
Tunnel Internet Traffic over Cisco VPN Tunnel

Posted on 2010-08-18
Last Modified: 2012-05-10
I have several locations connected with IPSec VPNs, and for a single IP at location 3 I would like to tunnel all internet traffic through the IPSec VPN tunnel to location 1. I'm not sure what I need to change in the config for both locations. They both use Cisco 2811 routers.

Location 1 Private Addressing: 192.168.1.0/24
Location 1 Cisco 2811: 192.168.1.254
Location 2 Private Addressing: 192.168.8.0/24
Location 2 Cisco 2811: 192.168.8.254
Location 3 Private Addressing: 192.168.11.0/24
Location 3 Cisco 2811: 192.168.11.254

The Location 3 IP I want to route internet traffic through Location 1's internet is: 192.168.11.245


This is the config from location 3:

ip inspect name inspect-basic appfw inspect-basic
ip inspect name inspect-basic cuseeme
ip inspect name inspect-basic dns
ip inspect name inspect-basic ftp
ip inspect name inspect-basic h323
ip inspect name inspect-basic https
ip inspect name inspect-basic icmp
ip inspect name inspect-basic imap
ip inspect name inspect-basic pop3
ip inspect name inspect-basic netshow
ip inspect name inspect-basic rcmd
ip inspect name inspect-basic realaudio
ip inspect name inspect-basic rtsp
ip inspect name inspect-basic esmtp
ip inspect name inspect-basic sqlnet
ip inspect name inspect-basic streamworks
ip inspect name inspect-basic tftp
ip inspect name inspect-basic tcp
ip inspect name inspect-basic udp
ip inspect name inspect-basic vdolive
ip inspect name inspect-basic http java-list 51 urlfilter
!
appfw policy-name inspect-basic
  application http
    port-misuse p2p action reset alarm
!
multilink bundle-name authenticated
!
password encryption aes
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 authentication pre-share
 group 2
!
crypto isakmp policy 80
 hash md5
 authentication pre-share
!
crypto isakmp policy 81
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <tunnel 1 shared key info>
crypto isakmp key <tunnel 2 shared key info>
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto dynamic-map ra-dynmap-1 1
 set transform-set ESP-3DES-MD5
 reverse-route
!
!
crypto map corporate-vpn-map 1 ipsec-isakmp
 description <tunnel 1>
 set peer <tunnel 1 ip>
 set transform-set ESP-3DES-MD5
 match address <tunnel 1>-vpn-acl
crypto map corporate-vpn-map 2 ipsec-isakmp
 description <tunnel 2>
 set peer <tunnel 2 ip>
 set transform-set ESP-3DES-MD5
 match address <tunnel 2>-vpn-acl
!
!
!
interface FastEthernet0/0
 ip address <public ip> 255.255.255.248
 ip access-group acl-wan-in in
 ip inspect inspect-basic out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map corporate-vpn-map
!
interface FastEthernet0/1
 ip address 192.168.11.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <gateway ip>
!
!
ip http server
no ip http secure-server
ip nat inside source route-map block-vpn-on-nat interface FastEthernet0/0 overload
!
ip access-list extended acl-wan-in
 permit udp any host <public ip> eq non500-isakmp
 permit udp any host <public ip> eq isakmp
 permit esp any host <public ip>
 permit ahp any host <public ip>
 permit tcp any host <public ip> eq 4949
 deny   ip any any log
ip access-list extended <tunnel 1>-vpn-acl
 remark <tunnel 1> VPN rules
 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended <tunnel 2>-vpn-acl
 remark VPN to <tunnel 2>
 permit ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.254
ip access-list extended block-vpn-acl
 deny   ip 192.168.11.0 0.0.0.255 192.168.250.0 0.0.0.255
 deny   ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 any
!
!
!
route-map block-vpn-on-nat permit 10
 match ip address block-vpn-acl

--------------------------------------------------------------------------------
The config in location 1's router is the same except the IPs are reversed. What commands do I need to add to both configs to make this work?
Question by:_valkyrie_
4 Comments
 
LVL 28

Accepted Solution

by: bgoering (earned 500 total points)
ID: 33464247
Change

ip access-list extended <tunnel 2>-vpn-acl
 remark VPN to <tunnel 2>
 permit ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.254


To

ip access-list extended <tunnel 2>-vpn-acl
 remark VPN to <tunnel 2>
 permit ip host 192.168.11.x any
 permit ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.254


Where the ".x" is the IP you are tracking
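The accepted solution depends on two IOS behaviours: how a crypto ACL entry is matched against a flow, and whether the NAT route-map leaves that flow untranslated (inside-to-outside NAT runs before the crypto map is consulted, so a NATted packet no longer carries its private source and cannot match the crypto ACL). The following Python evaluator is added here and is not from the question or the answers; it reproduces IOS wildcard-mask matching over the page's own ACLs with two assumed additions: a `permit ip host 192.168.11.245 any` entry in the tunnel-1 crypto ACL (tunnel 1 because the asker wants the traffic to exit at location 1) and a matching `deny` at the top of `block-vpn-acl`. The destination 8.8.8.8 is a constructed sample internet address.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask semantics: 0 bits must match, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def evaluate_acl(acl, src, dst):
    """First-match evaluation; an unmatched packet hits the implicit deny."""
    for action, sbase, swild, dbase, dwild in acl:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' keyword: wildcard of all ones
HOST = "0.0.0.0"                       # 'host' keyword: wildcard of all zeros

# Tunnel-1 crypto ACL from the question, plus the assumed host entry
# (permit ip host 192.168.11.245 any) for the single IP that should
# reach the internet via location 1.
TUNNEL1_CRYPTO_ACL = [
    ("permit", "192.168.11.245", HOST, *ANY),
    ("permit", "192.168.11.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
]

# block-vpn-acl from the question: 'deny' = leave untranslated, 'permit' = NAT
# overload. The first entry is an assumed addition so the host is never NATted;
# it must sit above the final 'permit ... any'.
BLOCK_VPN_ACL = [
    ("deny", "192.168.11.245", HOST, *ANY),
    ("deny", "192.168.11.0", "0.0.0.255", "192.168.250.0", "0.0.0.255"),
    ("deny", "192.168.11.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("deny", "192.168.11.0", "0.0.0.255", "192.168.8.0", "0.0.0.255"),
    ("permit", "192.168.11.0", "0.0.0.255", *ANY),
]

def classify(src, dst, nat_acl=BLOCK_VPN_ACL):
    """Return (encrypted_over_tunnel1, natted_to_public_ip) for one flow.
    A working setup needs encrypted=True and natted=False, because NAT
    rewrites the source before the crypto map sees the packet."""
    encrypted = evaluate_acl(TUNNEL1_CRYPTO_ACL, src, dst) == "permit"
    natted = evaluate_acl(nat_acl, src, dst) == "permit"
    return encrypted, natted

if __name__ == "__main__":
    print("tracked host -> internet:", classify("192.168.11.245", "8.8.8.8"))  # (True, False)
    print("same, no NAT exemption:", classify("192.168.11.245", "8.8.8.8", BLOCK_VPN_ACL[1:]))  # (True, True)
    print("other LAN host -> internet:", classify("192.168.11.10", "8.8.8.8"))  # (False, True)
    print(wildcard_match("10.0.0.1", "192.168.11.245", "255.255.255.255"))  # True: matches anything
```

A wildcard of 255.255.255.255 after an address matches every address rather than that single host; a single host is written `host A.B.C.D`, which is a wildcard of 0.0.0.0.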
LVL 14

Expert Comment

by:anoopkmr
ID: 33464319
Since you don't need to use the local internet at site 3; please note that for your requirement the whole traffic will go through the tunnel.

at site 3

1) no ip nat inside source route-map block-vpn-on-nat interface FastEthernet0/0 overload

2) int f0/0
    no ip nat outside
   int f0/1
    no ip nat inside

3) I hope the below is the tunnel config for site 1:
crypto map corporate-vpn-map 1 ipsec-isakmp

so type

ip access-list extended -vpn-acl
permit ip 192.168.11.0 0.0.0.255 any



at site 1 router

crypto acl for site1 has to be modified like this

ip access-list extended -vpn-acl
permit ip any 192.168.11.0 0.0.0.255


LVL 2

Author Comment

by:_valkyrie_
ID: 33467599
bgoering: I'll try that solution tonight at the plant.

anoopkmr: I don't want traffic for the entire subnet to go through there, just a single IP's internet traffic: 192.168.11.245
LVL 14

Expert Comment

by:anoopkmr
ID: 33467683
Oh, sorry, I didn't notice that. Thanks for the correction.