Solved

Tunnel Internet Traffic over Cisco VPN Tunnel

Posted on 2010-08-18
4
1,038 Views
Last Modified: 2012-05-10
I have several locations connected with IPSec VPNs and for a single IP at the location 3, I would like to tunnel all internet traffic through the IPSec VPN tunnel to location 1. I'm not sure what I need to change on the config for both locations. They both use Cisco 2811 routers.

Location 1 Private Addressing: 192.168.1.0/24
Location 1 Cisco 2811: 192.168.1.254
Location 2 Private Addressing: 192.168.8.0/24
Location 2 Cisco 2811: 192.168.8.254
Location 3 Private Addressing: 192.168.11.0/24
Location 3 Cisco 2811: 192.168.11.254

The Location 3 IP I want to route internet traffic through Location 1's internet is: 192.168.11.245


This is the config from location 3:

ip inspect name inspect-basic appfw inspect-basic
ip inspect name inspect-basic cuseeme
ip inspect name inspect-basic dns
ip inspect name inspect-basic ftp
ip inspect name inspect-basic h323
ip inspect name inspect-basic https
ip inspect name inspect-basic icmp
ip inspect name inspect-basic imap
ip inspect name inspect-basic pop3
ip inspect name inspect-basic netshow
ip inspect name inspect-basic rcmd
ip inspect name inspect-basic realaudio
ip inspect name inspect-basic rtsp
ip inspect name inspect-basic esmtp
ip inspect name inspect-basic sqlnet
ip inspect name inspect-basic streamworks
ip inspect name inspect-basic tftp
ip inspect name inspect-basic tcp
ip inspect name inspect-basic udp
ip inspect name inspect-basic vdolive
ip inspect name inspect-basic http java-list 51 urlfilter
!
appfw policy-name inspect-basic
  application http
    port-misuse p2p action reset alarm
!
multilink bundle-name authenticated
!
password encryption aes
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 authentication pre-share
 group 2
!
crypto isakmp policy 80
 hash md5
 authentication pre-share
!
crypto isakmp policy 81
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <tunnel 1 shared key info>
crypto isakmp key <tunnel 2 shared key info>
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto dynamic-map ra-dynmap-1 1
 set transform-set ESP-3DES-MD5
 reverse-route
!
!
crypto map corporate-vpn-map 1 ipsec-isakmp
 description <tunnel 1>
 set peer <tunnel 1 ip>
 set transform-set ESP-3DES-MD5
 match address <tunnel 1>-vpn-acl
crypto map corporate-vpn-map 2 ipsec-isakmp
 description <tunnel 2>
 set peer <tunnel 2 ip>
 set transform-set ESP-3DES-MD5
 match address <tunnel 2>-vpn-acl
!
!
!
interface FastEthernet0/0
 ip address <public ip> 255.255.255.248
 ip access-group acl-wan-in in
 ip inspect inspect-basic out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map corporate-vpn-map
!
interface FastEthernet0/1
 ip address 192.168.11.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <gateway ip>
!
!
ip http server
no ip http secure-server
ip nat inside source route-map block-vpn-on-nat interface FastEthernet0/0 overload
!
ip access-list extended acl-wan-in
 permit udp any host <public ip> eq non500-isakmp
 permit udp any host <public ip> eq isakmp
 permit esp any host <public ip>
 permit ahp any host <public ip>
 permit tcp any host <public ip> eq 4949
 deny   ip any any log
ip access-list extended <tunnel 1>-vpn-acl
 remark <tunnel 1> VPN rules
 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended <tunnel 2>-vpn-acl
 remark VPN to <tunnel 2>
 permit ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.254
ip access-list extended block-vpn-acl
 deny   ip 192.168.11.0 0.0.0.255 192.168.250.0 0.0.0.255
 deny   ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 any
!
!
!
route-map block-vpn-on-nat permit 10
 match ip address block-vpn-acl

--------------------------------------------------------------------------------
The config in location 1's router is the same except the IPs are reversed. What commands do I need to add to both configs to make this work?
0
Comment
Question by:_valkyrie_
  • 2
4 Comments
 
LVL 28

Accepted Solution

by:
bgoering earned 500 total points
ID: 33464247
Change

ip access-list extended <tunnel 2>-vpn-acl
 remark VPN to <tunnel 2>
 permit ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.254


To

ip access-list extended <tunnel 2>-vpn-acl
 remark VPN to <tunnel 2>
 permit ip 192.168.11.x 255.255.255.255 any
 permit ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.254


Where the ".x" is the IP you are tracking
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33464319
since u dont need to use the local internet at site 3 ; please note for ur requirement the whole traffic will go through the tunnel

at site 3

1) no ip nat inside source route-map block-vpn-on-nat interface FastEthernet0/0 overload

2) int f0/0
    no ip nat outside
     int f0/1
    no ip nat inside

3) i hope below is the tunnel config for site 1
crypto map corporate-vpn-map 1 ipsec-isakmp

so type

ip access-list extended -vpn-acl
permit ip 192.168.11.0 0.0.0.255 any



at site 1 router

crypto acl for site1 has to be modified like this

ip access-list extended -vpn-acl
permit ip any 192.168.11.0 0.0.0.255


0
 
LVL 2

Author Comment

by:_valkyrie_
ID: 33467599
bgoering: I'll try that solution tonight at the plant.

anoopkmr: I don't want traffic for the entire subnet to go through there, just a single IP's internet traffic: 192.168.11.245
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33467683
ohh sorry I didn't notice that, thanks for the correction
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How to setup VPN onCisco RV016 8 51
EIGRP Full Mesh 2 62
Some issue on SecurityCRT 5 25
Which is more secure: EAP or machine certificate for IKEv2 VPN? 1 40
In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now