Cisco 877 Site to Site VPN allowing multiple Vlan Access

Hi there,

We have an 877 that is creating a site to site VPN. At the moment, Vlan1 (192.168.101.0/24) has full access to the remote server. What we need now is another subnet with access to this remote site. I'm thinking of adding the second vlan on the Cisco, assigning vlan 2 to a port, and getting the subnet added to the crypto map. I want this second subnet (well, a server - 192.168.200.2) only to access the remote site (specific port 3277), not vlan1. Here is the current config. What else do I need to add?

Cisco-COnfig.txt
greentriangleAsked:

asavenerCommented:
You need to reconfigure the VPN device on the other end of the connection.
0
greentriangleAuthor Commented:
That has been done to allow 192.168.200.0/24
0
asavenerCommented:
The access lists for the interesting traffic have to be complementary.

Example:

Router A:
ip access-list extended VPN1
permit tcp host 192.168.200.2 10.1.2.0 0.0.0.255 eq 3277

Router B:
ip access-list extended VPN1
permit tcp 10.1.2.0 0.0.0.255 eq 3277 host 192.168.200.2


If they are not exactly complementary, then the IPSec security association will not get created.
0
Benjamin Van DitmarsCommented:
Your config looks like a small project I did a while ago. I changed the code for you.



Current configuration : 2337 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!

!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ***** address *****
!
!
crypto ipsec transform-set mVPNset esp-3des esp-sha-hmac
!
crypto map mvpnmap 1 ipsec-isakmp
 set peer x.x.x.x
 set security-association lifetime kilobytes 536870912
 set security-association lifetime seconds 86400
 set transform-set mVPNset
 match address TRAFFIC-TO-VPN
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  tx-ring-limit 3
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
 shutdown
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 no shutdown
 switchport mode access
 switchport access vlan 2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.101.250 255.255.255.0
 ip access-group VLAN1-OUT in
 ip nat inside
 no ip virtual-reassembly in
 ip tcp adjust-mss 1420
 no autostate
!
interface Vlan2
 ip address 192.168.200.250 255.255.255.0
 ip access-group VLAN2-OUT in
 ip nat inside
 no ip virtual-reassembly in
 ip tcp adjust-mss 1420
 no autostate
!
interface Dialer1
 ip address negotiated
 ip mtu 1460
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp chap hostname ***********
 ppp chap password 0 **********
 crypto map mvpnmap
!
ip forward-protocol nd
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
!
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source route-map ALLOW-NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended VLAN2-OUT
 deny   ip 192.168.200.0 0.0.0.255 192.168.101.0 0.0.0.255
 permit ip 192.168.200.0 0.0.0.255 any
ip access-list extended VLAN1-OUT
 deny   ip 192.168.101.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 any
ip access-list extended NAT-POOL
 deny   ip 192.168.101.0 0.0.0.255 206.187.32.0 0.0.0.255
 deny   ip 192.168.200.0 0.0.0.255 206.187.32.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 any
 permit ip 192.168.200.0 0.0.0.255 any
ip access-list extended TRAFFIC-TO-VPN
 permit ip 192.168.101.0 0.0.0.255 206.187.32.0 0.0.0.255
 permit ip 192.168.200.0 0.0.0.255 206.187.32.0 0.0.0.255
 deny   ip any any
!
dialer-list 1 protocol ip permit
!
route-map ALLOW-NAT permit 10
 match ip address NAT-POOL
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 
 login
!
scheduler max-task-time 5000
end

I always use extended access lists to make everything more understandable.

Cheers

Benjamin
0
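Tying the two answers back to what was actually asked: the config above opens the tunnel to the whole 192.168.200.0/24, while the question wants only the host 192.168.200.2 to reach the remote site on TCP 3277 and nothing on VLAN2 to reach VLAN1. The following is an added example, not part of the question or of either answer, showing how the crypto ACL, the NAT exemption ACL and the VLAN2 inbound ACL can be narrowed together, plus the mirror-image crypto ACL the peer needs (the point made in the earlier comment). It assumes the remote LAN is 206.187.32.0/24 as in the config above, and uses 206.187.32.10 as a placeholder for the remote server, whose real address is not given on the page.

```cisco
! --- Router A (the 877) ---
! Crypto ACL (interesting traffic). VLAN1 keeps full access; VLAN2 is
! reduced to one host talking to one server on TCP 3277.
! 206.187.32.10 is a placeholder for the remote server.
ip access-list extended TRAFFIC-TO-VPN
 permit ip 192.168.101.0 0.0.0.255 206.187.32.0 0.0.0.255
 permit tcp host 192.168.200.2 host 206.187.32.10 eq 3277
 deny   ip any any
!
! NAT exemption. The deny lines must cover exactly what the crypto ACL
! encrypts; otherwise the flow is translated to the Dialer1 address first
! and never matches TRAFFIC-TO-VPN.
ip access-list extended NAT-POOL
 deny   ip 192.168.101.0 0.0.0.255 206.187.32.0 0.0.0.255
 deny   tcp host 192.168.200.2 host 206.187.32.10 eq 3277
 permit ip 192.168.101.0 0.0.0.255 any
 permit ip 192.168.200.0 0.0.0.255 any
!
! Inbound filter on the VLAN2 SVI: the server may reach the remote host on
! 3277, the rest of VLAN2 may not reach the remote LAN or VLAN1, and
! everything else (Internet via NAT) is still allowed. Most specific first.
ip access-list extended VLAN2-OUT
 permit tcp host 192.168.200.2 host 206.187.32.10 eq 3277
 deny   ip 192.168.200.0 0.0.0.255 206.187.32.0 0.0.0.255
 deny   ip 192.168.200.0 0.0.0.255 192.168.101.0 0.0.0.255
 permit ip 192.168.200.0 0.0.0.255 any
!
! --- Router B (remote peer): exact mirror of Router A's crypto ACL ---
! Source and destination swap sides, and the port qualifier moves with
! the 206.187.32.10 end, so the return traffic selects the same SA.
ip access-list extended TRAFFIC-TO-VPN
 permit ip 206.187.32.0 0.0.0.255 192.168.101.0 0.0.0.255
 permit tcp host 206.187.32.10 eq 3277 host 192.168.200.2
 deny   ip any any
```

Because these are named ACLs, re-entering `ip access-list extended TRAFFIC-TO-VPN` on the running router appends the new lines after the existing ones rather than replacing them; remove each list with `no ip access-list extended ...` first, or the broad /24 permit will still match before the host line. After both sides are changed, `show crypto ipsec sa` should show a separate SA pair for the 192.168.200.2/3277 selector, and `show access-lists VLAN2-OUT` will show hit counts on the deny lines if other VLAN2 hosts attempt to reach VLAN1 or the remote LAN.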
