
Tunneling internet traffic across site-to-site VPN

Asked by Michael
Tags: Cisco, Internet Protocol Security, VPN, Routers
Hi all,

I see a lot of people asking the same question on Google, however not a lot of solutions other than a proxy at the internet-facing end of the tunnel. I'm looking to understand why it doesn't work rather than alternative solutions.

My Objective: I'm an expat living in Malaysia trying to access Aussie TV. I have decent internet, so does my father in Australia.
Planned Solution: As I have two internet connections in my condo, on one of them set up a site-to-site VPN to my father's home and tunnel all traffic through to Dad's place. Configure the gateway on all my TV devices to point to my second internet link.

Looking at the configs, I was thinking I can see that perhaps the internet traffic from routerB can get out through NAT on routerA, however it struggles to get back to the source as the tunnel ACL doesn't allow anything other than traffic with a source IP matching 192.168.10.x. However, I have set up a friend's router (also Cisco) to debug ICMP, and when I ping it from router A I see the packets, however from router B I don't, suggesting that my traffic from router B is not even being ingested by the NAT overload statement. Of course I have the ACL configured to do that. Again, looking for the reason why, not alternative solutions; trying to learn here.

Devices at both ends: Cisco 871 (upgrading soon to something with GbE)
Dad's Place: RouterA
My Place: RouterB


Configs (I've removed anything I believe is unnecessary to see)

Version 12.2

!
hostname routerA
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key myvpn address 2.2.2.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile VTI
!
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TS
 match address VPN-TRAFFIC
!
!

!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet4
 no ip address
 no ip redirects
 no ip unreachables
 ip flow ingress
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname lllllll@timebb
 ppp chap password 0 llllll
 ppp pap sent-username n111111@timebb password 0 lllll
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
 crypto map CMAP
!
ip forward-protocol nd
!
ip nat inside source list 190 interface Dialer1 overload

!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
!
!
!
access-list 23 permit 192.168.10.0 0.0.0.255
access-list 190 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 190 permit ip 192.168.30.0 0.0.0.255 any
access-list 190 permit ip 192.168.10.0 0.0.0.255 any
!
!
!
control-plane
!

!
end


!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routerB
!
!
!
no aaa new-model
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key myvpn address 1.1.1.1
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile VTI
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TS
 match address VPN-TRAFFIC
!
!
!
interface FastEthernet4
 no ip address
 no ip redirects
 no ip unreachables
 ip flow ingress
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 192.168.30.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxx@timebb
 ppp chap password 0 xxxx
 ppp pap sent-username xxxx@timebb password 0 xxxx
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 crypto map CMAP
!
ip forward-protocol nd
!
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.30.0 0.0.0.255 any
!
access-list 23 permit 192.168.30.0 0.0.0.255
!
!
!
!
control-plane
!

end
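The question hinges on the order in which IOS applies routing, inside-source NAT and the crypto-map ACL to a packet, and on the fact that inside-source NAT only fires for packets that enter on an "ip nat inside" interface and leave on an "ip nat outside" one. The script below is an added example written for this page (it is not from the thread, and it is a model, not IOS): it loads the ACLs exactly as posted for routerA and routerB, applies Cisco's published NAT order of operation (inside-to-outside: route, translate, then crypto check; outside-to-inside: reverse-translate, then route, then crypto check), and traces the packets the asker is describing. Everything else is a constructed assumption: the LAN hosts 192.168.30.5 and 192.168.10.20, the internet destination 203.0.113.9, a 1:1 translation table standing in for PAT overload, and a hypothetical NAT ACL for routerB, whose real "ip nat inside source" line is not in the posted config. The Phase 2 check models the responder accepting a proxy identity only when a mirrored entry of its own crypto ACL covers it.

```python
"""Model of the IOS steps that decide NAT translation and IPsec selection.

ACLs are copied from the posted routerA/routerB configs. Host addresses,
the 203.0.113.9 internet host, the 1:1 translation table and routerB's
NAT ACL are constructed assumptions for the walkthrough (not from the page).
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")          # IOS "any" as address/wildcard


def wc_to_net(addr, wildcard):
    """IOS address/wildcard pair -> ip_network (contiguous wildcards only)."""
    prefixlen = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.ip_network((addr, prefixlen), strict=False)


def ace(action, s_addr, s_wc, d_addr, d_wc):
    """One access-list entry: (action, source network, destination network)."""
    return (action, wc_to_net(s_addr, s_wc), wc_to_net(d_addr, d_wc))


def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in acl:
        if s in s_net and d in d_net:
            return action == "permit"
    return False


# --- ACLs exactly as posted ---------------------------------------------------
A_VPN_TRAFFIC = [ace("permit", "192.168.10.0", "0.0.0.255", "192.168.30.0", "0.0.0.255")]
A_NAT_190 = [ace("deny", "192.168.10.0", "0.0.0.255", "192.168.30.0", "0.0.0.255"),
             ace("permit", "192.168.30.0", "0.0.0.255", *ANY),
             ace("permit", "192.168.10.0", "0.0.0.255", *ANY)]
B_VPN_TRAFFIC = [ace("permit", "192.168.30.0", "0.0.0.255", *ANY)]


def proxy_ids_accepted(proposal, responder_acl):
    """Phase 2: responder accepts the (src, dst) identity only if a permit
    entry of its own crypto ACL, read mirrored, covers the whole proposal."""
    p_src, p_dst = proposal
    return any(action == "permit" and p_src.subnet_of(d_net) and p_dst.subnet_of(s_net)
               for action, s_net, d_net in responder_acl)


class Router:
    """Vlan1 is 'ip nat inside'; Dialer1 is 'ip nat outside' and holds the crypto map."""

    def __init__(self, name, lan, wan_ip, nat_acl, crypto_acl):
        self.name, self.lan, self.wan_ip = name, ipaddress.ip_network(lan), wan_ip
        self.nat_acl, self.crypto_acl = nat_acl, crypto_acl
        self.xlate = {}   # remote host -> inside local host (1:1 stand-in for the PAT table)

    def forward(self, src, dst, ingress):
        """One packet through the pipeline -> (src, dst, egress, translated, ipsec)."""
        translated = False
        if ingress == "Dialer1" and dst == self.wan_ip and src in self.xlate:
            dst, translated = self.xlate[src], True   # outside->inside: global->local, before routing
        egress = "Vlan1" if ipaddress.ip_address(dst) in self.lan else "Dialer1"  # default via Dialer1
        if ingress == "Vlan1" and egress == "Dialer1" and acl_permits(self.nat_acl, src, dst):
            self.xlate[dst] = src                     # inside->outside: local->global, after routing
            src, translated = self.wan_ip, True
        # crypto map on Dialer1 sees the packet only after NAT has already run
        ipsec = egress == "Dialer1" and acl_permits(self.crypto_acl, src, dst)
        return src, dst, egress, translated, ipsec


def phase2_check():
    """routerB's proposal against routerA's ACL, and routerA's against routerB's."""
    b_proposal = (wc_to_net("192.168.30.0", "0.0.0.255"), wc_to_net(*ANY))
    a_proposal = (wc_to_net("192.168.10.0", "0.0.0.255"), wc_to_net("192.168.30.0", "0.0.0.255"))
    return proxy_ids_accepted(b_proposal, A_VPN_TRAFFIC), proxy_ids_accepted(a_proposal, B_VPN_TRAFFIC)


def trace_internet_via_a(internet_host="203.0.113.9"):
    """The posted design: a decrypted routerB-LAN packet arrives on A's Dialer1
    and is routed straight back out of Dialer1; then the reply it would get."""
    a = Router("routerA", "192.168.10.0/24", "1.1.1.1", A_NAT_190, A_VPN_TRAFFIC)
    outbound = a.forward("192.168.30.5", internet_host, ingress="Dialer1")
    reply = a.forward(internet_host, "192.168.30.5", ingress="Dialer1")
    return outbound, reply


def trace_lan_a(internet_host="203.0.113.9"):
    """Contrast: routerA's own LAN host, where the inside->outside path exists."""
    a = Router("routerA", "192.168.10.0/24", "1.1.1.1", A_NAT_190, A_VPN_TRAFFIC)
    to_internet = a.forward("192.168.10.20", internet_host, ingress="Vlan1")
    to_site_b = a.forward("192.168.10.20", "192.168.30.5", ingress="Vlan1")
    return to_internet, to_site_b


def trace_lan_b(nat_acl, internet_host="203.0.113.9"):
    """routerB with a hypothetical NAT ACL (its real NAT line is not in the post)."""
    b = Router("routerB", "192.168.30.0/24", "2.2.2.2", nat_acl, B_VPN_TRAFFIC)
    return b.forward("192.168.30.5", internet_host, ingress="Vlan1")


if __name__ == "__main__":
    print("phase2 (B->A accepted, A->B accepted):", phase2_check())
    print("routerA, decrypted B-LAN packet then its reply:", *trace_internet_via_a(), sep="\n  ")
    print("routerA, own LAN to internet / to site B:", *trace_lan_a(), sep="\n  ")
    print("routerB, no NAT / NAT without a VPN deny:",
          trace_lan_b([]), trace_lan_b([ace("permit", "192.168.30.0", "0.0.0.255", *ANY)]), sep="\n  ")
```

Three things fall out of the trace. First, routerB's crypto ACL proposes 192.168.30.0/24 to "any", which routerA's ACL (192.168.10.0/24 to 192.168.30.0/24 only) does not cover, so the Phase 2 identity routerB needs for internet-bound flows is refused; only the mirrored LAN-to-LAN pair negotiates. Second, even with a working SA, a decrypted packet from 192.168.30.x reaches routerA on Dialer1, which is "ip nat outside", and is routed back out of Dialer1; it never crosses an "ip nat inside" interface, so the "permit 192.168.30.0 0.0.0.255 any" line in ACL 190 never translates it and the packet leaves with a private source address, which is consistent with the friend's router seeing nothing. Third, the reply to 192.168.30.x leaving Dialer1 is not selected by routerA's crypto ACL, so it would go out in the clear. Because NAT runs before the crypto check on the inside-to-outside path, routerB's NAT rule (not shown in the post) also needs a deny for the tunnel traffic, as routerA's ACL 190 already has, or the packet is rewritten to 2.2.2.2 before the crypto ACL sees it. The usual remedy is a tunnel interface (VTI) that can itself carry "ip nat inside"; the unused "crypto ipsec profile VTI" in both configs is the starting point for that.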