Tunneling internet traffic across site-to-site VPN

Last Modified: 2017-10-08
Hi all,

I see a lot of people asking the same question on Google; however, there are not a lot of solutions other than a proxy at the internet-facing end of the tunnel. I'm looking to understand why it doesn't work rather than for alternative solutions.

My objective: I'm an expat living in Malaysia trying to access Aussie TV. I have decent internet, and so does my father in Australia.
Planned solution: As I have two internet connections in my condo, set up a site-to-site VPN on one of them to my father's home, tunnel all traffic through to Dad's place, and configure the gateway on all my TV devices to point to my second internet link.

Looking at the configs, I was thinking I can see that perhaps the internet traffic from router B can get out through NAT on router A but struggles to get back to the source, as the tunnel ACL doesn't allow anything other than traffic with a source IP matching 192.168.10.x. However, I have set up a friend's router (also Cisco) to debug ICMP, and when I ping it from router A I see the packets, but from router B I don't, suggesting that my traffic from router B is not even being ingested by the NAT overload statement. Of course I have the ACL configured to do that. Again, I'm looking for the reason why, not alternative solutions; trying to learn here.

Devices at both ends: Cisco 871 (upgrading soon to something with GbE)
Dad's place: routerA
My place: routerB


Configs (I've removed anything I believe is unnecessary to see)

Version 12.2

!
hostname routerA
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key myvpn address 2.2.2.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile VTI
!
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TS
 match address VPN-TRAFFIC
!
!

!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet4
 no ip address
 no ip redirects
 no ip unreachables
 ip flow ingress
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname lllllll@timebb
 ppp chap password 0 llllll
 ppp pap sent-username n111111@timebb password 0 lllll
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
 crypto map CMAP
!
ip forward-protocol nd
!
ip nat inside source list 190 interface Dialer1 overload

!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
!
!
!
access-list 23 permit 192.168.10.0 0.0.0.255
access-list 190 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 190 permit ip 192.168.30.0 0.0.0.255 any
access-list 190 permit ip 192.168.10.0 0.0.0.255 any
!
!
!
control-plane
!

!
end


!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routerB
!
!
!
no aaa new-model
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key myvpn address 1.1.1.1
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile VTI
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TS
 match address VPN-TRAFFIC
!
!
!
interface FastEthernet4
 no ip address
 no ip redirects
 no ip unreachables
 ip flow ingress
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 192.168.30.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxx@timebb
 ppp chap password 0 xxxx
 ppp pap sent-username xxxx@timebb password 0 xxxx
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 crypto map CMAP
!
ip forward-protocol nd
!
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.30.0 0.0.0.255 any
!
access-list 23 permit 192.168.30.0 0.0.0.255
!
!
!
!
control-plane
!

end
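Added example, not from the post above or from the answers on this page: a small checker for the one thing a crypto-map tunnel depends on that is easy to eyeball wrong, namely whether the two VPN-TRAFFIC crypto ACLs are mirror images of each other. IOS derives the phase 2 proxy identities from these entries, and Cisco's documentation calls for mirror-image crypto ACLs on the two peers. The script embeds the two ACLs exactly as posted (constructed input copied from the configs), mirrors every entry and reports, per side, whether the peer has an exact mirror ("mirrored"), only a broader entry that contains the mirror ("covered", which is worth treating as a warning), or nothing that could match it ("missing"). Function and variable names are my own.

```python
"""Check whether two IOS crypto-map peers have mirror-image crypto ACLs.

Example code added to this page; it is not from the original post. It uses only
the standard library so it runs offline.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed input: the two crypto ACLs as they appear in the posted configs.
ROUTER_A_ACL = """
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
"""
ROUTER_B_ACL = """
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.30.0 0.0.0.255 any
"""


def _parse_operand(tokens, i):
    """Return (network, next_index) for 'any', 'host A' or 'A WILDCARD'."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is a hostmask; ipaddress accepts (address, hostmask).
    return ipaddress.ip_network((tok, tokens[i + 1])), i + 2


def parse_crypto_acl(text):
    """Parse 'permit ip SRC DST' lines into a list of (src, dst) network pairs.

    Deny lines and non-ip protocols are ignored: only permit entries define
    traffic the crypto map will try to protect.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "permit" or tokens[1] != "ip":
            continue
        src, i = _parse_operand(tokens, 2)
        dst, _ = _parse_operand(tokens, i)
        entries.append((src, dst))
    return entries


def classify_mirror(entry, peer_entries):
    """How the peer's crypto ACL relates to the mirror image of one entry."""
    src, dst = entry
    if (dst, src) in peer_entries:
        return "mirrored"
    for peer_src, peer_dst in peer_entries:
        # The peer's entry is broader than the mirror: not an exact match,
        # so flag it rather than silently trusting the peer to narrow it.
        if dst.subnet_of(peer_src) and src.subnet_of(peer_dst):
            return "covered"
    return "missing"


def check_peers(acl_a, acl_b):
    """Return {(side, src, dst): verdict} for every permit entry on both sides."""
    entries_a = parse_crypto_acl(acl_a)
    entries_b = parse_crypto_acl(acl_b)
    report = {}
    for side, mine, theirs in (("A", entries_a, entries_b), ("B", entries_b, entries_a)):
        for src, dst in mine:
            report[(side, str(src), str(dst))] = classify_mirror((src, dst), theirs)
    return report


if __name__ == "__main__":
    for (side, src, dst), verdict in check_peers(ROUTER_A_ACL, ROUTER_B_ACL).items():
        print(f"router{side}: {src} -> {dst}: {verdict}")
```

Run as a script it prints one line per entry; on the ACLs from the post, routerA's 192.168.10.0/24 -> 192.168.30.0/24 is only "covered" by routerB's broader entry, and routerB's 192.168.30.0/24 -> any has no entry on routerA that could match its mirror at all. That is the first thing to look at when one side sees tunnel traffic and the other does not.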