passing all traffic through VPN tunnel

[attachment: lan-lan.jpg]

part of the config of the Cisco router in office 2:

interface Tunnel1

 description "Internet Tunnel"

 bandwidth 1000

 ip address 172.30.2.226 255.255.255.0

 ip mtu 1400

 ip nhrp authentication XXX

 ip nhrp map 172.30.2.200 public IP address office 3

 ip nhrp network-id 100000

 ip nhrp holdtime 360

 ip nhrp nhs 172.30.2.200

 ip tcp adjust-mss 1300

 delay 1000

 tunnel source GigabitEthernet9

 tunnel destination public IP address office 3

 tunnel key 100000

 tunnel protection ipsec  xxxxxxxx

 

interface GigabitEthernet9

 description "To Internet "

 ip address public IP address office 2

 ip nat outside

 ip virtual-reassembly in

 duplex auto

 speed auto

 no cdp enable

 

 

interface GigabitEthernet4

 switchport access vlan 20

 no ip address

 

interface Vlan20

 description "Users Vlan"

 ip address 192.168.226.1 255.255.255.0

 ip nat inside

 ip virtual-reassembly in

 

router eigrp 100

 network 1

 network 2

 network 172.30.2.0 0.0.0.255

 network 192.168.226.0

 passive-interface Vlan20

 

ip nat inside source list 100 interface GigabitEthernet9 overload

ip route 0.0.0.0 0.0.0.0 public IP address office 2

 

part of the config of the Cisco router in office 3:

interface Tunnel1

 description "Internet Tunnel"

 bandwidth 15000

 ip address 172.30.2.200 255.255.255.0

 no ip redirects

 ip mtu 1400

 no ip split-horizon eigrp 100

 ip nhrp authentication xxx

 ip nhrp map multicast dynamic

 ip nhrp network-id 100000

 ip nhrp holdtime 360

 ip tcp adjust-mss 1300

 delay 1000

 tunnel source GigabitEthernet0/0/0

 tunnel mode gre multipoint

 tunnel key 100000

 tunnel protection ipsec xxxx

 

 

interface GigabitEthernet0/0/0

 encapsulation dot1Q

 ip address public IP address office 3

 

I would like to ask if it is possible, and if so, how to change the configuration of the two Cisco routers in office 2 and office 3 so that all traffic from office 2 to the internet goes through the tunnel. I would like office 2 users to reach the internet through the Cisco ASA in office 3.

At present, only traffic to private networks passes through the tunnel.

 

 

21 Replies

Hi

thank you for the advice!

Now I've explored the traffic through the Cisco ASA in office 3.

The internal address of the Cisco ASA in office 2 is 192.168.108.2

From a laptop in the private LAN in office 2:

In the Real-time Log Viewer on the Cisco ASA I can see that I can successfully ping 192.168.108.2

But I cannot ping an external (public) IP address.

No traffic goes to the Cisco ASA from the laptop when I try to ping any public address.

I'm not sure internet traffic from office 2 goes through the tunnel!!!

 

Hi,

Please share the router configuration (HUB) which is sitting in Office 3.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Now I try tracert from the laptop in office 2

tracert 192.168.108.2 (internal address of the Cisco ASA; this address is NATed to the ASA's public address)

1  192.168.226.1

2  172.30.2.200

3  192.168.200.2

4  192.168.108.2

tracert 194.145.63.12 (public IP address of an internet site)

1  192.168.226.1

2  192.168.226.1 reports: Destination host unreachable

Hi,
For testing purposes add an IP route on the spoke:
ip route 0.0.0.0 0.0.0.0 172.30.2.200

As you are using EIGRP, this is not recommended, due to the extra configuration needed by a static route, but it is for testing purposes only.
Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi

Now I added ip route 0.0.0.0 0.0.0.0 172.30.2.200

ping 8.8.8.8 from the laptop:

Request timed out.

Currently, users from office 1 with network 192.168.202.0/24 connect via the private network 10.141.x.x to Tunnel1 of the Cisco hub; they have access to the private networks and have access to the internet via the Cisco ASA. Users from office 2 with network 192.168.226.0/24 connect via the Internet to Tunnel0 of the Cisco hub; they have access to the private networks but they do not have access to the internet.

I see a difference between the tunnel configurations: ip policy route-map ROUTE_THROUGH_ASA is on Tunnel1.

Just in case I added ip policy route-map ROUTE_THROUGH_ASA on Tunnel0, but the result is the same: users in office 2 have no internet access.

 

This is the HUB_1 running-config:

HUB_1#show run

Building configuration...

 

Current configuration : 37921 bytes

!

! Last configuration change at 11:06:26 EEST Thu Oct 10 2019 by xxx

! NVRAM config last updated at 11:05:42 EEST Thu Oct 10 2019 by xxx

!

version 15.5

service timestamps debug datetime msec

service timestamps log datetime msec

no platform punt-keepalive disable-kernel-core

!

hostname HUB_1

!

boot-start-marker

boot-end-marker

!

!

vrf definition Mgmt-intf

 !

 address-family ipv4

 exit-address-family

 !

 address-family ipv6

 exit-address-family

!

enable secret 5 

!

no aaa new-model

clock timezone EET 2 0

clock summer-time EEST recurring last Sun Mar 3:00 last Sun Oct 4:00

!

ip name-server 192.168.100.10 192.168.100.11

 

ip domain name xxx.local

!

subscriber templating

!

multilink bundle-name authenticated

!

!

crypto pki trustpoint TP-self-signed-0000000000

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-0000000000

 revocation-check none

 rsakeypair TP-self-signed-0000000000

!

!

crypto pki certificate chain TP-self-signed-0000000000

 certificate self-signed 01

  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

 

!

spanning-tree extend system-id

!

username xxxx privilege 15 secret 5

username xxxx privilege 15 secret 5

username xxxx privilege 15 secret 5

!

redundancy

 mode none

!

!

vlan internal allocation policy ascending

!

crypto isakmp policy 2

 encr aes 256

 authentication pre-share

 group 2

crypto isakmp key xxxxx address 0.0.0.0

crypto isakmp keepalive 10 5 periodic

!

!

crypto ipsec transform-set ESP_AES256_SHA esp-aes 256 esp-sha-hmac

 mode tunnel

crypto ipsec fragmentation after-encryption

!

crypto ipsec profile Cisco_xxx

 set transform-set ESP_AES256_SHA

!

!

interface Tunnel0

 description "Internet  Tunnel"

 bandwidth 15000

 ip address 172.30.2.200 255.255.255.0

 no ip redirects

 ip mtu 1400

 no ip split-horizon eigrp 100

 ip nhrp authentication DMVPN_WW

 ip nhrp map multicast dynamic

 ip nhrp network-id 100000

 ip nhrp holdtime 360

 ip tcp adjust-mss 1300

 delay 1000

 tunnel source GigabitEthernet0/0/0.486

 tunnel mode gre multipoint

 tunnel key 100000

 tunnel protection ipsec profile Cisco_xxx

!

interface Tunnel1

 description "Private LAN   Tunnel"

 bandwidth 20000

 ip address 172.30.1.200 255.255.255.0

 no ip redirects

 ip mtu 1400

 no ip split-horizon eigrp 100

 ip nhrp authentication DMVPN_WW

 ip nhrp map multicast dynamic

 ip nhrp network-id 100000

 ip nhrp holdtime 360

 ip tcp adjust-mss 1300

 ip policy route-map ROUTE_THROUGH_ASA

 delay 1000

 tunnel source GigabitEthernet0/0/0.141

 tunnel mode gre multipoint

 tunnel key 100000

 tunnel protection ipsec profile Cisco_xxx

!

interface GigabitEthernet0/0/0

 no ip address

 negotiation auto

 no cdp enable

!

interface GigabitEthernet0/0/0.141

 description " network 141"

 encapsulation dot1Q 141

 ip address private IP address for tunnel for VPN  office 1  255.255.255.0

!

interface GigabitEthernet0/0/0.486

 encapsulation dot1Q 486

 ip address public IP address office 3 for VPN tunnel  255.255.255.248

!

interface GigabitEthernet0/0/1

 ip address public IP address for LAN ( uses for NAT Cisco ASA) 255.255.255.252

 negotiation auto

 ip virtual-reassembly

!

interface GigabitEthernet0/0/2

 no ip address

 negotiation auto

!

interface GigabitEthernet0/0/2.9

 description telepresense

 encapsulation dot1Q 9

 ip address 192.168.11.2 255.255.255.0

 standby 1 ip 192.168.11.1

!

interface GigabitEthernet0/0/2.200

 encapsulation dot1Q 200 native

 ip address 192.168.200.1 255.255.255.0

!

interface GigabitEthernet0

 vrf forwarding Mgmt-intf

 no ip address

 shutdown

 negotiation auto

!

interface Vlan1

 no ip address

 shutdown

!

!

router eigrp 100

 network 10.0.0.0 0.0.3.255

 network 10.10.100.0 0.0.0.255

 network 172.30.1.0 0.0.0.255

 network 172.30.2.0 0.0.0.255

 network 192.168.11.0

 network 192.168.200.0

 redistribute static route-map STATIC_TO_EIGRP100

 passive-interface default

 no passive-interface Tunnel0

 no passive-interface Tunnel1

 no passive-interface GigabitEthernet0/0/2.200

!

ip forward-protocol nd

no ip http server

no ip http secure-server

ip tftp source-interface GigabitEthernet0/0/0

ip route 0.0.0.0 0.0.0.0 public IP address

ip route 10.0.0.0 255.255.252.0 192.168.200.2

ip route 10.1.200.0 255.255.255.0 192.168.200.2

ip route 10.10.10.0 255.255.255.0 192.168.200.2

ip route 10.10.100.0 255.255.255.0 192.168.200.2

ip route 10.20.200.0 255.255.255.0 192.168.200.2

ip route 10.30.14.22 255.255.255.255 192.168.200.2

ip route 10.141.0.0 255.255.0.0 10.141.2.1

ip route 172.16.1.10 255.255.255.255 192.168.200.2

ip route 172.16.141.0 255.255.255.240 192.168.200.2

ip route 172.17.2.0 255.255.255.0 192.168.200.2

ip route 192.168.0.21 255.255.255.255 192.168.200.2

ip route 192.168.64.0 255.255.255.0 192.168.200.2

ip route 192.168.95.0 255.255.255.0 192.168.200.2

ip route 192.168.96.0 255.255.240.0 192.168.200.2

ip route 192.168.129.55 255.255.255.255 192.168.200.2

ip route 192.168.255.0 255.255.255.0 192.168.200.4

ip route public IP address 255.255.255.224 public IP address

!

!

ip access-list standard STATIC_ROUTES

 permit 10.30.14.22

 permit 192.168.0.21

 permit 172.16.1.10

 remark "Terminal Server"

 permit 192.168.129.55

 remark "Static routes redistributed in EIGRP 100"

 permit 192.168.96.0 0.0.15.255

 permit 172.16.141.0 0.0.0.15

 permit 10.10.10.0 0.0.0.255

 permit 192.168.64.0 0.0.0.255

 permit 10.1.200.0 0.0.0.255

 remark "Avaya IP Phone network"

 permit 192.168.42.0 0.0.0.255

 remark "Route to DMZ network"

 permit 172.17.2.0 0.0.0.255

 remark " users 1 network"

 permit 10.20.200.0 0.0.0.255

 permit 10.10.100.0 0.0.0.255

 remark "Voice"

 permit 10.0.0.0 0.0.3.255

!

ip access-list extended SOURCE_ROUTING

 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

 permit ip 192.168.202.0 0.0.0.255 any

 permit ip 192.168.203.0 0.0.0.255 any

 permit ip 192.168.204.0 0.0.0.255 any

 permit ip 192.168.208.0 0.0.0.255 any

 permit ip 192.168.209.0 0.0.0.255 any

 permit ip 192.168.210.0 0.0.0.255 any

 permit ip 192.168.211.0 0.0.0.255 any

 permit ip 192.168.212.0 0.0.0.255 any

 permit ip 192.168.213.0 0.0.0.255 any

 permit ip 192.168.214.0 0.0.0.255 any

 permit ip 192.168.215.0 0.0.0.255 any

 permit ip 192.168.216.0 0.0.0.255 any

 permit ip 192.168.217.0 0.0.0.255 any

 permit ip 192.168.218.0 0.0.0.255 any

 permit ip 192.168.219.0 0.0.0.255 any

 permit ip 192.168.220.0 0.0.0.255 any

 permit ip 192.168.221.0 0.0.0.255 any

 permit ip 192.168.222.0 0.0.0.255 any

 permit ip 192.168.223.0 0.0.0.255 any

 permit ip 192.168.224.0 0.0.0.255 any

 permit ip 192.168.225.0 0.0.0.255 any

 permit ip 192.168.226.0 0.0.0.255 any

 permit ip 192.168.227.0 0.0.0.255 any

!

logging host 192.168.96.254

access-list 1 remark "SNMP allowed"

access-list 1 permit 192.168.96.254

access-list 110 permit ip any any

access-list 110 permit ip any public IP address 0.0.0.31

access-list 110 deny   ip 10.0.0.0 0.255.255.255 any

access-list 110 deny   ip 172.16.0.0 0.15.255.255 any

access-list 110 deny   ip 192.168.0.0 0.0.255.255 any

access-list 110 deny   ip 127.0.0.0 0.255.255.255 any

access-list 110 deny   ip host 255.255.255.255 any

access-list 110 deny   ip host 0.0.0.0 any

access-list 110 deny   ip any any log

!

route-map ROUTE_THROUGH_ASA permit 1

 match ip address SOURCE_ROUTING

 set ip next-hop 192.168.200.2

!

route-map NAT permit 10

 match ip address 180

!

route-map STATIC_TO_EIGRP100 permit 10

 match ip address STATIC_ROUTES

!

snmp-server community DCOMM RO 1

!

!

control-plane

!

!

line con 0

 login local

 stopbits 1

line aux 0

 stopbits 1

line vty 0 4

 exec-timeout 480 0

 privilege level 15

 logging synchronous

 login local

 transport input ssh

line vty 5 15

 privilege level 15

 login

 transport input ssh

!

ntp master 4

ntp server pool.ntp.org

ntp server 80.96.120.253

!

!

pnp profile pnp_redirection_profile

 transport http ipv4 127.0.0.1 port 80

end

 

the solution to the problem was so easy :)))

config

ip route <public /30 addresses of the Cisco HUBs in office 3> <IP address of the ISP gateway in office 2>

ip route 0.0.0.0 0.0.0.0 172.30.2.200 (tunnel IP address on HUB 1)

ip route 0.0.0.0 0.0.0.0 172.30.4.200 5 (tunnel IP address on HUB 2)

 

the first route is only there so that the VPN tunnels between office 2 and office 3 keep working

the second and third routes pass internet traffic through the tunnels and then through the Cisco ASA
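The fix the poster arrived at, together with the hub-side and ASA-side pieces the thread touched on, written out end to end as an added example. This is not the posted configuration and not Cisco reference material: 203.0.113.0/30 stands in for the hubs' public block, 198.51.100.1 for the office 2 ISP gateway, the HUB 2 tunnel address 172.30.4.200 is taken from the post, and the ASA lines assume an ASA running 8.3+ syntax with an interface named inside at 192.168.200.2 (the next hop the hub's route-map already uses); the ASA itself is not shown on the page. The ordering matters: the hubs' public addresses need a more-specific route via the ISP before the default route is pointed into the tunnel, otherwise the GRE/IPsec tunnel destination resolves through the tunnel itself, IOS reports recursive routing and takes the tunnel down, which is a plausible explanation for the timeouts seen earlier when only the test default route had been added.

```cisco
! ===== Spoke, office 2 (added example; addresses below are placeholders) =====
!
! 1. Keep the tunnel endpoints reachable via the ISP. 203.0.113.0/30 = the hubs'
!    public block, 198.51.100.1 = office 2 ISP gateway (both assumed).
!    This must exist BEFORE the default route below, or the tunnel destination
!    recurses through Tunnel1 (%TUN-5-RECURDOWN) and the tunnel flaps.
ip route 203.0.113.0 255.255.255.252 198.51.100.1
!
! 2. Everything else goes into the DMVPN cloud: HUB 1 is primary, HUB 2 is a
!    floating static (AD 5) that only installs when the HUB 1 route is gone.
!    Tunnel addresses are the ones from the thread.
ip route 0.0.0.0 0.0.0.0 172.30.2.200
ip route 0.0.0.0 0.0.0.0 172.30.4.200 5
!
! 3. Local PAT on GigabitEthernet9 is unchanged. "ip nat inside source list 100
!    interface GigabitEthernet9 overload" only translates packets that exit the
!    nat-outside interface, so user traffic that now leaves via Tunnel1 keeps its
!    192.168.226.x source, which is what SOURCE_ROUTING on the hub matches on.
!
! ===== HUB 1, office 3 (added example) =====
!
! 4. Spoke internet traffic arrives on Tunnel0. In the posted config only
!    Tunnel1 carries the policy route-map, so Tunnel0 traffic would follow the
!    hub's own default route instead of the ASA. Apply the same PBR here:
!    SOURCE_ROUTING already permits 192.168.226.0/24 -> any, and its first deny
!    keeps 192.168.0.0/16 <-> 192.168.0.0/16 (site-to-site) on normal routing.
interface Tunnel0
 ip policy route-map ROUTE_THROUGH_ASA
!
! 5. Optional: advertise the default from the hub via EIGRP instead of static
!    routes on every spoke. The summary needs a default route in the hub's own
!    table (present in the posted config); spokes still need step 1.
interface Tunnel0
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0
!
! ===== ASA, office 3 (assumed; 8.3+ syntax, interface name "inside") =====
!
! 6. Return path and NAT for the new source network. Without the route the ASA
!    has no way back to 192.168.226.0/24; without the NAT rule it would forward
!    the private 192.168.226.x source unchanged, which the internet cannot
!    route back.
route inside 192.168.226.0 255.255.255.0 192.168.200.1
object network OFFICE2_USERS
 subnet 192.168.226.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

To verify: on the spoke, show ip route 0.0.0.0 should list the hubs' public block via the ISP gateway and the default via the tunnel, and show dmvpn or show crypto session should show the tunnel staying up after the default is added; on the hub, show route-map ROUTE_THROUGH_ASA reports how many packets the policy has matched; from an office 2 host a traceroute to a public address should now go 192.168.226.1, 172.30.2.200, 192.168.200.2 and then out the ASA, mirroring the working trace to 192.168.108.2 earlier in the thread. Two caveats from the posted hub config are worth a look once the cloud carries a default route: crypto isakmp key ... address 0.0.0.0 with group 2 means a single pre-shared key and 1024-bit DH are accepted from any peer address, so any host that learns the key can join the DMVPN and send traffic out through the ASA (group 14 or higher and per-peer keys or certificates are the usual hardening), and access-list 110 as posted starts with permit ip any any, which shadows every deny below it, so if it is intended as an anti-spoofing filter on the public interface the permit entries must come after the denies.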