10-11-2019 01:28 AM
Part of the config of the Cisco router in office 2:
interface Tunnel1
description "Internet Tunnel"
bandwidth 1000
ip address 172.30.2.226 255.255.255.0
ip mtu 1400
ip nhrp authentication XXX
ip nhrp map 172.30.2.200 public IP address office 3
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 172.30.2.200
ip tcp adjust-mss 1300
delay 1000
tunnel source GigabitEthernet9
tunnel destination public IP address office 3
tunnel key 100000
tunnel protection ipsec xxxxxxxx
interface GigabitEthernet9
description "To Internet "
ip address public IP address office 2
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
interface GigabitEthernet4
switchport access vlan 20
no ip address
interface Vlan20
description "Users Vlan"
ip address 192.168.226.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
router eigrp 100
network 1
network 2
network 172.30.2.0 0.0.0.255
network 192.168.226.0
passive-interface Vlan20
ip nat inside source list 100 interface GigabitEthernet9 overload
ip route 0.0.0.0 0.0.0.0 public IP address office 2
Part of the config of the Cisco router in office 3:
interface Tunnel1
description "Internet Tunnel"
bandwidth 15000
ip address 172.30.2.200 255.255.255.0
no ip redirects
ip mtu 1400
no ip split-horizon eigrp 100
ip nhrp authentication xxx
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip tcp adjust-mss 1300
delay 1000
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec xxxx
interface GigabitEthernet0/0/0
encapsulation dot1Q
ip address public IP address office 3
I would like to ask if it is possible, and if so how, to change the configuration of the two Cisco routers in offices 2 and 3 so that all traffic from office 2 to the internet goes through the tunnel. I would like office 2 users to go online through the Cisco ASA in office 3.
At present, only traffic to private networks passes through the tunnel.
10-15-2019 06:22 AM
Hi,
thank you for the advice!
Now I've explored the traffic through the Cisco ASA in office 3.
The internal address of the Cisco ASA in office 2 is 192.168.108.2.
From a laptop in the private LAN in office 2:
In the Real-Time Log Viewer on the Cisco ASA I can see that I can successfully ping 192.168.108.2.
But I cannot ping an external (public) IP address.
No traffic goes to the Cisco ASA from the laptop when I try to ping any public address.
I'm not sure internet traffic from office 2 goes through the tunnel!!!
10-15-2019 06:28 AM
Hi,
Please share the router configuration of the HUB which is sitting in Office 3.
10-15-2019 06:46 AM
thank you for the advice!
Now I've explored the traffic through the Cisco ASA in office 3.
The internal address of the Cisco ASA in office 2 is 192.168.108.2.
From a laptop in the private LAN in office 2:
In the Real-Time Log Viewer on the Cisco ASA I can see that I can successfully ping 192.168.108.2.
But I cannot ping an external (public) IP address.
No traffic goes to the Cisco ASA from the laptop when I try to ping any public address.
I'm not sure that internet traffic goes through the tunnel!!!
10-15-2019 06:54 AM
Now I try a tracert from the laptop in office 2.
tracert 192.168.108.2 (internal address of the Cisco ASA; this address is NATed to the public address of the ASA)
1 192.168.226.1
2 172.30.2.200
3 192.168.200.2
4 192.168.108.2
tracert 194.145.63.12 (public IP address of one internet site)
1 192.168.226.1
2 192.168.226.1 reports: Destination host unreachable
10-15-2019 08:39 AM
10-16-2019 01:28 AM
Hi
Now I have added ip route 0.0.0.0 0.0.0.0 172.30.2.200.
ping 8.8.8.8 from the laptop:
Request timed out.
Currently, users from office 1 (network 192.168.202.0/24) connect via the private network 10.141.x.x to Tunnel1 of the Cisco hub; they have access to the private networks and to the internet via the Cisco ASA. Users from office 2 (network 192.168.226.0/24) connect via the Internet to Tunnel0 of the Cisco hub; they have access to the private networks but they do not have access to the internet.
I see a difference between the tunnel configurations: ip policy route-map ROUTE_THROUGH_ASA is present on Tunnel1.
Just in case, I added ip policy route-map ROUTE_THROUGH_ASA on Tunnel0 too, but the result is the same: users in office 2 have no internet access.
This is the HUB1 running-config:
HUB_1#show run
Building configuration...
Current configuration : 37921 bytes
!
! Last configuration change at 11:06:26 EEST Thu Oct 10 2019 by xxx
! NVRAM config last updated at 11:05:42 EEST Thu Oct 10 2019 by xxx
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname HUB_1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5
!
no aaa new-model
clock timezone EET 2 0
clock summer-time EEST recurring last Sun Mar 3:00 last Sun Oct 4:00
!
ip name-server 192.168.100.10 192.168.100.11
ip domain name xxx.local
!
subscriber templating
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-0000000000
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-0000000000
revocation-check none
rsakeypair TP-self-signed-0000000000
!
!
crypto pki certificate chain TP-self-signed-0000000000
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
!
spanning-tree extend system-id
!
username xxxx privilege 15 secret 5
username xxxx privilege 15 secret 5
username xxxx privilege 15 secret 5
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
crypto isakmp key xxxxx address 0.0.0.0
crypto isakmp keepalive 10 5 periodic
!
!
crypto ipsec transform-set ESP_AES256_SHA esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile Cisco_xxx
set transform-set ESP_AES256_SHA
!
!
interface Tunnel0
description "Internet Tunnel"
bandwidth 15000
ip address 172.30.2.200 255.255.255.0
no ip redirects
ip mtu 1400
no ip split-horizon eigrp 100
ip nhrp authentication DMVPN_WW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip tcp adjust-mss 1300
delay 1000
tunnel source GigabitEthernet0/0/0.486
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile Cisco_xxx
!
interface Tunnel1
description "Private LAN Tunnel"
bandwidth 20000
ip address 172.30.1.200 255.255.255.0
no ip redirects
ip mtu 1400
no ip split-horizon eigrp 100
ip nhrp authentication DMVPN_WW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip tcp adjust-mss 1300
ip policy route-map ROUTE_THROUGH_ASA
delay 1000
tunnel source GigabitEthernet0/0/0.141
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile Cisco_xxx
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/0.141
description " network 141"
encapsulation dot1Q 141
ip address private IP address for tunnel for VPN office 1 255.255.255.0
!
interface GigabitEthernet0/0/0.486
encapsulation dot1Q 486
ip address public IP address office 3 for VPN tunnel 255.255.255.248
!
interface GigabitEthernet0/0/1
ip address public IP address for LAN ( uses for NAT Cisco ASA) 255.255.255.252
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/2
no ip address
negotiation auto
!
interface GigabitEthernet0/0/2.9
description telepresense
encapsulation dot1Q 9
ip address 192.168.11.2 255.255.255.0
standby 1 ip 192.168.11.1
!
interface GigabitEthernet0/0/2.200
encapsulation dot1Q 200 native
ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
!
router eigrp 100
network 10.0.0.0 0.0.3.255
network 10.10.100.0 0.0.0.255
network 172.30.1.0 0.0.0.255
network 172.30.2.0 0.0.0.255
network 192.168.11.0
network 192.168.200.0
redistribute static route-map STATIC_TO_EIGRP100
passive-interface default
no passive-interface Tunnel0
no passive-interface Tunnel1
no passive-interface GigabitEthernet0/0/2.200
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 public IP address
ip route 10.0.0.0 255.255.252.0 192.168.200.2
ip route 10.1.200.0 255.255.255.0 192.168.200.2
ip route 10.10.10.0 255.255.255.0 192.168.200.2
ip route 10.10.100.0 255.255.255.0 192.168.200.2
ip route 10.20.200.0 255.255.255.0 192.168.200.2
ip route 10.30.14.22 255.255.255.255 192.168.200.2
ip route 10.141.0.0 255.255.0.0 10.141.2.1
ip route 172.16.1.10 255.255.255.255 192.168.200.2
ip route 172.16.141.0 255.255.255.240 192.168.200.2
ip route 172.17.2.0 255.255.255.0 192.168.200.2
ip route 192.168.0.21 255.255.255.255 192.168.200.2
ip route 192.168.64.0 255.255.255.0 192.168.200.2
ip route 192.168.95.0 255.255.255.0 192.168.200.2
ip route 192.168.96.0 255.255.240.0 192.168.200.2
ip route 192.168.129.55 255.255.255.255 192.168.200.2
ip route 192.168.255.0 255.255.255.0 192.168.200.4
ip route public IP address 255.255.255.224 public IP address
!
!
ip access-list standard STATIC_ROUTES
permit 10.30.14.22
permit 192.168.0.21
permit 172.16.1.10
remark "Terminal Server"
permit 192.168.129.55
remark "Static routes redistributed in EIGRP 100"
permit 192.168.96.0 0.0.15.255
permit 172.16.141.0 0.0.0.15
permit 10.10.10.0 0.0.0.255
permit 192.168.64.0 0.0.0.255
permit 10.1.200.0 0.0.0.255
remark "Avaya IP Phone network"
permit 192.168.42.0 0.0.0.255
remark "Route to DMZ network"
permit 172.17.2.0 0.0.0.255
remark " users 1 network"
permit 10.20.200.0 0.0.0.255
permit 10.10.100.0 0.0.0.255
remark "Voice"
permit 10.0.0.0 0.0.3.255
!
ip access-list extended SOURCE_ROUTING
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.202.0 0.0.0.255 any
permit ip 192.168.203.0 0.0.0.255 any
permit ip 192.168.204.0 0.0.0.255 any
permit ip 192.168.208.0 0.0.0.255 any
permit ip 192.168.209.0 0.0.0.255 any
permit ip 192.168.210.0 0.0.0.255 any
permit ip 192.168.211.0 0.0.0.255 any
permit ip 192.168.212.0 0.0.0.255 any
permit ip 192.168.213.0 0.0.0.255 any
permit ip 192.168.214.0 0.0.0.255 any
permit ip 192.168.215.0 0.0.0.255 any
permit ip 192.168.216.0 0.0.0.255 any
permit ip 192.168.217.0 0.0.0.255 any
permit ip 192.168.218.0 0.0.0.255 any
permit ip 192.168.219.0 0.0.0.255 any
permit ip 192.168.220.0 0.0.0.255 any
permit ip 192.168.221.0 0.0.0.255 any
permit ip 192.168.222.0 0.0.0.255 any
permit ip 192.168.223.0 0.0.0.255 any
permit ip 192.168.224.0 0.0.0.255 any
permit ip 192.168.225.0 0.0.0.255 any
permit ip 192.168.226.0 0.0.0.255 any
permit ip 192.168.227.0 0.0.0.255 any
!
logging host 192.168.96.254
access-list 1 remark "SNMP allowed"
access-list 1 permit 192.168.96.254
access-list 110 permit ip any any
access-list 110 permit ip any public IP address 0.0.0.31
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip any any log
!
route-map ROUTE_THROUGH_ASA permit 1
match ip address SOURCE_ROUTING
set ip next-hop 192.168.200.2
!
route-map NAT permit 10
match ip address 180
!
route-map STATIC_TO_EIGRP100 permit 10
match ip address STATIC_ROUTES
!
snmp-server community DCOMM RO 1
!
!
control-plane
!
!
line con 0
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 480 0
privilege level 15
logging synchronous
login local
transport input ssh
line vty 5 15
privilege level 15
login
transport input ssh
!
ntp master 4
ntp server pool.ntp.org
ntp server 80.96.120.253
!
!
pnp profile pnp_redirection_profile
transport http ipv4 127.0.0.1 port 80
end
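Two things in the HUB_1 config above are worth checking with a first-match evaluator rather than by eye: which office-2 flows the route-map ROUTE_THROUGH_ASA would send to the ASA (next hop 192.168.200.2) once ip policy route-map is applied on the ingress tunnel, and whether the entries of access-list 110 are reachable at all, since the list opens with permit ip any any. The script below is an added example, not code from the thread or from Cisco; the SOURCE_ROUTING and 110 entries are transcribed from the posted config (the redacted "public IP address 0.0.0.31" line is left out), and the sample flows are constructed.

```python
"""
Added example: a first-match evaluator for IOS-style extended access lists,
applied to two ACLs transcribed from the HUB_1 running-config in the thread.
IOS evaluates ACL entries top-down, first match wins, implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry (IP level only: action, source, destination)."""
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def net(addr: str, wildcard: str = "0.0.0.0") -> ipaddress.IPv4Network:
    """Translate an IOS 'address wildcard' pair into an IPv4Network.
    A wildcard mask is the bitwise inverse of a subnet mask."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


ANY = net("0.0.0.0", "255.255.255.255")

# ip access-list extended SOURCE_ROUTING (transcribed from the HUB_1 config):
# one deny for 192.168/16 -> 192.168/16, then a permit per spoke LAN.
SOURCE_ROUTING: List[Ace] = [
    Ace("deny", net("192.168.0.0", "0.0.255.255"), net("192.168.0.0", "0.0.255.255"))
]
SOURCE_ROUTING += [
    Ace("permit", net(f"192.168.{n}.0", "0.0.0.255"), ANY)
    for n in [202, 203, 204] + list(range(208, 228))
]

# access-list 110 (transcribed; the redacted 'public IP address 0.0.0.31' entry is omitted)
ACL_110: List[Ace] = [
    Ace("permit", ANY, ANY),
    Ace("deny", net("10.0.0.0", "0.255.255.255"), ANY),
    Ace("deny", net("172.16.0.0", "0.15.255.255"), ANY),
    Ace("deny", net("192.168.0.0", "0.0.255.255"), ANY),
    Ace("deny", net("127.0.0.0", "0.255.255.255"), ANY),
    Ace("deny", net("255.255.255.255"), ANY),
    Ace("deny", net("0.0.0.0"), ANY),
    Ace("deny", ANY, ANY),   # the 'deny ip any any log' line
]


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation: returns (action, index of the matching entry),
    or ("deny", None) for the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, ace in enumerate(acl):
        if s in ace.src and d in ace.dst:
            return ace.action, i
    return "deny", None


def pbr_next_hop(src: str, dst: str) -> Optional[str]:
    """route-map ROUTE_THROUGH_ASA permit 1: a flow permitted by SOURCE_ROUTING
    gets next hop 192.168.200.2 (the ASA); anything else uses normal routing."""
    action, _ = evaluate(SOURCE_ROUTING, src, dst)
    return "192.168.200.2" if action == "permit" else None


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry
    already covers their whole source and destination range."""
    out = []
    for j, later in enumerate(acl):
        if any(later.src.subnet_of(e.src) and later.dst.subnet_of(e.dst) for e in acl[:j]):
            out.append(j)
    return out


if __name__ == "__main__":
    # Constructed sample flows from the office-2 LAN (192.168.226.0/24)
    for src, dst in [("192.168.226.10", "8.8.8.8"), ("192.168.226.10", "192.168.108.2")]:
        print(f"{src} -> {dst}: PBR next hop {pbr_next_hop(src, dst)}")
    print("access-list 110 entries shadowed by entry 0:", shadowed_entries(ACL_110))
```

Run as written, the first flow (office 2 to an internet address) is policy-routed to the ASA, the second (office 2 to the ASA's inside address) is not, because the leading deny excludes 192.168-to-192.168 traffic; and every entry of access-list 110 after the first is reported as shadowed, so its anti-spoofing denies have no effect wherever that list is applied.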
10-17-2019 12:19 AM
The solution to the problem was so easy :)))
Config:
ip route <public addresses of the Cisco HUBs in office 3> /30 <IP address of the ISP gateway in office 2>
ip route 0.0.0.0 0.0.0.0 172.30.2.200 (ip address of the tunnel on HUB 1)
ip route 0.0.0.0 0.0.0.0 172.30.4.200 5 (ip address of the tunnel on HUB 2)
The first route is only there so that the VPN tunnels between office 2 and office 3 work.
The second and third routes pass the internet traffic through the tunnels and after that through the Cisco ASA.
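The three routes in the solution post work together through ordinary route selection: longest prefix first, then administrative distance, and a static route is only installed while its next hop resolves through a connected interface. The script below models that for the office-2 spoke as an added example (not code from the thread or from Cisco). The hub public /30 (198.51.100.0/30), the ISP gateway (203.0.113.1) and the interface name Tunnel2 for the tunnel to HUB 2 are constructed placeholders; the tunnel addresses and VLAN come from the thread.

```python
"""
Added example: route selection on the office-2 spoke after the fix.
Models longest-prefix match, administrative distance (AD), and recursive
next-hop resolution of static routes, which is what makes the floating
static (AD 5) take over when the tunnel to HUB 1 goes down.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None for a directly connected route
    distance: int             # AD: 0 connected, 1 static, 5 floating static
    interface: str            # outgoing interface for connected routes


def r(prefix: str, next_hop: Optional[str], distance: int, interface: str = "") -> Route:
    return Route(ipaddress.ip_network(prefix), next_hop, distance, interface)


# Connected prefixes of the spoke. 203.0.113.0/30 is a placeholder for the
# ISP-facing subnet; Tunnel2 to HUB 2 (172.30.4.0/24) is assumed from the post.
CONNECTED: List[Route] = [
    r("192.168.226.0/24", None, 0, "Vlan20"),
    r("203.0.113.0/30", None, 0, "GigabitEthernet9"),
    r("172.30.2.0/24", None, 0, "Tunnel1"),
    r("172.30.4.0/24", None, 0, "Tunnel2"),
]

# The three static routes from the solution post (placeholders for redacted values).
STATIC: List[Route] = [
    r("198.51.100.0/30", "203.0.113.1", 1),   # hub public addresses via the ISP gateway
    r("0.0.0.0/0", "172.30.2.200", 1),        # default into the tunnel to HUB 1
    r("0.0.0.0/0", "172.30.4.200", 5),        # floating default into the tunnel to HUB 2
]


def installed(connected: List[Route], static: List[Route]) -> List[Route]:
    """A static route is installed only while its next hop lies in a connected
    prefix. When a tunnel is down its connected /24 disappears, so the static
    routes pointing through it are withdrawn."""
    table = list(connected)
    for s in static:
        nh = ipaddress.ip_address(s.next_hop)
        if any(nh in c.prefix for c in connected):
            table.append(s)
    return table


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; ties broken by the lowest administrative distance."""
    d = ipaddress.ip_address(dst)
    candidates = [rt for rt in table if d in rt.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda rt: (rt.prefix.prefixlen, -rt.distance))


def next_hop_for(dst: str, down_interfaces: Tuple[str, ...] = ()) -> Optional[str]:
    """Next hop the spoke would use for dst, optionally with some interfaces down."""
    connected = [c for c in CONNECTED if c.interface not in down_interfaces]
    rt = lookup(installed(connected, STATIC), dst)
    if rt is None:
        return None
    return rt.next_hop or f"connected:{rt.interface}"


def next_hop_without_hub_route(dst: str) -> Optional[str]:
    """Same lookup but without the /30 route for the hub public addresses,
    showing that the tunnel endpoint itself would then be routed into the tunnel."""
    rt = lookup(installed(CONNECTED, STATIC[1:]), dst)
    return rt.next_hop if rt else None


if __name__ == "__main__":
    print("8.8.8.8 ->", next_hop_for("8.8.8.8"))
    print("hub public 198.51.100.2 ->", next_hop_for("198.51.100.2"))
    print("8.8.8.8 with Tunnel1 down ->", next_hop_for("8.8.8.8", ("Tunnel1",)))
    print("hub public without /30 route ->", next_hop_without_hub_route("198.51.100.2"))
```

With all interfaces up, internet traffic goes to 172.30.2.200 and the hub's public address still goes to the ISP gateway because the /30 is more specific than the default; with Tunnel1 down the AD 5 default to 172.30.4.200 takes over. Without the /30 route the hub's public address would itself be resolved through the default route into the tunnel, and the tunnel could never come up.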