Routing some internet destined traffic across site-to-site vpn

adambooth
Level 1

Hi there,

 

I'm struggling a bit with a VPN configuration.

 

At site 1, I have a Cisco 897, with 2 connections, Long Range Wireless on GigabitEthernet8, and DSL on the internal VDSL controller. Both connections have a static IP address.

This router's IP address is 10.10.1.1

 

At site 2, I have a Cisco 891F, also with 2 connections, FTTP on GigabitEthernet8, and a Cellular connection on FastEthernet0. Both connections have dynamic IP addresses. Sometimes the cellular connection is a NAT connection, sometimes it is an internet-routable IP – this doesn't seem to make much difference to anything. The FastEthernet0 interface has IP address 10.10.11.100 – I mention this because it appears in some of the crypto information screens on the router at site 1.

This router's IP address is 10.10.10.1

 

Site 2 always initiates the connection, both sites have failover, and the VPN connection works with every combination of connections, but the preferred is Long Range Wireless at Site 1, and Fibre at Site 2.

 

The site-to-site part of the VPN works perfectly, and both networks can communicate with each other seamlessly. The connection also re-establishes itself well in the event of a disconnection.

 

I would now like to route specific data from Site 1 to always use the outbound internet connection of Site 2. This is because IP restrictions are in place, which mean that only Site 2's IP address can access it.

 

I've tried a few things, adding to the access-list for the crypto map, static routes, and modifying the access-lists for the 2 primary connections at site 1 to deny traffic over its local connections to try to force the data over the VPN. I always get either the data going over the local connection, or (I think) being dropped by the local router, and going nowhere.

 

I've come to the conclusion that my approach mustn't be right! Any help would be much appreciated, and happy to post bits of the configs as required – if you let me know the pertinent parts.

 

Thanks in advance

 

Adam Booth

5 Replies

Richard Burts
Hall of Fame

Adam

 

There are parts of your explanation that I am not clear about. I understand that you have site1 and site2 and have a site-to-site vpn between the sites. This vpn allows site1 devices to access resources in the LAN of site2 (and allows devices at site2 to access resources at site1). Am I correct in assuming that this is a traditional GRE with IPSEC tunnel that uses a crypto map and not a VTI tunnel? This might have some impact on how we implement a solution.

 

I think you are saying that there is some resource on the Internet (not in the networks of either site1 or site2) and you want devices at site1 not to use their own Internet access for this but to go over the site-to-site vpn and then use the Internet access from site2. If this is not correct please provide clarification.

 

There are a couple of things that you need to do to get this to work.

- you will need to modify the access list used for the crypto map on both sites. You will need the access list to permit traffic whose source address is the network at site1 and whose destination address is this special Internet resource.

- I would think that your current routing should send this traffic over the vpn but there is some possibility that you might need a static route at site1 to make sure that the traffic is forwarded to the vpn peer at site2.

- you will need to modify the address translation at site2 so that it will translate this special traffic from the site1 network.

HTH

Rick

adambooth
Level 1

Hi Rick,

 

Para 1 assumptions are all correct: site 1 can access everything at site 2, and vice versa. I avoided a technical explanation of the VPN solution because I'm not entirely sure. There seem to be a number of ways to achieve a site-to-site, but I think what you're saying is correct – I'm pretty sure, as you say, it's IPSEC over GRE – it uses port 500, and I have no virtual/logical interfaces on either router for the VPN endpoints.

 

Para 2, also spot on.

 

Para 3 onwards. I think this is what I've tried. I added (as a test) 216.58.210.35 – to site 1:

ip access-list extended ERICEIRA-VPN
permit ip 10.10.1.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.1.0 0.0.0.255 host 216.58.210.35

 

and site 2:

ip access-list extended VPN-TRAFFIC
permit ip 10.10.10.0 0.0.0.255 10.10.1.0 0.0.0.255
permit ip host 216.58.210.35 10.10.1.0 0.0.0.255

 

If I check the ruleset with show crypto ruleset I see this; not sure if it's relevant / bad... I assume this should say Encrypt for the traffic to 216.58.210.35? But I'm not familiar enough to know what drives the entries in there.

 

IP 10.10.1.0/24 10.10.10.0/24 Discard/notify, Encrypt
IP 10.10.1.0/24 10.10.10.0/24 Discard/notify, Discard
IP 10.10.1.0/24 216.58.210.35 Discard/notify, Discard

 

Doing this, followed by a clear crypto sa (to re-establish the tunnel) and pinging that IP from site 1, I'm 99% sure from the response time it's still going out over the local connection.

 

I have also tried with a static route at site 1:

ip route 216.58.210.35 255.255.255.255 10.10.10.1

 

Again, I'm 99% sure this is still going over the site 1 local connection.

 

As a last ditch, I added to acl 101 and 102 which are for the LR Wireless and DSL respectively at site 1:

access-list 101 deny ip 10.10.1.0 0.0.0.255 host 216.58.210.35
access-list 102 deny ip 10.10.1.0 0.0.0.255 host 216.58.210.35

 

After this, I receive no response at all to the pings.

 

The only thing I haven't tried is the custom NAT rules at site 2, however, this is the rule currently in place at site 2 – so I wasn't sure anything else was required:

access-list 100 deny   ip 10.10.0.0 0.0.255.255 10.10.1.0 0.0.0.255
access-list 100 permit ip 10.10.0.0 0.0.255.255 any

 

Hopefully this gives some more detail!

 

Thanks for your assistance,

 

Adam
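Rick's three-step list (mirrored crypto ACLs on both peers, a route toward the peer, and a NAT rule at site 2 that covers the site 1 source network) and the ACLs Adam posted above can be checked off-box before touching a router. The following is an added example, not code from the thread or from Cisco: a small Python model of IOS first-match ACL semantics with wildcard masks, loaded with the ERICEIRA-VPN, VPN-TRAFFIC and access-list 100 entries from this post. It answers three questions for a given flow: does site 1's crypto ACL select it for encryption, is site 2's crypto ACL the exact mirror (so the proxy identities agree), and would site 2's NAT ACL match it. The function names, the sample host 10.10.1.50 and the `ip`-only restriction are this example's own assumptions; it models ACL matching only, not routing or the interface on which decrypted traffic arrives.

```python
"""
Offline check of Cisco wildcard-mask ACLs for the site-to-site scenario.
Added example: models first-match, implicit-deny ACL semantics; 'ip' entries only.
"""
import ipaddress
from dataclasses import dataclass

ANY = (0, 0xFFFFFFFF)  # 'any' as (base, wildcard): every bit is don't-care


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_spec(tokens, i):
    """Parse one address spec at tokens[i]; return ((base, wildcard), next_index).
    'host X' -> (X, 0.0.0.0) and 'any' -> ANY, so equivalent spellings compare equal."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: tuple    # (base, wildcard)
    dst: tuple


def parse_acl(text: str):
    """Accept 'ip access-list extended NAME' bodies or numbered 'access-list N ...' lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "ip":        # skip the named-ACL header line
            continue
        if t[0] == "access-list":        # numbered form: drop 'access-list 100'
            t = t[2:]
        action, proto = t[0], t[1]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line!r}")
        src, i = parse_spec(t, 2)
        dst, _ = parse_spec(t, i)
        aces.append(Ace(action, src, dst))
    return aces


def matches(addr: str, spec) -> bool:
    """Wildcard bit 1 = don't care; OR-ing the mask in forces those bits equal on both sides."""
    base, wild = spec
    return (_ip(addr) | wild) == (base | wild)


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; an ACL with no match denies implicitly."""
    for ace in acl:
        if matches(src, ace.src) and matches(dst, ace.dst):
            return ace.action
    return "deny"


def is_mirror(local, remote) -> bool:
    """Crypto ACLs must be exact mirrors: each permit on one peer = src/dst swapped on the other."""
    l = {(a.src, a.dst) for a in local if a.action == "permit"}
    r = {(a.dst, a.src) for a in remote if a.action == "permit"}
    return l == r


# ACL text as posted in the thread (site 1 crypto ACL, site 2 crypto ACL, site 2 NAT ACL).
SITE1_CRYPTO = parse_acl("""
ip access-list extended ERICEIRA-VPN
permit ip 10.10.1.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.1.0 0.0.0.255 host 216.58.210.35
""")
SITE2_CRYPTO = parse_acl("""
ip access-list extended VPN-TRAFFIC
permit ip 10.10.10.0 0.0.0.255 10.10.1.0 0.0.0.255
permit ip host 216.58.210.35 10.10.1.0 0.0.0.255
""")
SITE2_NAT = parse_acl("""
access-list 100 deny   ip 10.10.0.0 0.0.255.255 10.10.1.0 0.0.0.255
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
""")


def check_flow(src: str, dst: str) -> dict:
    """Summarise how one site1 -> destination flow is treated by the posted ACLs."""
    return {
        "site1_crypto": evaluate(SITE1_CRYPTO, src, dst),           # selected for encryption?
        "site2_crypto_return": evaluate(SITE2_CRYPTO, dst, src),    # reply selected at site 2?
        "crypto_acls_mirrored": is_mirror(SITE1_CRYPTO, SITE2_CRYPTO),
        "site2_nat": evaluate(SITE2_NAT, src, dst),                 # NAT ACL would translate?
    }


if __name__ == "__main__":
    for dst in ("216.58.210.35", "10.10.10.20", "8.8.8.8"):   # 8.8.8.8: constructed non-VPN destination
        print(f"10.10.1.50 -> {dst}: {check_flow('10.10.1.50', dst)}")
```

Running it shows that, at the ACL level, the posted entries are consistent: the special destination is selected for encryption at site 1, the two crypto ACLs mirror each other, and the site 2 NAT ACL would match a 10.10.1.x source while still excluding the ordinary site-to-site traffic its deny line protects. A destination not listed in the crypto ACL falls through to the implicit deny and is left to the local Internet path, which is the behaviour to confirm with `show crypto ipsec sa` as Rick suggests.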

Adam

 

Thanks for the additional information. As a next step would you attempt the ping from site1 and immediately on both routers use the command show crypto ipsec sa and post the output.

HTH

Rick

Attached

 

aa.aa.aa.aa = site 2 internet address (primary connection)

bb.bb.bb.bb = site 1 secondary connection

cc.cc.cc.cc = site 1 primary connection

 

Thanks

 

Adam

Morning, Rick,

 

2 files attached.

 

aa.aa.aa.aa = site 2 internet address (primary, dynamic ip)

bb.bb.bb.bb = site 1 internet address (secondary, static ip)

cc.cc.cc.cc = site 1 internet address (primary, static ip)

 

Adam