702 Views, 0 Helpful, 6 Replies

Help Please!!

omer_babiker
Level 1

Hi All,

Please consider the attached diagram.

- There is no direct connection to side 2 from PC-1.

- There is an MPLS link between side1 & side 2, and both local networks can access each other.

My question:

Can I access the 10.0.1.0/24 network (side 2) through side 1, as I can access FW1 using the VPN client?

If that is possible, what configuration should I do?

Your help is appreciated

Thanks

6 Replies

omer_babiker
Level 1

Yes you can.

If you have split tunnel configured, then just add the side 2 LAN in the split tunnel ACL.

Also, add the NAT exemption from side 2 LAN towards the VPN Client pool.

Let me know if it doesn't work, and pls share your FW configuration.

Thanks Jennifer for your helpful response as usual.

So, the config will be:

access-list NEW-Split-List standard permit 10.0.1.0 255.255.255.0

ip local pool NEW_POOL 192.168.18.1-192.168.18.15 mask 255.255.255.240

group-policy NEW internal
group-policy NEW attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NEW-Split-List
address-pools value NEW_POOL

tunnel-group NEW-TUNNEL type remote-access
tunnel-group NEW-TUNNEL general-attributes
default-group-policy NEW
tunnel-group NEW-TUNNEL ipsec-attributes
pre-shared-key *

Now, do I need to allow those IPs (in the pool) on FW2 (side 2), or is it allowed by default?

Thanks,

You will also need to configure NAT exemption on FW1.

Now, on FW2, depending on the security levels, you would also need to configure NAT exemption as well as an access-list on the interface to allow the traffic through. Plus, I am assuming that FW2 has a default route towards the MPLS link?

Yes, that makes sense to me.

On FW1, we have a default route to the internet, but I'll configure a static route for the side 2 network towards the MPLS link. Am I right?

On FW2, either it will be the same case as FW1, or all the traffic will be routed towards the MPLS link.

I'm working on the MPLS link with the service provider and it may come up by tomorrow. I'll definitely get back to you with the results.

I really appreciate your help Jennifer.

Correct, on FW1 you would need to configure a static route for the side 2 network towards the MPLS link.

On FW2, if all traffic is routed towards the mpls link, then you don't need to worry about routing. You just have to configure NAT exemption for traffic destined towards the vpn pool, and ACL accordingly.

If internet traffic is routed via local ISP, and only traffic destined towards FW1 is routed via the MPLS link then you would also need to add route for the vpn pool to route via the MPLS link towards FW1.
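Putting the steps from the replies above together in one place, as an added example that is not from the original posts: the split-tunnel entry and static route on FW1, the NAT exemption on both firewalls, the inbound ACL on FW2, and the optional pool route on FW2. ASA 8.4(2)+ object/twice-NAT syntax is assumed. The interface names ("outside", "mpls", "inside") and the MPLS next-hop addresses 172.16.0.1 and 172.16.0.2 are placeholders, since the diagram is not reproduced here; substitute your own. The pool 192.168.18.1-192.168.18.15 fits in 192.168.18.0/28, which is what the objects below use.

```cisco
! ===== FW1 (side 1, VPN head-end) =====
! Assumed interface names: "outside" terminates the VPN clients,
! "mpls" faces the MPLS CE router (next hop 172.16.0.1 is a placeholder).
object network SIDE2-LAN
 subnet 10.0.1.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.18.0 255.255.255.240
!
! 1. Split tunnel: push the side 2 LAN to the client (same ACL as in the thread).
access-list NEW-Split-List standard permit 10.0.1.0 255.255.255.0
!
! 2. Send side 2 over the MPLS link instead of following the default route.
route mpls 10.0.1.0 255.255.255.0 172.16.0.1
!
! 3. NAT exemption (identity twice NAT) between side 2 and the VPN pool.
!    Twice NAT is bidirectional, so this covers pool -> side 2 and the replies.
nat (mpls,outside) source static SIDE2-LAN SIDE2-LAN destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
!
! ===== FW2 (side 2) =====
! Assumed interface names: "inside" is 10.0.1.0/24, "mpls" faces the MPLS link.
object network SIDE2-LAN
 subnet 10.0.1.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.18.0 255.255.255.240
!
! 4. NAT exemption for inside -> VPN pool, so any dynamic PAT on FW2
!    does not translate the return traffic.
nat (inside,mpls) source static SIDE2-LAN SIDE2-LAN destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
!
! 5. Inbound ACL on the MPLS-facing interface: permit only the pool to side 2
!    (traffic arriving from a lower security level is dropped without this).
access-list MPLS-IN extended permit ip object VPN-POOL object SIDE2-LAN
access-group MPLS-IN in interface mpls
!
! 6. Only if FW2's default route goes to a local ISP rather than the MPLS link:
!    route the VPN pool back towards FW1 (next hop 172.16.0.2 is a placeholder).
route mpls 192.168.18.0 255.255.255.240 172.16.0.2
```

Two checks before testing from the client: `show run sysopt` on FW1 should still show the default `sysopt connection permit-vpn`, otherwise decrypted client traffic is subject to the outside interface ACL as well; and if the `access-group` command on FW2 already exists for that interface, add the permit line to the existing ACL instead, because a second `access-group` replaces the first. With everything in place, `packet-tracer input mpls tcp 192.168.18.5 12345 10.0.1.10 445` on FW2 shows whether the ACL and NAT phases pass.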
