Help with getting one IP to only use internet on other side of tunnel

Tony_MN
Level 1

Hello, 

I have a couple of C2900 routers that I have a tunnel working between. I do not use it for much at the moment except allowing a couple of devices to perform backups over the connection. How do I make it so that one device, which I have a DHCP reservation for, is only able to route over the tunnel and use the internet at the other end for access? It has been a while since I set everything up and I have regrettably forgotten some of the Cisco commands. It is not going over the tunnel when I do a traceroute to 1.0.0.1. What additions are needed to the configuration? I have pulled out everything that I have tried.

I would like one IP on side A (10.0.1.251) to have to use the internet connection provided from side B.

Here is my current configuration on side A:

ShopV#show run
Building configuration...


Current configuration : 5949 bytes
!
! No configuration change since last restart
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ShopV
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 AxxxxxxxxxxxxxxxxxxxxxxxE
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 10.0.10.1 10.0.10.50
!
ip dhcp pool ShopV
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
dns-server 8.8.8.8 1.0.0.1
!
ip dhcp pool Reservation xxxxxxxb
host 10.0.1.251 255.255.255.0
client-identifier 0100.bbbb.253d.a7
!
!
!
ip domain name xxxxx.xxx
ip ddns update method No-IP
HTTP
add http://xxxxx.xxxx.xxx.net/nic/updatehostname=<h>&
interval maximum 0 2 0 0
!
ip cef
login block-for 300 attempts 3 within 300
login delay 10
no ipv6 cef
!
multilink bundle-name authenticated
!
vty-async
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-911111180
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-911111180
revocation-check none
rsakeypair TP-self-signed-959133580
!
!
crypto pki certificate chain TP-self-signed-911111180
certificate self-signed 01
308xxxxxxx
quit
voice-card 0
!
!
!
!
!
!
!
!
vxml logging-tag
license udi pid CISCO2921/K9 sn FJC20xxxxxx
license accept end user agreement
license boot suite FoundationSuiteK9
license boot suite AdvUCSuiteK9
!
!
username xxxxxx privilege 15 secret 4 xxxxxxxxxxxxxxxxxxxxx
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxx hostname xxxxx.xxxx.xxx.net
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 10
!
crypto ipsec security-association lifetime seconds 600
!
crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac
mode tunnel
!
!
!
crypto map MY-MAP 10 ipsec-isakmp
set peer xxxxx.xxxx.xxx.net dynamic
set transform-set MY-SET
match address VPN-TRAFFIC
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip ddns update hostname xxxxx.xxxx.xxx.net
ip ddns update No-IP
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map MY-MAP
!
interface GigabitEthernet0/1
ip address 10.0.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
!
ip default-gateway 192.168.10.1
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip route 192.168.1.0 255.255.255.0 172.25.1.1
ip ssh port xxxx rotary 1
ip ssh version 2
!
ip access-list extended NO22
deny tcp any any eq 22
permit ip any any
ip access-list extended VPN-TRAFFIC
permit ip 10.0.1.0 0.0.0.255 172.25.1.0 0.0.1.255
permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
ipv6 ioam timestamp
!
!
snmp-server community xxxxxSNMP-RO RO
snmp-server host 172.25.1.3 version 2c xxxxxSNMP-RO
access-list 101 remark -=[Define NAT Service]=-
access-list 101 deny ip 10.0.1.0 0.0.0.255 172.25.1.0 0.0.1.255
access-list 101 deny ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 101 remark
!
control-plane
!
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
password xxxxxxxx
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class NO22 in
password xxxxxxx
login local
rotary 1
transport input ssh
!
scheduler allocate 20000 1000
ntp server 34.1.249.133
!
end


1 Reply

It is a hard task and 50% of the time it will not work.

If you want to allow traffic from one subnet to pass through the IPsec VPN to access the internet you need

an ACL for the VPN permitting the subnet to any, and that makes a lot of issues.

The solution is to use a GRE tunnel and protect it with IPsec.

Then use PBR to redirect traffic toward the tunnel.

Also you need NAT overload.

MHM
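A sketch of the GRE-over-IPsec plus PBR design the reply describes, as an added example that is not the poster's or MHM's configuration. It keeps the existing crypto map for the two site-to-site subnets and steers only 10.0.1.251 into the tunnel; the 172.16.0.0/30 tunnel addressing, the GRE-PROT profile name, the ACL and route-map names, and the SIDE-A-PUBLIC-IP / SIDE-B-PUBLIC-IP / SIDE-B-WAN-INTERFACE placeholders are assumptions, and side B is assumed to share the same ISAKMP policy, pre-shared key and transform set.

```cisco
! ===== Side A (ShopV) additions =====
! Reuse the existing transform set; protect the GRE tunnel with an IPsec profile
crypto ipsec profile GRE-PROT
 set transform-set MY-SET
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination SIDE-B-PUBLIC-IP
 tunnel protection ipsec profile GRE-PROT
!
! Match only the reserved host, but leave its site-to-site traffic on the existing crypto map
ip access-list extended PBR-HOST-251
 deny   ip host 10.0.1.251 172.25.1.0 0.0.1.255
 deny   ip host 10.0.1.251 192.168.1.0 0.0.0.255
 permit ip host 10.0.1.251 any
!
! Fail closed: if Tunnel0 is down, drop the traffic instead of letting it fall back to side A's own uplink
route-map VIA-SIDE-B permit 10
 match ip address PBR-HOST-251
 set interface Tunnel0 Null0
!
interface GigabitEthernet0/1
 ip policy route-map VIA-SIDE-B
!
! ===== Side B additions (mirror image) =====
crypto ipsec profile GRE-PROT
 set transform-set MY-SET
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nat inside
 tunnel source SIDE-B-WAN-INTERFACE
 tunnel destination SIDE-A-PUBLIC-IP
 tunnel protection ipsec profile GRE-PROT
!
! Host route back through the tunnel, and NAT overload so the host exits via side B's uplink
ip route 10.0.1.251 255.255.255.255 Tunnel0
ip access-list extended NAT-FROM-A
 permit ip host 10.0.1.251 any
ip nat inside source list NAT-FROM-A interface SIDE-B-WAN-INTERFACE overload
```

Check it with `show ip policy` and `show crypto ipsec sa` on side A, then traceroute to 1.0.0.1 from 10.0.1.251: 10.0.1.1 should be the first hop and 172.16.0.2 the second, and side B's translation table (`show ip nat translations`) should list the 10.0.1.251 flows.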