cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

313
Views
0
Helpful
9
Replies
Highlighted
Beginner

877 Router VPN Tunneling

Hi, I'm trying to use one 877 router as an ADSL gateway, just supplying a WAN connection to a backend 877 router that needs to speak to my ISR back at HQ in order to form a VPN tunnel. Normally we have these directly connected but I need to have a separate guest network to allow guest access to the internet whilst keeping my segregate corporate VPN isolated. I've tried setting up NAT on the gateway, assigning a public IP to the internal IP of the backend router and then using vlan2 on FE0 on both routers to try and route between them and allow the ISR to talk to the backend 877 but it doesn't seem to be working. I can see matches on the gateway 877's firewall rules so it's trying but failing. Is what I'm trying even possible or is there a better solution for this using just one 877? Thanks, Rich
Everyone's tags (6)
9 REPLIES 9
VIP Mentor

Re: 877 Router VPN Tunneling

Hello,

 

have you set up a slit tunnel access list ? Can you post the configuration of your routers (you have 2 877s and 1 ISR) ?

Hall of Fame Master

Re: 877 Router VPN Tunneling

Rich

 

There is not quite enough detail here for us to understand the problem or to give you good advice. Can you clarify some things? Does the vpn terminate on the front (Internet facing) 877 or on the back (private) 877? What kind of vpn is it? (just IPSEC, GRE with IPSEC, VTI? Can you verify if there is IP connectivity between the peer address of the ISR and the peer address of the 877? Can you post the crypto configuration of both routers?

 

HTH

 

Rick

If you found this post helpful, please let the community know by clicking the helpful button!
By doing so, and until end of January, you are helping Doctors Without Borders
Beginner

Re: 877 Router VPN Tunneling

Hi,

 

Configs are attached as requested.

 

There is IP connectivity over the internet between the two ISRs, one at each of our HQ sites and the gateway 877. We're using IPSEC with VTI.

 

Thanks,


Rich

Beginner

Re: 877 Router VPN Tunneling

Hi,

 

I didn't consider using split tunnel as won't that give all of my users local internet breakout?  Also, I need to keep all of the guest users completely segregated from my corporate users.

 

I've posted the configs below, these are for the two 877s.

 

Thanks,

 

Rich

VIP Mentor

Re: 877 Router VPN Tunneling

Hello,

 

I cannot figure out your setup. None of your routers has any NAT enabled interfaces...? But there is a static NAT statement in your 'gateway' router ?

 

Can you post a brief schematic drawing so that we can see what is connected to what ?

Beginner

Re: 877 Router VPN Tunneling

Oh of course I miss that! I'll post updated configs and a schematic when I'm back in the office on Monday.

 

If it helps, Dialer1 on the gateway router would be NAT outside and VLAN1 would be NAT inside.

 

Sorry I'm not making more sense, I'm primarily a server guy :D

Hall of Fame Master

Re: 877 Router VPN Tunneling

Rich

 

Thanks for the additional information. It is good to see the configs but since they seem to be incomplete it is hard to know what is really going on. And since you have used x.x.x.x for both tunnels for both source address and destination address it is hard to know what is going on - and is a bit odd since you left the public IPs in the isakmp key commands. So we can  probably guess that these are the destination address. So what is the source address of each tunnel?

 

I see that both routers in the OSPF section have network statements for the subnets of both tunnels and for the local lan. And also do redistribute connected. I am a bit concerned that this will result in the tunnel source interface being advertised through the ospf to the remote peer which would seem that it might create problems with recursive routing.

 

On both routers would you post output of these commands

show ip ospf 

show ip ospf interface

show ip ospf neighbor

show ip route

 

Also it would be helpful to see at least the crypto parts of the ISR routers.

 

HTH

 

Rick

 

[edit] Also I notice that neither of the routers has a configured default route. Are they learning a default route via ospf? or what?

If you found this post helpful, please let the community know by clicking the helpful button!
By doing so, and until end of January, you are helping Doctors Without Borders
Beginner

Re: 877 Router VPN Tunneling

That's what happens when you try to do multiple things at once in a busy
office and don't concentrate on redacting critical details from a config! I
can't really give the actual, unedited configs but I'll change them to make
more sense once I'm back in the office next week.
Hall of Fame Master

Re: 877 Router VPN Tunneling

Rich

 

I understand the need to protect sensitive information. But giving addresses as x.x.x.x makes it extremely challenging to try to understand what is going on. We need to be able to assess some things about the address, such as is the address the address of a local interface, or if there are access list entries is there an entry about this address, or if there is routing information does that information relate to that address, or do the references to the address in this config match to references in other configs (especially to be sure that the configs of both peers use the same addresses in complementary ways). One suggestion might be to post addresses changing the digits in one of the octets, so that the posted addresses do not point at you - and to state clearly in posting the config that the addresses have been altered.

 

HTH

 

Rick

If you found this post helpful, please let the community know by clicking the helpful button!
By doing so, and until end of January, you are helping Doctors Without Borders
CreatePlease to create content
Content for Community-Ad
FusionCharts will render here