06-05-2012 09:52 AM - edited 03-04-2019 04:34 PM
Hi All,
Thanks for a forum like this that has continued to help individuals like me in my career as a network administrator.
I am presently configuring a VPN connection between two of our offices so that we can have data/voice/video connectivity between the two sites. We want users to be able to access the internet, while the VPN tunnel will be mainly for data/voice/video connectivity.
I am using Cisco 1812 for this configuration.
Attached is a 'show running-config' from the local router. My questions are:
1. Will the configuration shown give me the desired VPN connection as well as give users access to the internet?
2. Is there a way to dedicate bandwidth (say 2 Mbps) just for internet use, while the rest of the bandwidth will be for VPN data traffic?
The 'sho run' is pasted below:
Router#sho run
Building configuration...
Current configuration : 2179 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$UOub$z7fLtnBI.El8lsWrFr6v/0
enable password 7 130816011F091639
!
no aaa new-model
!
!
dot11 syslog
!
!
ip cef
!
!
no ip domain lookup
ip name-server 41.198.x.y
ip name-server 41.198.x.z
!
multilink bundle-name authenticated
!
!
!
!
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2
crypto isakmp key SeCRetKey address 41.200.t.y (PUBLIC IP ADDRESS OF REMOTE ROUTER FROM ISP)
!
!
crypto ipsec transform-set MY-VPN esp-aes 256 esp-md5-hmac
!
crypto map VPN-LG 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set MY-VPN
match address VPN-TRAFFIC
!
archive
log config
hidekeys
!
!
!
!
!
interface Loopback0
ip address 192.100.100.1 255.255.255.255
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
ip address 41.198.X.Y 255.255.255.248 (PUBLIC IP ADDRESS OF LOCAL ROUTER FROM ISP)
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN-LG
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 41.198.T.K (DEFAULT GATEWAY OF ISP)
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet1 overload (NAT FOR INTERNET ACCESS)
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 100 remark EXCLUDED FROM NAT
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 remark
!
!
!
!
!
!
control-plane
!
!
line con 0
password 7 00091215105E1915
login
line aux 0
line vty 0 4
password 7 082C4D5D1D1C1704
login
line vty 5 193
password 7 082C4D5D1D1C1704
login
!
end
Thanks for your help.
Tom
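For question 2, here is an added example (not from the original post, and not Cisco's own sample configuration) of how a 2 Mbps cap on internet traffic could be expressed with IOS MQC on the same router, leaving the tunnel uncapped. It assumes the remote peer's public address is the placeholder 41.200.t.y from the post, and that the service policy is attached to FastEthernet1, where the crypto map lives: on that interface the output policy sees ESP packets after encryption and the input policy sees them before decryption, so VPN traffic is identified by its outer header (ESP and IKE to or from the peer) rather than by the inner LAN addresses in VPN-TRAFFIC.

```ios
! Encrypted tunnel traffic, in both directions, identified by the outer header.
! 41.200.t.y is the placeholder used in the post for the remote public address.
ip access-list extended VPN-PEER
 permit esp any host 41.200.t.y
 permit esp host 41.200.t.y any
 permit udp any host 41.200.t.y eq isakmp
 permit udp host 41.200.t.y any eq isakmp
 permit udp any host 41.200.t.y eq non500-isakmp
 permit udp host 41.200.t.y any eq non500-isakmp
!
class-map match-all VPN
 match access-group name VPN-PEER
!
! The VPN class carries no action, so tunnel packets pass untouched.
! Everything else (class-default) is internet traffic and is policed to
! 2 Mbps: cir is in bits per second, bc (normal burst) in bytes.
policy-map INTERNET-CAP
 class VPN
 class class-default
  police cir 2000000 bc 375000 conform-action transmit exceed-action drop
!
! Apply in both directions so uploads and downloads are both capped.
interface FastEthernet1
 service-policy input INTERNET-CAP
 service-policy output INTERNET-CAP
```

Check the counters with `show policy-map interface FastEthernet1` while a user is browsing: the conform and exceed counters of class-default should move, the VPN class should show matches only while the tunnel is passing traffic. Policing on input only drops packets after they have already crossed the ISP link, but for TCP flows that loss is enough to hold the download rate near 2 Mbps. If you later want queueing (guaranteed bandwidth) for voice and video inside the tunnel instead of a simple cap, that requires shaping the output to the real ISP rate and `qos pre-classify` on the crypto map so the inner DSCP markings are visible; that is a separate design from the cap shown here.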
06-26-2012 04:15 AM
Hi Giuseppe,
Thanks once more for your precious time.
Referring to your post above where you said:
"I would check if these servers have two default gateways configured and they are load balancing over them, with one being the correct gateway and one being a device that is not able to route over the VPN."
Only one default gateway is configured on all the systems. What more do you think could be responsible for this kind of behavior?
As to what I did to bring up the VPN tunnel: I found out that I had a static NAT statement pointing to a particular system that needed to be accessed from the internet; once I removed that NAT statement, my VPN came up. I will still return to it later when I am through with the VPN configuration.
Thanks for your inputs, you helped me a lot. (Of course I'll rate you at the end of this configuration because I'm sure success is just around the corner.) Thanks
Tom
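As an added example (not from the thread and not Cisco's own sample), here is how a one-to-one static NAT for a published server can be made conditional so that it does not interfere with traffic that should go over the tunnel. It assumes a hypothetical internal host 192.168.0.10 published on a hypothetical unused address 41.198.X.Z in the local /29; both addresses are placeholders, not from the post. The point it illustrates is general: `ip nat inside source static` is applied to every packet the host sends, before the crypto map is evaluated, so the host's packets to 192.168.1.0/24 leave with the public source address, no longer match VPN-TRAFFIC, and are routed to the ISP in the clear instead of being encrypted. The route-map limits the static translation to non-tunnel destinations, mirroring the deny/permit pair already used in access-list 100 for the dynamic NAT.

```ios
! Hypothetical published server: inside 192.168.0.10, outside 41.198.X.Z.
! Both addresses are assumptions for this example.
!
! Traffic from the server to the remote LAN must NOT be translated;
! everything else from the server is translated to the public address.
ip access-list extended SERVER-NAT
 deny   ip host 192.168.0.10 192.168.1.0 0.0.0.255
 permit ip host 192.168.0.10 any
!
route-map STATIC-NAT-NOT-VPN permit 10
 match ip address SERVER-NAT
!
! Static NAT that only creates a translation when the route-map permits.
ip nat inside source static 192.168.0.10 41.198.X.Z route-map STATIC-NAT-NOT-VPN
!
! The crypto map peer is the remote router's public address, the same
! address used on the crypto isakmp key line (41.200.t.y in the post).
crypto map VPN-LG 10 ipsec-isakmp
 set peer 41.200.t.y
 set transform-set MY-VPN
 match address VPN-TRAFFIC
!
! Checks after the change, from the local router:
!   show crypto isakmp sa                  (phase 1: state QM_IDLE)
!   show crypto ipsec sa peer 41.200.t.y   (encaps/decaps counters increasing)
!   show ip nat translations               (no entry for 192.168.0.10 -> 192.168.1.x)
!   ping 192.168.1.1 source 192.168.0.1    (extended ping sourced from the LAN side)
```

After applying this, verify from outside that the published address 41.198.X.Z is still reachable, and confirm with `show ip nat translations` that sessions from 192.168.0.10 to 192.168.1.0/24 create no translation while sessions to the internet do. Two further points a practitioner would check in the posted configuration: the `set peer` line must carry the remote public address rather than the remote LAN address, and the ISAKMP policy uses `hash md5`; IOS 12.4 accepts `hash sha` in the same policy, which is the better choice when both ends can be changed together.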
06-26-2012 09:47 AM
Hello Tom,
Mine was just a suggestion of a possible cause. It is not clearly the case.
I wonder if there are other static NAT statements that may cause problems.
However, I would also suggest performing tests from a different system, just to check whether the behaviour changes.
What if you use an extended ping on the router of one site, with source address = internal LAN address, and try to ping systems on the remote internal VLAN?
Are the results the same?
You said in a previous post that a specific end system on the remote site is pingable; is that still true?
Hope to help
Giuseppe
06-21-2012 06:04 AM
Hi Giuseppe,
Thanks for your time in responding to my posts.
Any idea on how to resolve the issue above? The VPN is up but I am having issues reaching resources in the LAN. Ping to the router LAN interfaces replies without breaking, but ping to systems breaks.
Thanks