Internet access for users in remote location

Hi,

Good day to all,

I configured MPLS VPN for remote locations using a Cisco 881 at the remote side and a Cisco 2811 on our head-office side, with an IP VPN service provider.

The remote user is able to access the head office network.

Now the problem is he needs internet access. The only way I know is that we have to allow him to use the head office internet connection, or another MPLS VPN tunnel with the service provider for the internet connection, which will be a huge cost,

which our office is reluctant to give.

Now I am looking for a way to get the internet traffic out from the modem connected to his router (Cisco 881), and the head-office traffic to go on the MPLS VPN.

Now the traffic flow is like:

remote user-------->cisco 881------>internet modem------------------>service provider network----------------->head office(cisco 2811)----------->Servers


Any help will be highly appreciated.


amabdelh

It should be easy; it depends on how your users access the internet. Does anyone have internet access? Do you use any type of proxy server? As long as they can reach the internet gateway and they have the proper authorization to access the internet, then it will be straightforward.

Hi Amjad,

Thank you for the reply.

May I ask how to get it done?

Yes, without the Cisco 881, by connecting to the modem they can access the internet, but when we connect the router and configure the IP VPN, then all the traffic is flowing to the VPN tunnel.

Please can you guide me to accomplish that.

attaching the cisco 881 config here..

modem ip is 192.168.1.1 which is gateway for cisco 881 , or if user directly connected to modem(mini internet router), then it will be users gateway.

here after connecting cisco 881 the users gateway will be 192.168.200.57

IMHO, i think all the traffic is flowing to vpn tunnel cause you have this configuration:

ip route 0.0.0.0 0.0.0.0 Tunnel0

normally, we would route only head office network into tunnel.

your configuration looks interesting to me. if you don't mind, can you post a show ip route result?

Mohammed

How do the users in the head office access the internet? Do they use a proxy server?

If yes, then you have to enable the subnet of the remote office to use the proxy server and that's it; since you are already routing all the traffic from the remote office into the tunnel, routing should be good.

Hi Thomas,

Yes, you are right: because of the default route to the tunnel, all the traffic is flowing to the tunnel. But I tried static routes pointing the internet traffic to the modem, not to the tunnel:

ip route 192.168.12.0 255.255.255.0 tun0

ip route 192.168.13.0 255.255.255.0 tun0

ip route 0.0.0.0 0.0.0.0 192.168.1.1    ------> this is internet modem ip address

Dear Amjad,

Yes, at head office all the users use a proxy server for internet, but I don't want the remote users to use the head office internet connection. They have to get the exit from the modem only for internet; only the servers' traffic should come on the tunnel.

You may need NAT after putting static routes pointing the internet traffic to the modem.

Natting will be done at modem for all the traffic coming on 192.168.1.1

can you give an example

try ping 192.168.1.1 from remote user's computer, if you don't get reply, you have two options now:

1. implement nat in 881's FastEthernet4 port

2. add a static route in modem to point all traffic to remote users' subnet to 881's FastEthernet4 port.

i am not able to ping to 192.168.1.1 after forming tunnel.

great, i have to try on that.

can you provide me the natting example..

sorry that i didn't say it clearly, you should ping 192.168.1.1 from remote user's computer only after you configure default route to internet (ip route 0.0.0.0 0.0.0.0 192.168.1.1) but not when tunnel is up.

for nat, TRY this out:

! HO_net1 / YOUR_HEAD_OFFICE_SUBNET2: head-office network followed by its wildcard mask
access-list 2000 deny ip any HO_net1
access-list 2000 deny ip any YOUR_HEAD_OFFICE_SUBNET2
access-list 2000 permit ip any any
!
interface FastEthernet4
 ip nat outside
!
interface Vlan1
 ip nat inside
!
ip nat inside source list 2000 interface FastEthernet4 overload

verify nat:

show access-lists
show ip nat translations
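The split-tunnel logic discussed in this thread, modelled in Python as an added example that is not part of any post: it parses `ip route` and `access-list` lines, shows which next hop a destination takes and whether the NAT ACL permits it, and reports a default route into the tunnel or a tunnel prefix the ACL would translate. The function names are hypothetical, and filling the ACL placeholders with 192.168.12.0/24 and 192.168.13.0/24 is an assumption based on the routes posted above.

```python
import ipaddress

# Constructed sample input: the routes posted in the thread, plus the answer's
# ACL with its placeholders filled in by those two tunnel subnets (assumption).
CONFIG = """\
ip route 192.168.12.0 255.255.255.0 Tunnel0
ip route 192.168.13.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
access-list 2000 deny ip any 192.168.12.0 0.0.0.255
access-list 2000 deny ip any 192.168.13.0 0.0.0.255
access-list 2000 permit ip any any
"""

def parse(config):
    """Return (routes, acl): [(network, next_hop)], [(action, dst_network)]."""
    routes, acl = [], []
    for w in (line.split() for line in config.splitlines()):
        if w[:2] == ["ip", "route"]:
            routes.append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), w[4]))
        elif w[:1] == ["access-list"] and w[3:5] == ["ip", "any"]:
            if w[5] == "any":
                acl.append((w[2], ipaddress.ip_network("0.0.0.0/0")))
            else:  # invert the wildcard mask to get a netmask
                mask = ipaddress.ip_address(int(ipaddress.ip_address(w[6])) ^ 0xFFFFFFFF)
                acl.append((w[2], ipaddress.ip_network(f"{w[5]}/{mask}")))
    return routes, acl

def decide(dst, routes, acl):
    """Next hop by longest-prefix match; ACL verdict by first match (implicit deny)."""
    ip = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, hop) for net, hop in routes if ip in net]
    hop = max(hits)[1] if hits else None
    nat = next((action == "permit" for action, net in acl if ip in net), False)
    return hop, nat

def audit(routes, acl):
    """Report a tunnel default route and tunnel prefixes the NAT ACL permits."""
    findings = []
    for net, hop in routes:
        if not hop.lower().startswith("tun"):
            continue
        if net.prefixlen == 0:
            findings.append("default route points into the tunnel")
        for action, acl_net in acl:  # first overlapping entry decides (assumes ACL entries are no narrower than the routes)
            if net.overlaps(acl_net):
                if action == "permit":
                    findings.append(f"NAT ACL permits tunnel prefix {net}")
                break
    return findings
```

Running `audit(*parse(text))` on a candidate configuration before applying it shows whether head-office prefixes are still excluded from translation.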

Thank you very much Thomas...

I'll try and let you know the results..

Hey Thomas,

It's working fine.

Thank you very much.

Except one thing, everything is working fine.

When I entered

ip nat inside source list 2000 interface FastEthernet4 overload

I got the error

%Dynamic mapping in use, cannot change

However it's working fine, thank you.
