07-10-2013 03:18 PM - edited 03-04-2019 08:25 PM
Hi,
Good day to all,
I configured an MPLS VPN for remote locations using a Cisco 881 at the remote side and a Cisco 2811 on our head-office side with an IP VPN service provider.
The remote user is able to access the head-office network.
Now the problem is he needs internet access, and the only ways I know are either to allow him to use the head-office internet connection or to buy another MPLS VPN tunnel from the service provider for internet, which will be a huge cost
that our office is reluctant to pay for.
Now I am looking for a way to get the internet traffic out through the modem connected to his Cisco 881 router, and the head-office traffic to go over the MPLS VPN.
Now the traffic flow is like:
remote user -------> Cisco 881 ------> internet modem ------------------> service provider network -----------------> head office (Cisco 2811) -----------> servers
Any help will be highly appreciated.
07-10-2013 03:47 PM
It should be easy; it depends on how your users access the internet. Does anyone have internet access? Do you use any type of proxy server? As long as they can reach the internet gateway and they have the proper authorization to access the internet, then it will be straightforward.
07-10-2013 05:52 PM
Hi Amjad,
Thank you for the reply.
May I ask how to get it done?
Yes, without the Cisco 881, by connecting to the modem they can access the internet, but when we connect the router and configure the IP VPN then all the traffic flows into the VPN tunnel.
Please can you guide me to accomplish that.
Attaching the Cisco 881 config here..
The modem IP is 192.168.1.1, which is the gateway for the Cisco 881, or if a user is directly connected to the modem (mini internet router), then it will be the user's gateway.
Here, after connecting the Cisco 881, the users' gateway will be 192.168.200.57.
07-10-2013 06:24 PM
IMHO, I think all the traffic is flowing into the VPN tunnel because you have this configuration:
ip route 0.0.0.0 0.0.0.0 Tunnel0
Normally, we would route only the head-office network into the tunnel.
Your configuration looks interesting to me. If you don't mind, can you post a show ip route result?
07-10-2013 09:19 PM
Mohammed,
How do the users in the head office access the internet? Do they use a proxy server?
If yes, then you have to enable the subnet of the remote office to use the proxy server and that's it; since you are already routing all the traffic from the remote office into the tunnel, routing should be good.
07-11-2013 12:04 AM
Hi Thomas,
Yes, you are right: because of the default route to the tunnel all the traffic flows into the tunnel, but I tried static routes pointing the internet traffic to the modem and not to the tunnel:
ip route 192.168.12.0 255.255.255.0 Tunnel0
ip route 192.168.13.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 192.168.1.1 ------> this is the internet modem IP address
Dear Amjad,
Yes, at the head office all the users use a proxy server for internet, but I don't want the remote users to use the head-office internet connection. They have to exit through the modem only for internet; only the server traffic should come over the tunnel.
07-11-2013 12:23 AM
You may need NAT after putting the static routes pointing the internet traffic to the modem.
07-11-2013 12:29 AM
NAT will be done at the modem for all the traffic coming in on 192.168.1.1.
Can you give an example?
07-11-2013 12:37 AM
Try pinging 192.168.1.1 from the remote user's computer. If you don't get a reply, you have two options now:
1. implement NAT on the 881's FastEthernet4 port
2. add a static route in the modem to point all traffic for the remote users' subnet to the 881's FastEthernet4 port.
07-11-2013 12:50 AM
I am not able to ping 192.168.1.1 after the tunnel is formed.
Great, I have to try that.
Can you provide me the NAT example..
07-11-2013 01:08 AM
Sorry that I didn't say it clearly: you should ping 192.168.1.1 from the remote user's computer only after you configure the default route to the internet (ip route 0.0.0.0 0.0.0.0 192.168.1.1), not when the tunnel is up.
For NAT, TRY this out (replace the placeholders with your head-office subnets and their wildcard masks):
access-list 2000 deny ip any <HO_SUBNET1> <HO_WILDCARD1>
access-list 2000 deny ip any <HO_SUBNET2> <HO_WILDCARD2>
access-list 2000 permit ip any any
interface FastEthernet4
 ip nat outside
interface Vlan1
 ip nat inside
ip nat inside source list 2000 interface FastEthernet4 overload
Verify NAT:
show access-lists 2000
show ip nat translations
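The split-tunnel routing from the earlier replies and the NAT exemption from this one, put together as one worked Cisco 881 configuration. This is an added example, not the poster's attached config or Thomas's reply; it assumes the two head-office subnets are 192.168.12.0/24 and 192.168.13.0/24 (the ones in the poster's static routes), the modem is 192.168.1.1 on FastEthernet4, the LAN gateway is 192.168.200.57 on Vlan1, and Tunnel0 already exists as the IP VPN tunnel.

```cisco
! --- Routing: only head-office prefixes go into the tunnel (split tunnel) ---
! Everything else follows the default route to the modem.
ip route 192.168.12.0 255.255.255.0 Tunnel0
ip route 192.168.13.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! --- NAT exemption list ---
! Extended ACLs take WILDCARD masks (0.0.0.255), not subnet masks; a
! 255.255.255.0 here would silently match the wrong thing.
! deny   = destination is head office  -> NOT translated (goes over Tunnel0)
! permit = anything else               -> translated to the FastEthernet4 address
access-list 2000 remark NAT: exempt head-office traffic, translate the rest
access-list 2000 deny   ip any 192.168.12.0 0.0.0.255
access-list 2000 deny   ip any 192.168.13.0 0.0.0.255
access-list 2000 permit ip any any
!
interface FastEthernet4
 description Uplink to internet modem (192.168.1.1)
 ip nat outside
!
interface Vlan1
 description Remote-user LAN, gateway 192.168.200.57 (assumed from the thread)
 ip nat inside
!
ip nat inside source list 2000 interface FastEthernet4 overload
!
! --- Verification (exec mode) ---
! show ip route            -> 192.168.12.0/24, 192.168.13.0/24 via Tunnel0; 0.0.0.0/0 via 192.168.1.1
! show access-lists 2000   -> deny-line hit counts rise for head-office traffic, permit for internet
! show ip nat translations -> entries only for non-head-office destinations
!
! If IOS answers "%Dynamic mapping in use, cannot change" when you edit the
! NAT statement, flush the active translations first and then re-enter it:
! clear ip nat translation *
```

With this in place, remote-site web traffic leaves through the local modem and no longer passes the head-office proxy, so any filtering or logging done there will not see it; that is the intended effect, but it is worth noting for whoever monitors that site.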
07-11-2013 01:29 AM
Thank you very much, Thomas...
I'll try it and let you know the results..
07-11-2013 04:29 AM
Hey Thomas,
It's working fine.
Thank you very much.
Except for one thing, everything is working fine:
when I entered
ip nat inside source list 2000 interface FastEthernet4 overload
I got the error
%Dynamic mapping in use, cannot change
However, it's working fine. Thank you.