04-30-2013 11:20 AM - edited 03-04-2019 07:46 PM
Hi,
My requirement is that clients from site A should access the Internet from site B (B will be providing Internet to site A). So
I have configured an IPsec VPN tunnel between two routers (from site A to site B) over an untrusted Internet connection using Cisco 3825 routers, and I can successfully access both of these routers.
I have configured a client machine in site A and configured the gateway of this client as 10.1.11.254, but don't have Internet there.
The architecture of both our site routers:
Site A 10.1.11.0-----Router A 172.18.12.1-----VPN tunnel----Router B 172.18.12.2-----Site B 10.4.11.0
Router B:
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 172.18.12.1
!
!
crypto ipsec transform-set jaikalima esp-aes esp-sha-hmac
!
crypto map 2.ciscorouter.ao_to_1.ciscorouter.ao 10 ipsec-isakmp
 set peer 172.18.12.1
 set transform-set jaikalima
 match address 102
 reverse-route
!
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0
 ip address 172.18.12.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
 crypto map 2.ciscorouter.ao_to_1.ciscorouter.ao
!
interface GigabitEthernet0/1
 ip address 10.4.11.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
!
router rip
 version 2
 network 10.0.0.0
 network 61.0.0.0
!
ip default-gateway 172.18.12.x
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 172.18.12.x
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 100 interface GigabitEthernet0/0 overload
!
!
access-list 100 deny ip 10.4.11.0 0.0.0.255 10.1.11.0 0.0.0.255
access-list 100 permit ip 10.4.11.0 0.0.0.255 any
access-list 100 permit ip 10.1.11.0 0.0.0.255 any
access-list 101 permit ip 10.1.11.0 0.0.0.255 any
access-list 102 permit ip 10.4.11.0 0.0.0.255 10.1.11.0 0.0.0.255
!
!
!
!
route-map VPNPolicy permit 10
 match ip address 101
 set ip next-hop 192.168.10.1
!
Router A:
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 172.18.12.2
!
!
crypto ipsec transform-set jaikalima esp-aes esp-sha-hmac
!
crypto map 1.ciscorouter.ao_to_2.ciscorouter.ao 10 ipsec-isakmp
 set peer 172.18.12.2
 set transform-set jaikalima
 match address 102
 reverse-route
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 172.18.12.2 255.255.255.224
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
 crypto map 1.ciscorouter.ao_to_2.ciscorouter.ao
!
interface GigabitEthernet0/1
 ip address 10.1.11.254 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
!
ip default-gateway 172.18.12.x
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 172.18.12.x
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
!
access-list 102 permit ip 10.1.11.0 0.0.0.255 10.4.11.0 0.0.0.255
access-list 102 permit ip any any
!
!
!
!
route-map nonet permit 10
 match ip address 150
Actually, I need to solve this problem as soon as possible.
Waiting for your quick reply.
04-30-2013 11:50 AM
You just need to add two routes and remove all the others.
On router 1 add: ip route 10.4.11.0 255.255.255.0 172.18.12.2 (for VPN)
ip route 0.0.0.0 0.0.0.0 interface connecting Internet
And on router 2 add: ip route 10.1.11.0 255.255.255.0 172.18.12.1 (for VPN)
ip route 0.0.0.0 0.0.0.0 interface connecting Internet
05-08-2013 04:40 AM
Hi Vishal,
Thanks for your reply.
But I am a little bit confused, as I mentioned router B's configuration first in my question.
Do you mean "router 1" as "router A" or "router B" ?
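Crypto access lists on two IPsec peers are expected to be mirror images of each other, so one check worth running on configurations like the ones posted above is whether every permitted source/destination pair on one router has a swapped entry on the other. The following is an added example, not code from any poster in this thread; the helper names are hypothetical and the sample input is constructed from the "access-list 102" lines in the question.

```python
import re

# Constructed from the "access-list 102" lines posted in the question.
ROUTER_A = """\
access-list 102 permit ip 10.1.11.0 0.0.0.255 10.4.11.0 0.0.0.255
access-list 102 permit ip any any
"""
ROUTER_B = """\
access-list 102 permit ip 10.4.11.0 0.0.0.255 10.1.11.0 0.0.0.255
"""

# Numbered extended ACL entry for protocol "ip" (the only form used in the thread).
ACE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'network wildcard'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def crypto_selectors(config, acl):
    """Return the set of (src, dst) pairs permitted by the numbered ACL."""
    pairs = set()
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if not m or m.group(1) != str(acl) or m.group(2) != "permit":
            continue
        src, rest = _take_addr(m.group(3).split())
        dst, _ = _take_addr(rest)
        pairs.add((src, dst))
    return pairs


def unmirrored(local_cfg, remote_cfg, acl_local, acl_remote):
    """Local permit entries with no swapped src/dst entry on the peer."""
    remote = crypto_selectors(remote_cfg, acl_remote)
    return sorted(p for p in crypto_selectors(local_cfg, acl_local)
                  if (p[1], p[0]) not in remote)


if __name__ == "__main__":
    for src, dst in unmirrored(ROUTER_A, ROUTER_B, 102, 102):
        print("Router A entry without a mirror on Router B:", src, "->", dst)
```

On the posted configurations this reports Router A's "permit ip any any" entry, which has no counterpart in Router B's access-list 102.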