Policy based routing with vpn

rodrigopuig2011
Level 1

Hello!

I need some help... I have a VPN working between 2 sites; one of them (A) has a public fixed IP and the other one (B) has a dynamic IP address.

On the dynamic side, there is a server I need to access from the internet. The ISP on this side is blocking all ports (that is why we are using the VPN).

My idea is to access the server using the fixed IP, jumping from there via the VPN to the server hanging on the other side.
For instance, from my home (C), using any remote access tool, I type the fixed IP address (A):port, so the router at A takes this traffic and sends it over the VPN to the router at B, and that router redirects it to the server.

I think this can be achieved using PBR, but I'm not sure how.... so any ideas or clarifications would be welcome.

I hope my English is understandable, thanks!!

8 Replies

Hello,

depending on how your VPN is set up, traffic to the Internet at both sites should be routed out locally, and traffic between your sites should go through the VPN. So once you have access to site A, you should be able to access anything on site B without any further configuration changes, provided you have set up split tunneling at both sites.

Post the configurations of both sites, that is the fastest way to solve this...

Georg

Thank you for your help!

I think the relevant parts of my configs are these:

Fixed IP Router

interface Loopback0
ip address 1xx.xx.x.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Tunnel0
ip address 1x.x.x.1 255.255.255.252
no ip redirects
ip mtu 1400
ip nhrp authentication pass
ip nhrp map multicast dynamic
ip nhrp network-id 200000
ip nhrp holdtime 360
ip nhrp server-only
ip tcp adjust-mss 1360
cdp enable
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 200000
!
interface FastEthernet0/0
ip address 1xx.xx.xx.x8 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/0/0
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
no ip address
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
router eigrp 157
network 1x.x.x.0 0.0.0.3
network 1xx.xx.x.0 0.0.0.255
network 192.168.20.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 1xx.xx.xx.x7

Dynamic IP Side

interface Tunnel0
ip address 1x.x.x.2 255.255.255.252
no ip redirects
ip mtu 1400
ip nhrp authentication pass
ip nhrp map multicast 1x.xx.xx.x8
ip nhrp map 1x.x.x.1 1x.xx.xx.x8
ip nhrp network-id 200000
ip nhrp holdtime 360
ip nhrp nhs 1x.x.x.1
ip nhrp registration no-unique
no ip mroute-cache
delay 1000
cdp enable
tunnel source FastEthernet0
tunnel destination 1x.xx.xx.x8
tunnel key 200000
!
interface Loopback0
ip address 1xx.xx.xx.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface FastEthernet0
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
router eigrp 157
network 1x.x.x.0 0.0.0.3
network 1xx.xx.xx.0 0.0.0.255
network 192.168.10.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!

Hello,

I have made some changes to your configurations using policy-based routing. Basically, you have default routes pointing to the Internet, and the policy routing sends traffic between your internal networks through the tunnel.

On the fixed IP router, you would obviously need a static NAT entry for your server, in order to access the server from the outside. Once you have access, you can 'hop' to the other side...

Fixed IP Router

interface Loopback0
ip address 1xx.xx.x.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Tunnel0
ip address 1x.x.x.1 255.255.255.252
no ip redirects
ip mtu 1400
ip nhrp authentication pass
ip nhrp map multicast dynamic
ip nhrp network-id 200000
ip nhrp holdtime 360
ip nhrp server-only
ip tcp adjust-mss 1360
cdp enable
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 200000
!
interface FastEthernet0/0
ip address 1xx.xx.xx.x8 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/0/0
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
no ip address
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map PBR
!
router eigrp 157
network 1x.x.x.0 0.0.0.3
network 1xx.xx.x.0 0.0.0.255
network 192.168.20.0
no auto-summary
!
ip nat inside source list 100 interface FastEthernet0/0
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
!
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
route-map PBR permit 10
match ip address 101
! next hop is the far end of the tunnel (the dynamic side); 1x.x.x.1 is this router's own Tunnel0 address
set ip next-hop 1x.x.x.2

----------------------

Dynamic IP Side

interface Tunnel0
ip address 1x.x.x.2 255.255.255.252
no ip redirects
ip mtu 1400
ip nhrp authentication pass
ip nhrp map multicast 1x.xx.xx.x8
ip nhrp map 1x.x.x.1 1x.xx.xx.x8
ip nhrp network-id 200000
ip nhrp holdtime 360
ip nhrp nhs 1x.x.x.1
ip nhrp registration no-unique
no ip mroute-cache
delay 1000
cdp enable
tunnel source FastEthernet0
tunnel destination 1x.xx.xx.x8
tunnel key 200000
!
interface Loopback0
ip address 1xx.xx.xx.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map PBR
!
router eigrp 157
network 1x.x.x.0 0.0.0.3
network 1xx.xx.xx.0 0.0.0.255
network 192.168.10.0
no auto-summary
!
ip classless
!
ip nat inside source list 100 interface FastEthernet0
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0 dhcp
!
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
route-map PBR permit 10
match ip address 101
set ip next-hop 1x.x.x.1
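
As an added example (not from this thread, and not the configuration of either poster), here is one way to do what the original question asks: publish a server sitting on the dynamic site (B) through the fixed site's (A) public address, so a client on the Internet connects to A and the session is carried over the existing tunnel to B. It layers on top of the PBR configuration above and uses placeholder values that do not appear in the thread: the server is 192.168.10.50 listening on TCP 3389 (RDP, standing in for whatever remote-access port is really used), A's public address is the one on FastEthernet0/0, and the tunnel endpoints are 1x.x.x.1 (A) and 1x.x.x.2 (B) as in the posted configs.

```cisco
! Added example, not from the thread. Placeholders: server 192.168.10.50,
! service port TCP 3389, tunnel ends 1x.x.x.1 (A) and 1x.x.x.2 (B).
!
! ----- Router A (fixed IP side) -----
! Classic IOS NAT only translates a packet that crosses from a "nat outside"
! interface to a "nat inside" one. The forwarded packet arrives on
! FastEthernet0/0 (outside) and leaves through Tunnel0, so Tunnel0 has to be
! marked inside or the static entry below never fires.
interface Tunnel0
ip nat inside
!
! Static port forward: TCP 3389 on A's public address -> the server at B.
! A's own 192.168.20.0/24 overload rule (access-list 100) is unaffected.
ip nat inside source static tcp 192.168.10.50 3389 interface FastEthernet0/0 3389
!
! ----- Router B (dynamic IP side) -----
! The server's replies go to the client's public address, which B's default
! route would send straight out FastEthernet0 (and NAT to B's dynamic IP).
! The client would then see a different source address and drop the packets.
! Policy-route those replies back over the tunnel instead. This adds a
! sequence to the PBR route-map already applied to Vlan10 above.
access-list 102 permit tcp host 192.168.10.50 eq 3389 any
!
route-map PBR permit 5
match ip address 102
set ip next-hop 1x.x.x.1
```

Two things are worth checking before relying on this. First, the return path: `show ip nat translations` on A should show the 192.168.10.50:3389 entry, and `show route-map PBR` on B should show the policy-routed counter for sequence 5 increasing while a client is connected; if it stays at zero the replies are leaving through B's ISP and the session will not establish. Second, the exposure: the static translation makes TCP 3389 on A's public address reachable from anywhere, so limit who can reach it (an inbound access list on A's FastEthernet0/0 restricted to known client addresses, or an equivalent firewall rule), and note that the tunnels as posted are plain mGRE with no `tunnel protection`, so the tunnel itself encrypts nothing between A and B; the remote-access protocol has to bring its own encryption.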

I will apply the changes and come back with the results.... Thank you!

I have a problem.... regarding what you said: "On the fixed IP router, you would obviously need a static NAT entry for your server, in order to access the server from the outside. Once you have access, you can 'hop' to the other side..."
My server is not on the fixed side. It is on the dynamic side.... I'm just trying to use the fixed router to get there via the VPN.....

Hello,

sorry for the misunderstanding. What I meant was this: on the fixed side, you need to access something, a server or a PC, which allows you to hop to the other, dynamic side, where the server you eventually want to get to is located. I don't think there is a way to directly access the server on the dynamic side without accessing a machine on the fixed side first.

Does that make sense?

Understood...

A loopback interface maybe? Or does it have to be an actual machine??

I'm attaching an image to clarify...

Hello,

as far as I can see, you need to log on to something locally, so a loopback won't work. Unless I can think of something else that automatically reroutes your traffic.

I'll get back to you, I will try and lab this...