site2site vpn + local internet breakout on 861

Hi,

I have set up a VPN between two sites with two Cisco 861 routers.

That works.

Now one of the sites wants to use that 861 also to go to the internet.

I thought just configure

ip nat inside

ip nat outside

access list 1

and all should work...

But not.

What am I doing wrong?

The local network is 192.168.120.x/24

The config:

#sh run

Building configuration...

Current configuration : 3917 bytes

!

! Last configuration change at 17:35:30 UTC Mon Jan 2 2006 by admin

! NVRAM config last updated at 12:28:22 UTC Mon Jan 2 2006 by admin

! NVRAM config last updated at 12:28:22 UTC Mon Jan 2 2006 by admin

version 15.1

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname blabla

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

!

no aaa new-model

memory-size iomem 10

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-1105714830

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1105714830

revocation-check none

rsakeypair TP-self-signed-1105714830

!

!

crypto pki certificate chain TP-self-signed-1105714830

certificate self-signed 01

  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 31313035 37313438 3330301E 170D3036 30313032 31323030

  34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31303537

  31343833 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100B9BC 5F65D961 3BDBAD30 C68D26CC A76CFF28 C6DE12A4 347DFF47 221D2B5F

  4F65CFDC 0CC170FB B30BC358 2A76995A F453E842 E337D74F 0B028926 D123EC3A

  D0AF04AA 2AE772E4 A0B24D5E 532BEA0C 9211F753 FC192FBC 8212A8E1 2BF57B87

  85BAC889 FD5BFEA9 AB273D51 7968297C 58BD4E60 26329D6A A6DC1A1D 77112080

  32390203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

  551D2304 18301680 14E8F842 F9173B5E 27676BD9 20410501 B3D17620 C2301D06

  03551D0E 04160414 E8F842F9 173B5E27 676BD920 410501B3 D17620C2 300D0609

  2A864886 F70D0101 05050003 818100A7 591C255F 9514672C 66EABFD8 080CC11F

  4964BFEF 48C5BB7F 3CA216AD B70EC44F F72958E3 7414B679 2A0401A0 1C502489

  47E00093 43FA4C55 BE0612EF FE965E2E C1F48AAA 7EC1C89C C84104A2 C6AFDCF7

  F7AFD743 B06D9DAC 8194F6CC 24DBB481 9D5A181A BEA68557 C841018E A71CBE8B

  59C2B6A2 63272C2E 8D93973D 1DC6E2

        quit

ip source-route

!

!

!

!

!

ip cef

no ip domain lookup

ip domain name blabla.com

!

!

license udi pid CISCO861-K9 sn FGL165123TK

!

!

username admin

!

!

!

!

crypto isakmp policy 1

encr aes 192

authentication pre-share

group 2

crypto isakmp key xxxxxxxxxxxxxx address 212.201.x.x

!

!

crypto ipsec transform-set ID-SET esp-aes esp-sha-hmac

!

crypto map RTD01_ID01 10 ipsec-isakmp

set peer 212.201.x.x

set transform-set ID-SET

set pfs group2

match address 101

!

!

!

!

!

interface FastEthernet0

no ip address

!

interface FastEthernet1

no ip address

spanning-tree portfast

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface FastEthernet4

ip address 110.x.x.x 255.255.255.248

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

crypto map RTD01_ID01

!

interface Vlan1

description 120 network

ip address 192.168.120.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

!

interface Vlan100

ip address 192.168.121.1 255.255.255.0

ip virtual-reassembly in

!

interface Vlan121

no ip address

!

ip forward-protocol nd

no ip http server

ip http authentication local

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip route 0.0.0.0 0.0.0.0 110.x.x.161

!

access-list 1 permit 192.168.120.0 0.0.0.255

access-list 23 permit 213.125.234.242

access-list 23 permit 83.81.105.169

access-list 101 permit ip 192.168.120.0 0.0.0.255 192.168.100.0 0.0.0.255

access-list 101 permit ip 192.168.121.0 0.0.0.255 192.168.100.0 0.0.0.255

no cdp run

!

line con 0

login local

line aux 0

line vty 0 4

privilege level 15

login local

transport preferred ssh

transport input ssh

!

end

7 Replies

cadet alain
VIP Alumni

Hi,

access-list 100 deny ip 192.168.120.0 0.0.0.255 x.x.x.x x.x.x.x  where x.x.x.x is the destination private subnet and subnet mask for the remote VPN

access-list 100 permit ip 192.168.120.0 0.0.0.255

ip nat inside source list 100 interface f4

do the same on the other router too and it will work.

Regards

Alain

Don't forget to rate helpful posts.

Thanks, will try it on Monday.

Will let you know the feedback.

Martin

Hi, should the last line not be

ip nat inside source list 100 interface vlan1

and the line

access-list 100 permit ip 192.168.120.0 0.0.0.255

is missing info.

Hi,

you're correct, there is something missing in the ACL.

this line:

access-list 100 permit ip 192.168.120.0 0.0.0.255

should be:

access-list 100 permit ip 192.168.120.0 0.0.0.255 any

Regards

Alain

Don't forget to rate helpful posts.

I did it already, but sorry, it still doesn't work.

So recap.

I still want to do site-to-site VPN, and want this 861 also to be used as NAT router for the internet so that PCs behind it can browse the internet.

The config now:

interface FastEthernet0

no ip address

!

interface FastEthernet1

no ip address

spanning-tree portfast

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface FastEthernet4

ip address 110.x.x.163 255.255.255.248

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

crypto map RTD01_ID01

!

interface Vlan1

description 120 network

ip address 192.168.120.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

!

interface Vlan100

ip address 192.168.121.1 255.255.255.0

ip virtual-reassembly in

!

interface Vlan121

no ip address

!

ip forward-protocol nd

no ip http server

ip http authentication local

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 100 interface Vlan1 overload

ip route 0.0.0.0 0.0.0.0 110.x.x.161

!

access-list 23 permit 213.125.234.242

access-list 23 permit 83.81.105.169

access-list 100 permit ip 192.168.120.0 0.0.0.255 any

access-list 100 deny   ip 192.168.120.0 0.0.0.255 192.168.100.0 0.0.0.255

access-list 101 permit ip 192.168.120.0 0.0.0.255 192.168.100.0 0.0.0.255

access-list 101 permit ip 192.168.121.0 0.0.0.255 192.168.100.0 0.0.0.255

no cdp run

Still pointers?

Martin

Hi,

no access-list 100

access-list 100 deny   ip 192.168.120.0 0.0.0.255 192.168.100.0 0.0.0.255

access-list 100 deny   ip 192.168.121.0 0.0.0.255 192.168.100.0 0.0.0.255

access-list 100 permit ip 192.168.120.0 0.0.0.255 any

access-list 100 permit ip 192.168.121.0 0.0.0.255 any

no ip nat inside source list 100 interface Vlan1 overload

ip nat inside source list 100 interface fa4

Regards

Alain

Don't forget to rate helpful posts.
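Both of Alain's replies (the first NAT-exemption ACL and the accepted solution) rest on two IOS behaviours that the thread never spells out: an access list is evaluated first-match, so a `permit ... any` placed before the `deny` lines (as in Martin's "config now" post) translates the VPN traffic anyway; and for inside-to-outside packets NAT is applied before the crypto map is consulted, so a translated packet no longer matches crypto ACL 101 and leaves in the clear. The following is an added example, written for this page and not code from the thread or from Cisco, that simulates exactly that decision for the posted ACL and for the accepted one. The private subnets are the thread's; the outside address is a constructed placeholder for the redacted FastEthernet4 address.

```python
"""Added example (not from the thread): first-match ACL evaluation plus the
IOS inside-to-outside order of operations (NAT before crypto map).
The outside address below is a constructed stand-in for the redacted one."""
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # "network wildcard" or "any" ("host x" is normalised to "x 0.0.0.0")
    dst: str


def _take_spec(tokens):
    """Consume one IOS address spec and return (spec, remaining tokens)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(lines):
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' lines, keeping order."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        src, rest = _take_spec(parts[4:])
        dst, _ = _take_spec(rest)
        entries.append(AclEntry(parts[2], src, dst))
    return entries


def wildcard_match(addr, spec):
    """IOS wildcard match: a 1 bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (a & care) == (n & care)


def acl_lookup(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src) and wildcard_match(dst, e.dst):
            return e.action
    return "deny"


def forward(nat_acl, crypto_acl, outside_ip, src, dst):
    """Inside-to-outside on IOS: NAT runs before the crypto map is checked, so a
    packet the NAT ACL permits reaches the crypto ACL with the translated
    source.  Returns (path, source address as seen on the wire)."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = outside_ip
    if acl_lookup(crypto_acl, src, dst) == "permit":
        return "ipsec", src
    return "clear", src


# Crypto ACL 101 exactly as in the original post.
CRYPTO_ACL = parse_acl([
    "access-list 101 permit ip 192.168.120.0 0.0.0.255 192.168.100.0 0.0.0.255",
    "access-list 101 permit ip 192.168.121.0 0.0.0.255 192.168.100.0 0.0.0.255",
])

# NAT ACL as posted in the "config now" reply: the permit is listed first.
NAT_ACL_POSTED = parse_acl([
    "access-list 100 permit ip 192.168.120.0 0.0.0.255 any",
    "access-list 100 deny   ip 192.168.120.0 0.0.0.255 192.168.100.0 0.0.0.255",
])

# NAT ACL from the accepted solution: VPN subnets denied before the permits.
NAT_ACL_FIXED = parse_acl([
    "access-list 100 deny   ip 192.168.120.0 0.0.0.255 192.168.100.0 0.0.0.255",
    "access-list 100 deny   ip 192.168.121.0 0.0.0.255 192.168.100.0 0.0.0.255",
    "access-list 100 permit ip 192.168.120.0 0.0.0.255 any",
    "access-list 100 permit ip 192.168.121.0 0.0.0.255 any",
])

OUTSIDE_IP = "203.0.113.163"   # constructed placeholder for the FastEthernet4 address


def compare(src="192.168.120.10", vpn_dst="192.168.100.10", inet_dst="198.51.100.1"):
    """Path taken by a VPN-bound and an internet-bound packet under each ACL."""
    return {
        "posted_vpn": forward(NAT_ACL_POSTED, CRYPTO_ACL, OUTSIDE_IP, src, vpn_dst),
        "fixed_vpn": forward(NAT_ACL_FIXED, CRYPTO_ACL, OUTSIDE_IP, src, vpn_dst),
        "posted_inet": forward(NAT_ACL_POSTED, CRYPTO_ACL, OUTSIDE_IP, src, inet_dst),
        "fixed_inet": forward(NAT_ACL_FIXED, CRYPTO_ACL, OUTSIDE_IP, src, inet_dst),
    }


if __name__ == "__main__":
    for name, (path, wire_src) in compare().items():
        print(f"{name:12s} -> {path:5s} (source on wire {wire_src})")
```

Running it shows the posted ordering sending the 192.168.100.0/24 traffic out in the clear with the public source address, while the accepted ordering leaves it untranslated so crypto ACL 101 still matches; internet-bound traffic is translated in both cases. The second half of the accepted solution, moving the `ip nat inside source list 100 interface ... overload` statement from Vlan1 to fa4, is the other half of the fix: the interface named there must be the one carrying `ip nat outside`, since its address is what the inside hosts are translated to.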

Thanks, it works.

Martin
