12-27-2011 06:52 PM - edited 03-04-2019 02:45 PM
Hi everybody,
how is everyone doing?
Let's say we have a small branch office, say B1, and we want to connect it to the company's headquarters, HQ.
B1 dynamic ip address----------------vpn tunnel-------------- 199.199.199.1-HQ
Assume B1 is assigned a dynamic IP address a.a.a.a.
Let's say B1 uses a router with a DSL interface. B1 will use a local ISP to connect to the internet.
At B1 we set the destination IP for the VPN tunnel as 199.199.199.1.
The problem is how we can set the destination IP at HQ for the VPN tunnel, because B1 is assigned an IP by an ISP, which could change.
How can we establish a VPN between two nodes when one of them is using a dynamic IP address, as was the case in our example?
Thanks
12-27-2011 09:20 PM
Here is a document that follows that exact same requirement:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
12-28-2011 09:34 PM
The example I provided also includes a NAT configuration.
Packets that are denied from encryption are NAT'd out to the internet (they leave the router unencrypted).
Packets that match the encryption are sent via the VPN tunnel (those are not destined for the internet).
Regards,
Edison
12-28-2011 06:34 PM
Hi Edison
The link you forwarded shows a configuration on "dr_whoovie" router.
For example:
At "dr_whoovie" the traffic that needs to be vpn-tunneled will have to be matched by crypto map rtp under S0.
I have a question about the order the commands are listed in under crypto map rtp, which I have posted for easy reference. (I understand that regardless of the order presented below, the goal to vpn-tunnel the desired packets will be achieved.)
crypto map rtp 1 ipsec-isakmp
 set peer 99.99.99.1
 set transform-set rtpset
 match address 115
---------------------------------------
The first command instructs the router to perform the action instructed by "set peer 99.99.99.1"
( that means all the packets because at this stage interesting packets have not been identified)
The second command instructs router to perform the action instructed by " set transform-set rtpset"
( again that means the above action will be performed on all packets because at this stage interesting packets have not been identified)
The third command instructs router to perform the action instructed by " match address 115"
The above command will identify the interesting packets which will be forwarded out of s0 while all the rest will be denied
Is this order of operation correct?
If it is correct, what will happen to packets that have been denied, will they be dropped? Because in my book an example demonstrates the following:
crypto map sarah 1 ipsec-isakmp
 match address 115
(Interesting packets are identified by the above command.
Then the router performs the actions instructed by the following commands on the interesting packets; all the others at this point are sent unencrypted out of the interface. Here we observed that the uninteresting packets which are denied by the access-list are simply forwarded out of the interface without being vpn-tunneled.)
 set peer 99.99.99.1
 set transform-set rtpset
If you compare this order of commands to the one presented in the case of "dr_whoovie", you see the order of commands is different.
In "dr_whoovie" the interesting traffic is identified at the end because "match address 115" was used at the end; the question is what will happen to the packets which are denied by access-list 15.
Will these packets simply be dropped even though the router has performed all the actions instructed by the "set peer 99.99.99.1, set transform-set rtpset" commands, because those commands preceded the "match address 115" command?
Thanks, and have a nice evening.
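As an added example (not Edison's configuration or the linked Cisco document), here is how the pieces discussed above fit together for the scenario in the original question: B1 addresses HQ by its fixed IP, HQ uses a dynamic crypto map because it cannot name B1's changing address, and on B1 the NAT access-list is the mirror image of the crypto access-list, so whatever the crypto ACL denies is NAT'd out unencrypted. The subnets, ACL numbers, interface names and the transform-set name rtpset are assumed; the set/match sub-commands of a crypto map entry are attributes of that entry, so their order does not change the result.

```cisco
! Added example (not from the thread or the linked document). Branch B1 has a dynamic DSL address,
! HQ is fixed at 199.199.199.1. Assumed: B1 LAN 10.1.1.0/24, HQ LAN 10.2.2.0/24, ACLs 115/116/120.
!
! ===== B1 (branch, dynamic address on Dialer0) =====
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 199.199.199.1
crypto ipsec transform-set rtpset esp-aes 256 esp-sha-hmac
! The sub-commands are attributes of map entry 1, evaluated together per packet,
! so "match address" first or last gives the same result.
crypto map rtp 1 ipsec-isakmp
 set peer 199.199.199.1
 set transform-set rtpset
 match address 115
! Crypto ACL: traffic that goes into the tunnel.
access-list 115 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
! NAT ACL, the mirror image: tunnel traffic keeps its private addresses (NAT is
! applied before encryption on egress); everything else is NAT'd to the internet.
access-list 120 deny   ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list 120 interface Dialer0 overload
interface Dialer0
 ip address negotiated
 ip nat outside
 crypto map rtp
!
! ===== HQ (fixed 199.199.199.1 on Serial0) =====
! HQ cannot "set peer" to an address it does not know, so it uses a dynamic crypto
! map and accepts the negotiation B1 initiates. The wildcard key means any host
! holding it can negotiate, so keep it unique to this branch and keep the HQ crypto
! ACL narrow; with several branches, prefer certificates or per-peer keys.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 0.0.0.0 0.0.0.0
crypto ipsec transform-set rtpset esp-aes 256 esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set rtpset
 match address 116
access-list 116 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map rtp 10 ipsec-isakmp dynamic dynmap
interface Serial0
 ip address 199.199.199.1 255.255.255.0
 crypto map rtp
```

With a dynamic map HQ can only respond, so the tunnel comes up when B1 sends interesting traffic; on B1, `show crypto ipsec sa` then shows the 10.1.1.0/24 to 10.2.2.0/24 pair while internet-bound traffic appears in `show ip nat translations` instead.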
12-29-2011 04:42 PM
Thanks Edison.
I was thinking something else. I got the concept and I really appreciate your help.
Have a nice weekend.