I have seen a good post on google.com about how to send all of the clients' traffic through an IPsec tunnel and then out to the Internet from the Main site. Now I attach this configuration and application for discussion. The problem is that I am still confused about the configuration on the Main site; I hope someone can tell me in more detail how to accomplish it. Any answer will be appreciated, thank you!
Question:
Mine is a very simple configuration. I have 2 sites linked via an IPsec tunnel. Dallas is my Main HQ R1 and Austin R2 is my remote office. I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
Dallas (Main) LAN Net is: 10.10.200.0/24
Austin (Remote) LAN Net is: 10.20.2.0/24
The Dallas (Main) site has a VPN config of:
Local Net: 0.0.0.0/0
Remote Net: 10.20.2.0/24
The Austin (Remote) site has a VPN config of:
Remote Net: 0.0.0.0/0
The tunnel gets established just fine. From the Austin LAN clients, I can ping the router at the main site (10.10.200.1). This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 22.214.171.124.
I'm sure it's something simple I failed to configure. Anyone have any pointers or hints?
Thanks to Jimp from the other thread, I was able to see why it was not working. To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network.
Once I made this change, Voila! Traffic from the remote side started heading out to the Internet. Now all traffic flows thru the Main site. It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
My question:
The answer said "To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network." What does this mean, and how do I do it? Could anybody give me the specific configuration? Thanks a lot.
To give a specific configuration we would have to see your current configurations.
It's impossible to give a specific configuration when we don't know your device, its software level, the existing NAT configuration, etc.
Thank you for Jouni's reply. Following is the configuration on the Cisco 2800 router (no firewall enabled):

```
! ISAKMP (IKEv1) phase 1 policy
crypto isakmp policy 100
 encr aes 256
! Wildcard pre-shared key accepted from any peer address (key value elided in the post)
crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
! Phase 2 transform set (3DES / MD5-HMAC)
crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
! Dynamic crypto map; interesting traffic is defined by access-list 102
crypto dynamic-map IPsecdyn 100
 set transform-set IPsectrans
 match address 102
crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
!
! Interface stanzas (the 'interface ...' header lines are not included in the paste)
! Interface carrying the 10.10.200.0/24 address
 ip address 10.10.200.1 255.255.255.0
! WAN interface: NAT outside, crypto map applied here
 ip address 126.96.36.199 255.255.255.128
 ip nat outside
 crypto map IPsecmap
! Inside (NAT inside) interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 188.8.131.52
ip http server
no ip http secure-server
! PAT: sources permitted by access-list 100 are translated to the FastEthernet0/0 address
ip nat inside source list 100 interface FastEthernet0/0 overload
! NAT source list: only 192.168.1.0/24 is listed; the remote 10.20.2.0/24 is not
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
! Crypto ACL: anything destined to the Austin LAN 10.20.2.0/24 goes through the tunnel
access-list 102 permit ip any 10.20.2.0 0.0.0.255
```
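An added example, not from this thread or from the post it quotes: a small Python audit that reads the `ip nat inside source list` reference and the numbered ACLs from an IOS excerpt like the one above and checks whether the NAT source list would match the remote LAN, which is what the quoted "copy the default rule and change the Source network" fix amounts to. The function names and the constructed config excerpt are assumptions of mine; ACE parsing is limited to `ip` entries with `any`, `host` and wildcard-mask operands.

```python
import ipaddress
import re

# Constructed excerpt modelled on the IOS config posted above; not a complete router config.
IOS_EXCERPT = """\
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any 10.20.2.0 0.0.0.255
"""

def _take_net(tokens):
    """Consume one ACE operand ('any', 'host A', or 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network((tokens[0], str(netmask)), strict=False), tokens[2:]

def parse_ip_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for numbered 'ip' ACEs."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[3] == "ip":
            src, rest = _take_net(t[4:])
            dst, _ = _take_net(rest)
            acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def nat_source_list(config):
    """ACL number referenced by 'ip nat inside source list <n> ...', or None."""
    m = re.search(r"^ip nat inside source list (\S+)\b", config, re.MULTILINE)
    return m.group(1) if m else None

def nat_covers(config, lan):
    """True if the first NAT-list ACE whose source contains `lan` is a permit."""
    net = ipaddress.ip_network(lan)
    for action, src, _dst in parse_ip_acls(config).get(nat_source_list(config), []):
        if net.subnet_of(src):          # ACEs are evaluated top-down, first match wins
            return action == "permit"
    return False                        # implicit deny at the end of every IOS ACL

def add_remote_lan_to_nat(config, lan):
    """Append an ACE so the remote LAN is also translated (the 'copy the rule' fix above)."""
    net = ipaddress.ip_network(lan)
    return config + f"access-list {nat_source_list(config)} permit ip {net.network_address} {net.hostmask} any\n"
```

Passing this check is necessary but not sufficient on IOS: `ip nat inside source` only translates packets that entered through an `ip nat inside` interface, and traffic decrypted from the tunnel arrives on the outside interface, so the hairpin also needs an interface-level design choice.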
I think the text you refer to might be about Cisco ASA NAT configurations and not Cisco IOS routers.
You could take a look at this post on a different site, which seems to lab the setup you are trying to implement.
JouniForss, thank you, you gave me the best answer. I have searched on the website and tested on my router time and again but still failed; now I know that only an ASA can reach this goal. Thank you for giving me the post link for reference.
Seems to me that the link I gave could be applied to your situation, since it uses IOS routers.
Personally I have tested this only with ASAs, so that is why I only provided a link as a guide.
If you have indeed found the information helpful, you can always rate the answer.
For me to be able to give you a configuration, I would have to lab this first at some point.
Thank you very much. I think the first thing I need to do is get the thread clear and then try and test it on the router. Good idea for me, thanks for your mention.