05-10-2013 04:31 PM - edited 02-21-2020 06:53 PM
Hi, all,
I have seen a good post via google.com about how to make all of a client site's traffic go through the IPsec tunnel and then out to the Internet from the main site. I am attaching this configuration and the use case for discussion. The problem is that I am still confused by the configuration on the main site; I hope someone can tell me more detail and how to accomplish it. Any answer will be appreciated, thank you!
Quote:
Question:
Mine is a very simple configuration. I have 2 sites linked via an IPsec tunnel. Dallas (R1) is my main HQ and Austin (R2) is my remote office. I want all traffic from Austin to route through the tunnel up to Dallas, then out to the Internet.
Dallas (Main) Lan Net is: 10.10.200.0/24
Austin (Remote) LAN Net is: 10.20.2.0/24
The Dallas (Main) site has a VPN config of:
Local Net: 0.0.0.0/0
Remote Net: 10.20.2.0/24
The Austin (Remote) site has a VPN config of:
Local Net: 10.20.2.0/24
Remote Net: 0.0.0.0/0
The tunnel gets established just fine. From the Austin LAN clients, I can ping the router at the main site (10.10.200.1). This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
I'm sure it's something simple I failed to configure. Does anyone have any pointers or hints?
Answer:
Thanks to Jimp from the other thread, I was able to see why it was not working. To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network.
Once I made this change, Voila! Traffic from the remote side started heading out to the Internet. Now all traffic flows thru the Main site. It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
My question:
The answer said "To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network." What does this mean, and how do I do it? Could anybody give me the specific configuration? Thanks a lot.
05-10-2013 04:46 PM
To give a specific configuration, we would have to see your current configuration.
It's impossible to give a specific configuration when we don't know your device, its software level, the existing NAT configuration, etc.
- Jouni
05-10-2013 06:24 PM
Thank you for your reply, Jouni. The following is the configuration on the Cisco 2800 router, with no firewall enabled:
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 2
crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
!
crypto dynamic-map IPsecdyn 100
set transform-set IPsectrans
match address 102
!
!
crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
!
!
!
interface Loopback1
ip address 10.10.200.1 255.255.255.0
!
interface FastEthernet0/0
ip address 113.113.1.1 255.255.255.128
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map IPsecmap
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 113.113.1.2
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any 10.20.2.0 0.0.0.255
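The quoted answer's fix ("a new Outbound NAT rule that included the subnet from the Austin network") amounts to two checks on the hub's NAT policy: the NAT ACL must not translate LAN-to-spoke traffic before the crypto map sees it (on IOS, inside-to-outside NAT runs before encryption), and it must have a permit entry for the spoke subnet so hairpinned traffic leaves with the WAN address. The script below is an added example, not code from the original posts or from Cisco: it parses the relevant lines of an IOS config and reports those two problems plus a missing any-to-spoke crypto ACL entry. SAMPLE_CONFIG is a constructed excerpt of the 2800 config posted above; the spoke LAN 10.20.2.0/24 and the 8.8.8.8 test target are taken from the quoted question.

```python
"""Static check of a hub router's NAT and crypto ACLs for the hub-and-spoke
"all spoke Internet traffic via the tunnel" case.  Added example, not from the
original posts or from Cisco.  SAMPLE_CONFIG is a constructed excerpt of the
posted 2800 config; the spoke LAN 10.20.2.0/24 comes from the quoted question."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

SAMPLE_CONFIG = """
crypto dynamic-map IPsecdyn 100
 match address 102
crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
interface FastEthernet0/0
 ip address 113.113.1.1 255.255.255.128
 ip nat outside
 crypto map IPsecmap
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any 10.20.2.0 0.0.0.255
"""

# Corrected NAT ACL: LAN->spoke is exempted (inside->outside NAT runs before the
# crypto map on IOS) and the spoke LAN is added as a translatable source.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 100 deny ip 192.168.1.0 0.0.0.255 10.20.2.0 0.0.0.255\n"
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 any\n"
    "access-list 100 permit ip 10.20.2.0 0.0.0.255 any",
)


def _target(tokens):
    """Consume one ACE address ('any', 'host A' or 'A WILDCARD'); return (net, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts an IOS wildcard (host mask) in place of a prefix length
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_config(text):
    """Extract extended ACLs, NAT ACL numbers, crypto ACL numbers and inside LANs."""
    acls, nat_lists, crypto_lists, inside_nets = {}, [], [], []
    cur_net = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        line = " ".join(t)
        if t[0] == "access-list" and len(t) > 3 and t[3] == "ip":
            src, rest = _target(t[4:])
            dst, _ = _target(rest)
            acls.setdefault(t[1], []).append((t[2], src, dst))
        elif line.startswith("ip nat inside source list"):
            nat_lists.append(t[5])
        elif line.startswith("match address"):
            crypto_lists.append(t[2])
        elif t[0] == "interface":
            cur_net = None
        elif t[:2] == ["ip", "address"]:
            cur_net = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
        elif line == "ip nat inside" and cur_net is not None:
            inside_nets.append(cur_net)
    return acls, nat_lists, crypto_lists, inside_nets


def _first_match(entries, src_ip, dst_ip):
    """Action of the first ACE matching src_ip -> dst_ip, or None (implicit deny)."""
    for action, s, d in entries:
        if src_ip in s and dst_ip in d:
            return action
    return None


def check_hub_policy(text, spoke):
    """Return findings as tuples; an empty list means the ACL policy looks right."""
    spoke = ipaddress.ip_network(spoke)
    acls, nat_lists, crypto_lists, inside_nets = parse_config(text)
    spoke_host, internet_host = spoke[1], ipaddress.ip_address("8.8.8.8")
    findings = []
    for num in crypto_lists:  # hub must protect traffic from anywhere to the spoke
        if not any(a == "permit" and s == ANY and spoke.subnet_of(d)
                   for a, s, d in acls.get(num, [])):
            findings.append(("CRYPTO_ACL_MISSING_ANY_TO_SPOKE", num))
    for num in nat_lists:
        entries = acls.get(num, [])
        for lan in inside_nets:  # LAN->spoke must not be translated before encryption
            if _first_match(entries, lan[1], spoke_host) == "permit":
                findings.append(("NAT_NO_VPN_EXEMPT", num, str(lan)))
        if _first_match(entries, spoke_host, internet_host) != "permit":
            findings.append(("NAT_SPOKE_NOT_COVERED", num))  # the quoted answer's fix
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_hub_policy(cfg, "10.20.2.0/24") or "no findings")
```

Run against the posted config it reports NAT_NO_VPN_EXEMPT and NAT_SPOKE_NOT_COVERED for ACL 100 and nothing for the crypto ACL; against FIXED_CONFIG it reports nothing. The check covers ACL policy only: on IOS, a packet decrypted on the `ip nat outside` interface and routed straight back out of it never traverses inside-to-outside, so an `ip nat inside source` rule will not translate it even once the ACL covers 10.20.2.0/24. That hairpin problem is what the article linked in the next reply is about, and it needs a separate mechanism beyond the ACL changes shown here.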
05-10-2013 06:26 PM
Hi,
I think the text you refer to might be about Cisco ASA NAT configurations and not Cisco IOS routers.
You could take a look at this post on a different site, which seems to lab the setup you are trying to implement:
http://www.packetu.com/2012/06/26/nat-vpns-and-hairpinning-internet-traffic-in-ios/
- Jouni
05-10-2013 06:51 PM
JouniForss, thank you, you gave me the best answer. I have searched on the website and tested on my router time and again but still failed; now I know that only an ASA can reach this goal. Thank you for giving me the post link for reference.
BR,
zi
05-10-2013 07:02 PM
Hi,
It seems to me that the link I gave could be applied to your situation, since it uses IOS routers.
Personally I have tested this only with ASAs, so that is why I only provided a link to guide you.
If you have indeed found the information helpful, you can always rate the answer.
For me to be able to give you a configuration, I would have to lab this first at some point.
- Jouni
05-10-2013 07:39 PM
Thank you very much. I think the first thing I need to do is get the thread clear and then try and test on the router. The idea you mention is a good one for me.
BR,
zi