VPN source and termination on one interface

Euan McGregor
Level 4

Hi there. I have done quite a lot of searching on this, and I don't think it will actually work, but I would rather ask the question than spend the next 3 days trying to make it work.

I have a Cisco 1841 router that I am trying to connect using a site-to-site VPN. My question is: can the source traffic and the VPN be terminated on the same router interface, e.g. fa0/0?

Thanks

4 Replies

Dear Euan,

Yes, this is possible, though only for certain traffic.

For instance, when you need the router to be able to ping a remote network through the tunnel, you could include the router's outside IP in the encryption domain, and that will do it.

Please let me know if this helps.

Thanks,

Hi Javier,

Thanks for your reply. VPNs are not my strong point so I am learning as I go here!

Correct me if I am wrong here: as I understand it, the router needs to see traffic from a network going to a specified network in order for that traffic to be encrypted and sent via the tunnel.

Therefore, do I need to tell the router that the interface for the VPN is e.g. fa0/0 and that the source for the traffic is the same interface? I do not quite understand how I can tell the router the external IP address to use for encryption.

Thanks

Dear Euan,

ip access-list extended outside_map_1
 permit ip host 1.1.1.1 192.168.10.0 0.0.0.255   ! includes the outside interface IP in the encryption domain
!
crypto map outside_map 10 ipsec-isakmp
 match address outside_map_1
!
interface f0/0
 ip address 1.1.1.1 255.255.255.252
 crypto map outside_map                          ! defines this interface as the encryption point
!

Please let me know if this makes any sense to you.

Thanks.
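To make the "interesting traffic" idea from the exchange above concrete, here is an added example (not part of the thread and not IOS code) that models what the crypto map does: a packet is encrypted only if it leaves through an interface that carries a crypto map and its source/destination match a permit line in that map's ACL, using Cisco wildcard-mask semantics with an implicit deny at the end. The outside address 1.1.1.1 and remote LAN 192.168.10.0/24 come from the reply above; the local LAN 192.168.2.0/24 on f0/1, the routes and the sample packets are constructed assumptions for the demonstration.

```python
"""Model of how a Cisco IOS crypto map picks the traffic it encrypts.

Added example for this thread, not IOS code. A packet is encrypted only when
(1) it leaves through an interface that has a crypto map applied and
(2) its source/destination match a permit entry in that crypto map's ACL
(implicit deny at the end). Wildcard masks follow Cisco semantics: a 1 bit in
the mask means "don't care".
"""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Operand:
    """One address operand of an ACE: base address plus wildcard mask."""
    network: int
    wildcard: int

    def matches(self, addr: str) -> bool:
        care = ~self.wildcard & ALL_ONES  # bits that must be equal
        return (int(ipaddress.IPv4Address(addr)) & care) == (self.network & care)


@dataclass(frozen=True)
class Ace:
    action: str
    src: Operand
    dst: Operand


def _parse_operand(tokens):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (Operand, tokens used)."""
    if tokens[0] == "any":
        return Operand(0, ALL_ONES), 1
    if tokens[0] == "host":
        return Operand(int(ipaddress.IPv4Address(tokens[1])), 0), 2
    return Operand(int(ipaddress.IPv4Address(tokens[0])),
                   int(ipaddress.IPv4Address(tokens[1]))), 2


def parse_ace(line: str) -> Ace:
    """Parse one extended ACE 'permit|deny ip <src> <dst>' (only protocol 'ip' is modelled)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, used = _parse_operand(tokens[2:])
    dst, _ = _parse_operand(tokens[2 + used:])
    return Ace(action, src, dst)


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching ACE wins; no match means implicit deny."""
    for ace in acl:
        if ace.src.matches(src) and ace.dst.matches(dst):
            return ace.action == "permit"
    return False


def egress_interface(routes, dst: str):
    """Longest-prefix match over (prefix, interface) pairs; None if there is no route."""
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if ipaddress.IPv4Address(dst) in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def disposition(src: str, dst: str, routes, crypto_maps) -> str:
    """'encrypt' if the egress interface carries a crypto map whose ACL permits
    src->dst, 'clear' if forwarded unencrypted, 'drop' if unroutable."""
    iface = egress_interface(routes, dst)
    if iface is None:
        return "drop"
    acl = crypto_maps.get(iface)
    return "encrypt" if acl and acl_permits(acl, src, dst) else "clear"


# Constructed topology (assumptions; only 1.1.1.1 and 192.168.10.0/24 come from
# the thread): local LAN 192.168.2.0/24 on f0/1, default route out of f0/0.
ROUTES = [("0.0.0.0/0", "f0/0"), ("192.168.2.0/24", "f0/1")]
CRYPTO_ACL = [
    parse_ace("permit ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255"),  # LAN-to-LAN
    parse_ace("permit ip host 1.1.1.1 192.168.10.0 0.0.0.255"),           # router's own outside IP
]
CRYPTO_MAPS = {"f0/0": CRYPTO_ACL}  # 'crypto map outside_map' applied on f0/0


def demo():
    """Classify a few constructed packets; returns {(src, dst): disposition}."""
    packets = [
        ("192.168.2.10", "192.168.10.5"),  # LAN host to remote LAN
        ("1.1.1.1", "192.168.10.5"),       # router-sourced ping through the tunnel
        ("192.168.2.10", "203.0.113.7"),   # LAN host to the Internet
        ("192.168.2.10", "192.168.2.20"),  # stays on the LAN, leaves via f0/1 (no crypto map)
    ]
    return {p: disposition(p[0], p[1], ROUTES, CRYPTO_MAPS) for p in packets}


if __name__ == "__main__":
    for (src, dst), verdict in demo().items():
        print(f"{src:>14} -> {dst:<14} {verdict}")
```

Running the block shows the two things the reply explains: LAN-to-LAN traffic and the router's own 1.1.1.1-sourced traffic both get encrypted because each has a permit line, while Internet-bound and LAN-local packets go in the clear. Drop the `host 1.1.1.1` line from `CRYPTO_ACL` and the router-sourced ping falls through to the implicit deny and is sent unencrypted. The model only covers the encryption decision on the egress interface; whether the resulting IKE (UDP 500) and ESP packets reach the peer when another router sits in front of f0/0 is a separate NAT-traversal question it does not address.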

Hi Javier,

Yes that makes perfect sense to me. Thank you.

My misunderstanding is that fa0/0 is not a public-facing interface; it is sitting on the LAN behind another router. I have attached a network diagram.

Any client on the 192.168.2.x range that wishes to communicate with the 192.168.1.x range will forward the packets to the 1841 (its default gateway). My understanding is that the router will then see those packets destined for that network, encrypt them, and forward them to an Internet-routable address via its default gateway to the Internet, to the other VPN peer.

I apologise for my lack of understanding and appreciate your patience and help.

Any advice is appreciated.

Regards,

Euan