05-10-2013 04:31 PM - edited 02-21-2020 06:53 PM
Hi, all,
I have seen a good post on google.com about how to make all of the clients' traffic go through the IPsec tunnel and then out to the Internet from the main site. I attach this configuration and application for discussion. The problem is that I am still confused by the configuration on the main site; I hope someone can tell me more detail and how to accomplish it. Any answer will be appreciated, thank you!
Quote:
Question:
Mine is a very simple configuration. I have 2 sites linked via an IPsec tunnel. Dallas is my Main HQ R1 and Austin R2 is my remote office. I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
Dallas (Main) Lan Net is: 10.10.200.0/24
Austin (Remote) LAN Net is: 10.20.2.0/24
The Dallas (Main) site has a VPN config of:
Local Net: 0.0.0.0/0
Remote Net: 10.20.2.0/24
The Austin (Remote) site has a VPN config of:
Local Net: 10.20.2.0/24
Remote Net: 0.0.0.0/0
The tunnel gets established just fine. From the Austin LAN clients, I can ping the router at the main site (10.10.200.1). This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
I'm sure it's something simple I failed to configure. Anyone have any pointers or hints?
Answer:
Thanks to Jimp from the other thread, I was able to see why it was not working. To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network.
Once I made this change, Voila! Traffic from the remote side started heading out to the Internet. Now all traffic flows thru the Main site. It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
My question:
The answer said "To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network." What does this mean and how do I do it? Could anybody give me the specific configuration? Thanks a lot.
05-10-2013 04:46 PM
To give a specific configuration we would have to see your current configurations.
It's impossible to give a specific configuration when we don't know your device, its software level, the existing NAT configurations, etc.
- Jouni
05-10-2013 06:24 PM
Thank you for Jouni's reply. Following is the configuration on the Cisco 2800 router, no firewall enabled:
! IKE phase 1 policy
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 2
! pre-shared key accepted from any peer address (key value redacted in the post)
crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
!
! IPsec phase 2 transform set
crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
!
! dynamic crypto map for the remote peer; ACL 102 selects the traffic to protect
crypto dynamic-map IPsecdyn 100
 set transform-set IPsectrans
 match address 102
!
crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
!
! loopback standing in for the Dallas LAN (10.10.200.0/24)
interface Loopback1
 ip address 10.10.200.1 255.255.255.0
!
! outside (Internet) interface: NAT outside, crypto map applied here
interface FastEthernet0/0
 ip address 113.113.1.1 255.255.255.128
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map IPsecmap
!
! local LAN interface: NAT inside
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 113.113.1.2
!
ip http server
no ip http secure-server
! PAT out of FastEthernet0/0; ACL 100 lists which source traffic is translated
ip nat inside source list 100 interface FastEthernet0/0 overload
!
! ACL 100: NAT source traffic (local LAN only); ACL 102: crypto interesting traffic (any -> Austin LAN)
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any 10.20.2.0 0.0.0.255
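The quoted answer above comes down to one condition: the hub's outbound NAT must list the remote VPN subnet as a source, otherwise traffic arriving through the tunnel is never translated on its way to the Internet. As an added example (not code from this thread or from Cisco), the Python script below audits an IOS config for exactly that gap, using a constructed excerpt of the configuration posted above; the ACL numbers, interface names and subnets are the ones from the post. It only checks the NAT ACL coverage the quoted answer describes; whether the router will hairpin traffic back out the same interface is a separate matter.

```python
import ipaddress
import re

# Constructed excerpt of the hub (Dallas) router config posted above: ACL 102 selects
# VPN traffic to the Austin LAN, ACL 100 selects what gets NATed out FastEthernet0/0.
HUB_CONFIG = """
crypto dynamic-map IPsecdyn 100
 set transform-set IPsectrans
 match address 102
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any 10.20.2.0 0.0.0.255
"""

ACL_RE = re.compile(r"^access-list (\d+) permit ip (any|\S+ \S+) (any|\S+ \S+)\s*$", re.M)

def _net(addr, wildcard=None):
    """Turn an IOS 'address wildcard' pair (or 'any') into an ip_network object."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))  # wildcard -> netmask
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)

def parse_acl_entries(config):
    """Return {acl_number: [(src_net, dst_net), ...]} for the 'permit ip' lines."""
    entries = {}
    for num, src, dst in ACL_RE.findall(config):
        entries.setdefault(num, []).append((_net(*src.split()), _net(*dst.split())))
    return entries

def nat_gaps(config):
    """Remote VPN subnets (crypto-map ACL destinations) not covered by any NAT ACL source.

    A subnet listed here reaches the hub through the tunnel but is never translated
    when it heads for the Internet, which is the symptom described in the thread.
    """
    acls = parse_acl_entries(config)
    m = re.search(r"^ip nat inside source list (\d+)", config, re.M)
    nat_sources = [src for src, _ in acls.get(m.group(1), [])] if m else []
    gaps = []
    for match in re.finditer(r"^ *match address (\d+)", config, re.M):
        for _, remote in acls.get(match.group(1), []):
            if not any(remote.subnet_of(s) for s in nat_sources):
                gaps.append(str(remote))
    return gaps

if __name__ == "__main__":
    print("remote subnets missing from the NAT ACL:", nat_gaps(HUB_CONFIG))
```

Run as-is it reports 10.20.2.0/24 as uncovered; appending a NAT ACL entry with the Austin subnet as its source (the IOS counterpart of the extra outbound NAT rule in the quoted answer) makes the report empty.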
05-10-2013 06:26 PM
Hi,
I think the text you refer to might be about Cisco ASA NAT configurations and not Cisco IOS routers.
You could take a look at this post on a different site, which seems to lab the setup you are trying to implement:
http://www.packetu.com/2012/06/26/nat-vpns-and-hairpinning-internet-traffic-in-ios/
- Jouni
05-10-2013 06:51 PM
JouniForss, thank you, you give me the best answer. I have searched on the website and tested on my router time and again but still failed; now I know that only ASA can reach this goal. Thank you for giving me the post link for reference.
BR,
zi
05-10-2013 07:02 PM
Hi,
Seems to me that the link I gave could be applied to your situation since it uses IOS routers.
Personally I have tested this only with ASAs, so that is why I only provided a link to guide.
If you have indeed found the information helpful you can always rate the answer.
For me to be able to give you a configuration I would have to lab this first at some point.
- Jouni
05-10-2013 07:39 PM
Thank you very much. I think the first thing I need to do is just get the thread clear and then try and test on the router. Good idea for me by your mention.
BR,
zi