Cisco IOS VPN RA to VPN P2P connection

Martin Marino
Level 1

Hi folks!

I have a router that has only one Internet connection. I need to create a VPN P2P connection to another router at another site. I also need to give VPN RA access to mobile people.

The thing is that I need that people connecting from VPN RA to access LAN on the other side of the VPN P2P.

I have attached a network diagram to make it more clear: what I need is to access from 10.1.1.2 to 10.2.2.2 using the VPN RA and VPN P2P connections that the main router (the one on the top) has. Is this possible?

diagram.jpg

Regards,
Martin


Jennifer Halim
Cisco Employee

Yes, it is indeed possible.

I assume that 10.1.1.0/24 is the IP pool subnet that the VPN Client gets assigned, so here is what you would need to configure:

1) If you configure split tunnel for the RA VPN, you would need to include both 192.168.1.0/24 and 10.2.2.0/24 in your split tunnel ACL.

2) Crypto ACL for the P2P VPN would need to include the following to define the interesting traffic from the vpn client pool subnet:

On Cisco IOS (HQ): crypto ACL to also include from source: 10.1.1.0/24 to destination 10.2.2.0/24

On the remote router: crypto ACL to also include from source: 10.2.2.0/24 to destination 10.1.1.0/24

3) If you configure NAT exemption on the remote router, you would also need to add NAT exemption between 10.2.2.0/24 towards 10.1.1.0/24.

Hope this helps.
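The three steps above written out as IOS configuration, added here as an illustration and not taken from the thread or from Cisco documentation. It assumes the HQ LAN is 192.168.1.0/24, the RA client pool is 10.1.1.0/24, the remote LAN is 10.2.2.0/24, the remote peer address 203.0.113.2 is a placeholder, and that the ISAKMP policy, transform set TS and the Easy VPN AAA/authorization lines are already in place.

```cisco
! ===== HQ router (IOS) =====
! Assumptions (not from the thread): HQ LAN 192.168.1.0/24, RA client pool
! 10.1.1.0/24, remote LAN 10.2.2.0/24, remote peer 203.0.113.2 (placeholder),
! transform set TS, ISAKMP policy and Easy VPN AAA lines already configured.
!
! Step 1: split-tunnel ACL lists BOTH the HQ LAN and the remote LAN; without the
! second line, client traffic for 10.2.2.0/24 never enters the RA tunnel.
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 10.2.2.0 0.0.0.255 any
ip local pool RA-POOL 10.1.1.1 10.1.1.254
crypto isakmp client configuration group RA-GROUP
 key <PRE-SHARED-KEY-PLACEHOLDER>
 pool RA-POOL
 acl SPLIT-TUNNEL
!
! Step 2 (HQ side): the P2P crypto ACL must also match the client pool as
! source, so decrypted client traffic bound for the remote LAN is re-encrypted.
ip access-list extended P2P-CRYPTO
 permit ip 192.168.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto dynamic-map RA-DYN 10
 set transform-set TS
 reverse-route
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address P2P-CRYPTO
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN
interface GigabitEthernet0/0
 crypto map OUTSIDE-MAP
!
! ===== Remote router (IOS) =====
! Step 2 (remote side): mirror image of the HQ crypto ACL.
ip access-list extended P2P-CRYPTO
 permit ip 10.2.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Step 3: NAT exemption. IOS translates inside->outside before the crypto map
! is evaluated, so without the second deny, replies to 10.1.1.0/24 are PATed
! to the public address and no longer match P2P-CRYPTO.
ip access-list extended NAT-TRAFFIC
 deny   ip 10.2.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.2.2.0 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface GigabitEthernet0/0 overload
```

If the HQ router also does NAT on its outside interface, it needs the equivalent deny lines for 192.168.1.0/24 and 10.1.1.0/24 towards 10.2.2.0/24; `show crypto ipsec sa` on each side should then show the pool-to-remote-LAN SA with non-zero encaps/decaps counters once a client pings 10.2.2.2.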
