Internet-access and VPN on remote site ?

Fraser Reid
Level 1

Hi All!

I have a remote site that would like to use their own internet connection to access the internet. Just at this moment I am using their gateway router to send all their data over an IPSec tunnel to us (Cisco 831); it connects to a 2600 in HQ. Is it possible to have a split on the remote site so that surfers' IP packets are sent directly to the internet and private IPs all to the IPSec VPN?

Do I need to get more/different HW or just a config change?

I have checked Cisco.com but just found GRE tunnels where both the tunnel AND outside interface have the crypto map...

5 Replies

spremkumar
Level 9

Hi

Using a default route you can route the traffic to the interface or next-hop IP mentioned in the route statement, but I feel we need more inputs on your current routing setup.

And also the interesting traffic which you mention up using the ACL which is required to be set under the IPSec policy.

Do post your config with public IPs/passwords masked so that we can key in with our suggestions to take care of the routing part.

regds

Here is the current config... really simple.

So with the crypto map applied to the WAN interface, how do I get traffic routed locally to the Internet?

Thanks for your help!

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 27000
crypto isakmp key xxx address 194.x.x.142
crypto isakmp keepalive 30
!
crypto ipsec security-association lifetime seconds 27000
!
crypto ipsec transform-set security esp-3des esp-sha-hmac
!
crypto map secure 10 ipsec-isakmp
 set peer 194.25.28.142
 set transform-set security
 match address 110
!
call rsvp-sync
!
interface Ethernet0/0
 description WAN-INTERNET
 ip address 213.x.x.x.x.255.252
 full-duplex
 crypto map secure
!
interface Ethernet0/1
 description LAN
 ip address 172.16.222.45 255.255.255.252
 no keepalive
 half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 213.99.99.1
ip route 213.x.x.x.255.255.255 Ethernet0/0

Hi

Can you revert the mode of connectivity to the outside world?

Also, can you confirm whether you are using any device behind this router, because your local LAN network is configured for only 2 configurable/usable IPs which belong to a /30 mask.

With this kinda setup you need to enable natting, which will do the trick for you.

Just incorporate the below commands into your config:

interface Ethernet0/0
 ip nat outside
!
interface Ethernet0/1
 ip nat inside
!
ip nat inside source list 1 interface ethernet 0/0 overload
!
access-list 1 permit 172.16.222.44 0.0.0.3

regds

Hi!

So, there are only PCs behind the LAN connection... no more routers.

All I need to do is use NAT and the ACL, then this would allow IPSec to HQ and internet access, or do I misunderstand what you are saying?

Hi

This will be the altered access-list:

access-list 175 deny ip 172.16.222.44 0.0.0.3 x.x.x.x y.y.y.y
access-list 175 permit ip 172.16.222.44 0.0.0.3 any

where x.x.x.x y.y.y.y is your remote VPN location's local network block.

Do a

clear ip nat translation *

and give

no ip nat inside source list 1 interface ethernet 0/0 overload

then add the below config command:

ip nat inside source list 175 interface ethernet 0/0 overload

Do apply this and check.

regds
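
What the deny line in access-list 175 changes compared with access-list 1, as an added example that is not part of the original thread: a small Python model of IOS ACL matching (wildcard masks, first match wins, implicit deny) that reports which flows the NAT overload rule would translate. The HQ block 10.1.0.0 0.0.255.255 and the sample host addresses are constructed stand-ins for the thread's masked x.x.x.x y.y.y.y.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)  # base 0 with every bit "don't care"

def _take(words):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if words[0] == "any":
        return ANY, words[1:]
    if words[0] == "host":
        return (int(ipaddress.IPv4Address(words[1])), 0), words[2:]
    base, wild = (int(ipaddress.IPv4Address(w)) for w in words[:2])
    return (base, wild), words[2:]

def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' line into (action, src, dst)."""
    tok = line.split()
    if tok[3] == "ip":                # extended entry: source and destination
        src, rest = _take(tok[4:])
        dst, _ = _take(rest)
    else:                             # standard entry: source only
        src, _ = _take(tok[3:])
        dst = ANY
    return tok[2], src, dst

def matches(addr, spec):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF         # wildcard 1-bits are ignored
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def is_natted(acl, src, dst):
    """First match wins; no match hits the implicit deny, so no NAT."""
    for action, s, d in acl:
        if matches(src, s) and matches(dst, d):
            return action == "permit"
    return False

# 10.1.0.0 0.0.255.255 is a constructed stand-in for the masked "x.x.x.x y.y.y.y".
NAT_ACL_175 = [parse_ace(l) for l in (
    "access-list 175 deny ip 172.16.222.44 0.0.0.3 10.1.0.0 0.0.255.255",
    "access-list 175 permit ip 172.16.222.44 0.0.0.3 any",
)]
NAT_ACL_1 = [parse_ace("access-list 1 permit 172.16.222.44 0.0.0.3")]

if __name__ == "__main__":
    pc = "172.16.222.46"              # constructed LAN host
    for dst in ("10.1.5.20", "198.51.100.7"):   # constructed HQ / internet hosts
        for name, acl in (("ACL 1", NAT_ACL_1), ("ACL 175", NAT_ACL_175)):
            print(f"{name}: {pc} -> {dst} translated={is_natted(acl, pc, dst)}")
```

With access-list 1 the HQ-bound flow is translated to the WAN address before the crypto map is consulted, because IOS applies inside-to-outside NAT ahead of the crypto check; the deny line in access-list 175 leaves that flow untranslated.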