04-04-2011 03:25 PM
I have two Cisco 871s set up to VPN in to an ASA 5510. Everything has worked even when the 871 is behind a NAT.
We use these routers to send to employees home for temporary use.
The WAN ports on the 871 are configured to pick up an IP via DHCP.
Office ASA 5510 - Public IP address
WAN - Public IP
Internal - 192.168.1.0/24
|
|
Internet
|
|
Home Router
WAN - Public IP
Internal - 192.168.1.0/24
|
|
Cisco 871 picks up 192.168.1.x on WAN port from user's home router
Internal vlan1 192.168.10.x/24
The problem is - this user's home router is using the same subnet as the internal network at the office. Is there any way to force traffic bound for 192.168.1.x to go over the VPN tunnel? It does this correctly if the 871's WAN port is not also on the same subnet. The VPN tunnel does come up, and I can ping to and from the router; it's just the clients behind the 871 that cannot ping or access the corp network.
Hopefully this made sense.... I hope someone can help me out.
Thanks
-Troy
04-05-2011 03:54 AM
Troy - it's just blind bad luck that you have chosen to use the most popular IP subnet from the private address range. Sadly, so do all the home router providers...
From the router's point of view you could try PBR for the local subnet going to the 192.168.10.0/24 and give it a next-hop IP of the remote end of the VPN tunnel. However, this will only work if the clients on the home network have the router as the default gateway.
However, I believe the 871 has a 4-port switch in it? So just have the user connect their machine directly into it?
If I understand your issue correctly.
HTH
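The PBR approach Andrew describes, written out as an added IOS configuration example (this is not configuration from either poster; it is illustrative only). It assumes the 871's LAN is interface Vlan1 carrying 192.168.10.0/24, its WAN is FastEthernet4 with the crypto map applied, and the ASA's public address is 203.0.113.10 (a placeholder from the documentation range, standing in for the "remote end of the VPN tunnel"). The ACL name, route-map name and next-hop address are all made up for the example.

```cisco
! Added example, not from the thread. Assumed names: Vlan1 (LAN, 192.168.10.0/24),
! FastEthernet4 (WAN, DHCP from the home router, crypto map applied),
! 203.0.113.10 = placeholder public IP of the ASA 5510 (the IPsec peer).
!
! Select only the traffic that should be forced toward the tunnel: home office LAN
! clients talking to the corporate 192.168.1.0/24. Nothing else is policy routed.
ip access-list extended PBR-TO-CORP
 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! For matched packets, ignore the connected route for 192.168.1.0/24 that the WAN
! DHCP lease created and instead resolve the next hop toward the IPsec peer. The
! peer is not on a directly connected subnet, so the "recursive" form is used; it
! needs IOS support for recursive PBR next hops (12.3(14)T and later). The packet
! then leaves FastEthernet4, where the crypto map matches and encrypts it.
route-map VPN-OVERRIDE permit 10
 match ip address PBR-TO-CORP
 set ip next-hop recursive 203.0.113.10
!
! Apply the policy on the interface the client packets arrive on. "ip policy" only
! acts on transit traffic received here; the router's own packets (including its
! default route toward the home gateway 192.168.1.1) are unaffected.
interface Vlan1
 ip policy route-map VPN-OVERRIDE
```

To check it is working, "show route-map VPN-OVERRIDE" shows a policy match counter that should climb as a client behind the 871 pings 192.168.1.x, and the encaps counter in "show crypto ipsec sa" for the 192.168.10.0/24 to 192.168.1.0/24 SA should increase with it; "debug ip policy" shows each policy decision if the counters stay at zero. One consequence to be aware of: with this in place the clients on 192.168.10.0/24 can no longer reach anything on the home router's own 192.168.1.x LAN, which is the intended trade-off here, since the corporate network is what those addresses must mean.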
04-05-2011 07:22 AM
Thanks for the reply Andrew.
Yes, the 871 does have a 4-port switch - and that is where we are plugging in. We have an IP phone and a laptop plugged into the switch on the 871. Those devices pick up an IP from the 871 in the 192.168.10.0/24 range. But it still isn't working.
I'll look into PBR. Right now there is an ACL that allows traffic to the 192.168.1.0/24 over the VPN. But the 871 is picking up the default gateway route from the home router that is 192.168.1.1 and sending traffic out that way instead of over the VPN.
-Troy