Site to Site VPN with Shared internet access

Lkwoods82
Level 1

Hi everyone,

I'm trying to set up a site-to-site VPN tunnel over an RF connection. Site A needs to be able to use Site B's internet connection out.

Site A 201.2.0.0 ----- Router A 172.18.12.1 ----- VPN tunnel ----- Router B 172.18.12.2 ----- Site B 172.17.90.0 ----- Internet connection out

Here's my VPN config, but it seems to me that Site A wouldn't be able to access the internet due to the ACL. Is that correct? How would I get clients on Site A access to the internet through Site B? Any other comments on the config are welcome. Thanks!

******///// Router A (tunnel endpoint 172.18.12.1)

/////Create IKE policy
config t
crypto isakmp policy 9
 hash md5
 authentication pre-share
exit

/////Define shared key and specify the other side of the VPN tunnel (Router B, 172.18.12.2 per the diagram; the original post had Router A's own address here)
crypto isakmp key ***** address 172.18.12.2

/////Define lifetime for security association (1 day)
crypto ipsec security-association lifetime seconds 86400

/////Crypto ACL: traffic from Site A to destination Site B is sent into the tunnel
access-list 150 permit ip 201.2.0.0 0.0.255.255 172.17.90.0 0.0.0.255

/////IPsec transform set
crypto ipsec transform-set vpnsetname esp-3des esp-md5-hmac

/////Crypto map binding peer, transform set and crypto ACL
crypto map vpnmap 10 ipsec-isakmp
 set peer 172.18.12.2
 set transform-set vpnsetname
 match address 150

/////Apply the crypto map to the interface facing Router B
int gi0/0
 crypto map vpnmap

******///// Router B (tunnel endpoint 172.18.12.2)

/////Create IKE policy
config t
crypto isakmp policy 9
 hash md5
 authentication pre-share
exit

/////Define shared key and specify the other side of the VPN tunnel (Router A, 172.18.12.1 per the diagram; the original post had Router B's own address here)
crypto isakmp key ***** address 172.18.12.1

/////Define lifetime for security association (1 day)
crypto ipsec security-association lifetime seconds 86400

/////Crypto ACL: traffic from Site B to Site A is sent into the tunnel (mirror image of Router A's ACL)
access-list 150 permit ip 172.17.90.0 0.0.0.255 201.2.0.0 0.0.255.255

/////IPsec transform set
crypto ipsec transform-set vpnsetname esp-3des esp-md5-hmac

/////Crypto map binding peer, transform set and crypto ACL
crypto map vpnmap 10 ipsec-isakmp
 set peer 172.18.12.1
 set transform-set vpnsetname
 match address 150

/////Apply the crypto map to the interface facing Router A
int gi0/0
 crypto map vpnmap

3 Replies

Loren Kolnes
Cisco Employee

Hi,

The crypto access-lists would need to include internet traffic using the "any" keyword.

Router A

access-list 150 permit ip 201.2.0.0 0.0.255.255 any

Router B

access-list 150 permit ip any 201.2.0.0 0.0.255.255

Router B, if NATting, will need to NAT Router A's traffic out to the internet.

Hope this helps.

Regards,

Loren

Thanks for the reply.

If I put "access-list 150 permit ip any any" on both Router A and Router B, would that work? I want access to the internet and certain local apps.

Hi,

A "permit ip any any" will not be a good idea, because in that case Router B will try to send all traffic through the VPN tunnel. You should do it the way Loren has suggested.

Regards,

Prapanch
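As an added illustration of the two replies above (not code from the thread or from Cisco), here is a small Python model of how a crypto ACL selects "interesting" traffic for the tunnel, using IOS wildcard-mask (inverse mask) semantics and first-match evaluation. It compares the original ACL, Loren's ACLs, and "permit ip any any" on Router B; the host and web server addresses are constructed for the example.

```python
import ipaddress

# Constructed example: model a Cisco crypto ACL. An ACL is a list of
# (action, source_spec, destination_spec); specs are "any", "host X", or
# "network wildcard" where set bits in the wildcard mean "don't care".

def _matches(addr: str, spec: str) -> bool:
    """Match an IPv4 address against an IOS-style ACL address spec."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wildcard = parts
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def is_tunneled(acl, src: str, dst: str) -> bool:
    """First matching entry decides; unmatched traffic is routed in the clear."""
    for action, s, d in acl:
        if _matches(src, s) and _matches(dst, d):
            return action == "permit"
    return False

SITE_A = "201.2.0.0 0.0.255.255"
SITE_B = "172.17.90.0 0.0.0.255"

ORIGINAL_A = [("permit", SITE_A, SITE_B)]   # original post, Router A
LOREN_A = [("permit", SITE_A, "any")]       # Loren's Router A ACL
LOREN_B = [("permit", "any", SITE_A)]       # Loren's Router B ACL
ANY_ANY_B = [("permit", "any", "any")]      # the follow-up question

def internet_egress_paths() -> dict:
    """Which flows each design would push into the IPsec tunnel."""
    a_host, b_host, web = "201.2.10.5", "172.17.90.20", "198.51.100.80"
    return {
        "original_A_to_internet": is_tunneled(ORIGINAL_A, a_host, web),
        "loren_A_to_internet": is_tunneled(LOREN_A, a_host, web),
        "loren_B_reply_to_A": is_tunneled(LOREN_B, web, a_host),
        "loren_B_own_internet": is_tunneled(LOREN_B, b_host, web),
        "anyany_B_own_internet": is_tunneled(ANY_ANY_B, b_host, web),
    }

if __name__ == "__main__":
    for name, tunneled in internet_egress_paths().items():
        print(f"{name}: {'tunnel' if tunneled else 'clear'}")
```

With Loren's ACLs Site A's web traffic enters the tunnel while Site B's own web traffic still goes straight out, which is exactly what "permit ip any any" on Router B breaks.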