07-07-2011 09:58 AM
Hi everyone,
I'm trying to set up a site-to-site VPN tunnel over an RF connection. Site A needs to be able to use Site B's internet connection to get out.
Site A 201.2.0.0 ----- Router A 172.18.12.1 ----- VPN tunnel ----- Router B 172.18.12.2 ----- Site B 172.17.90.0 ----- Internet connection out
Here's my VPN config, but it seems to me that Site A wouldn't be able to access the internet due to the ACL. Is that correct? How would I get clients on Site A access to the internet through Site B? Any other comments on the config are welcome. Thanks!
******///// Router A
/////Create IKE policy (encryption and DH group are not set, so the IOS defaults apply)
config t
crypto isakmp policy 9
hash md5
authentication pre-share
exit
/////Define shared key and specify the other side of the VPN tunnel (Router B, 172.18.12.2)
crypto isakmp key ***** address 172.18.12.2
/////Define lifetime for security association (1 day)
crypto ipsec security-association lifetime seconds 86400
/////ACL to select traffic from source Site A (201.2.0.0/16) to destination Site B (172.17.90.0/24)
access-list 150 permit ip 201.2.0.0 0.0.255.255 172.17.90.0 0.0.0.255
/////IPsec transform set name
crypto ipsec transform-set vpnsetname esp-3des esp-md5-hmac
/////Crypto map binding the peer (Router B), the transform set and the ACL
crypto map vpnmap 10 ipsec-isakmp
set peer 172.18.12.2
set transform-set vpnsetname
match address 150
/////Apply the crypto map to the local interface facing the RF link
int gi0/0
crypto map vpnmap
******///// Router B
/////Create IKE policy (encryption and DH group are not set, so the IOS defaults apply)
config t
crypto isakmp policy 9
hash md5
authentication pre-share
exit
/////Define shared key and specify the other side of the VPN tunnel (Router A, 172.18.12.1)
crypto isakmp key ***** address 172.18.12.1
/////Define lifetime for security association (1 day)
crypto ipsec security-association lifetime seconds 86400
/////ACL to select traffic from source Site B (172.17.90.0/24) to destination Site A (201.2.0.0/16)
access-list 150 permit ip 172.17.90.0 0.0.0.255 201.2.0.0 0.0.255.255
/////IPsec transform set name
crypto ipsec transform-set vpnsetname esp-3des esp-md5-hmac
/////Crypto map binding the peer (Router A), the transform set and the ACL
crypto map vpnmap 10 ipsec-isakmp
set peer 172.18.12.1
set transform-set vpnsetname
match address 150
/////Apply the crypto map to the local interface facing the RF link
int gi0/0
crypto map vpnmap
07-07-2011 01:36 PM
Hi,
The crypto access-lists would need to include internet traffic using the "any" keyword.
Router A
access-list 150 permit ip 201.2.0.0 0.0.255.255 any
Router B
access-list 150 permit ip any 201.2.0.0 0.0.255.255
Router B, if NATing, will need to NAT Router A's traffic out to the internet.
Hope this helps.
Regards,
Loren
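To show how the two pieces of Loren's answer fit together, here is an added example of what the relevant parts of both routers could look like with the "any" crypto ACLs plus NAT on Router B. This is not config from the original post or from Loren; it keeps the page's addresses (Site A 201.2.0.0/16, Site B 172.17.90.0/24, RF link 172.18.12.1/.2, crypto map on gi0/0) and assumes the rest: Router B's LAN interface is Gi0/1 with 172.17.90.1, its internet interface is Gi0/2, and ACL number 160 and the route statements are mine.

```cisco
! ===== Router A (added example; assumes Site A hosts default-route to this router) =====
! Crypto ACL per Loren: Site A to anywhere is "interesting" traffic and gets encrypted
access-list 150 permit ip 201.2.0.0 0.0.255.255 any
! Send everything Site A does not know locally toward Router B across the RF link,
! so it hits gi0/0 where the crypto map is applied
ip route 0.0.0.0 0.0.0.0 172.18.12.2
!
! ===== Router B (added example; interface names Gi0/1, Gi0/2 and ACL 160 are assumptions) =====
! Crypto ACL per Loren: anything destined for Site A is encrypted back over the tunnel
access-list 150 permit ip any 201.2.0.0 0.0.255.255
! Return route for Site A so NATted-back internet replies are forwarded to Router A
ip route 201.2.0.0 255.255.0.0 172.18.12.1
!
! NAT policy: keep Site B <-> Site A traffic untranslated, translate both sites to the internet
access-list 160 deny   ip 172.17.90.0 0.0.0.255 201.2.0.0 0.0.255.255
access-list 160 permit ip 172.17.90.0 0.0.0.255 any
access-list 160 permit ip 201.2.0.0 0.0.255.255 any
ip nat inside source list 160 interface GigabitEthernet0/2 overload
!
interface GigabitEthernet0/0
 description RF link to Router A (decrypted Site A traffic enters here)
 ip address 172.18.12.2 255.255.255.0
 ip nat inside
 crypto map vpnmap
!
interface GigabitEthernet0/1
 description Site B LAN (address assumed)
 ip address 172.17.90.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/2
 description Internet uplink
 ip nat outside
```

Traffic flow to check once this is in place: a Site A host sends to an internet address, Router A's default route puts the packet on gi0/0, ACL 150 matches and the packet is encrypted to Router B. Router B decrypts it on Gi0/0 (an inside interface), routes it out Gi0/2 (outside) and translates the 201.2.x.x source to the Gi0/2 address. The reply is translated back, routed via 172.18.12.1 onto Gi0/0, matches Router B's ACL 150 and is encrypted to Router A. `show crypto ipsec sa` on either router should show encaps and decaps counters incrementing for the 201.2.0.0/16 <-> 0.0.0.0/0 proxy identities. Note that if Router B's ACL 150 were `permit ip any any` instead, Site B's own internet-bound traffic leaving Gi0/0 would also be treated as tunnel traffic, which is the problem the later reply in this thread warns about.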
07-08-2011 09:19 AM
Thanks for the reply.
If I put access-list 150 permit ip any any on both Router A and Router B, would that work? I want access to the internet and certain local apps.
07-19-2011 01:22 PM
Hi,
A permit ip any any will not be a good idea because then Router B will try to send all traffic through the VPN tunnel. You should do it the way Loren has suggested.
Regards,
Prapanch