07-09-2013 12:12 AM
Hi All,
I have 2 internet links, one ADSL and one leased line, terminated on the same router. I need to configure the ADSL for site-to-site VPN to HO, and the leased line for dedicated internet for all users.
My site IP subnet is 10.10.100.0/24 and the HO subnet is 10.1.0.0/24. Kindly find the attached config and advise whether this will be correct and work fine.
Thanks in Advance...
Shanil
07-10-2013 01:57 AM
Hi,
To me it looks like that he has configured the route correctly;
ip route 0.0.0.0 0.0.0.0 fastethernet4 -> for all traffic to internet.
ip route 10.1.0.0 255.255.255.0 Dialer1 -> for vpn traffic to HO.
The public_IP_HO should be set under the crypto map using set peer command.
What I would like to add is the hash attribute on the isakmp policy; you can choose between sha/md5 or whatever is available on your device. Make sure that the isakmp policy matches your HO's isakmp policy.
The other thing is the acl for internet. Maybe you want to consider changing the deny statement if you want to deny traffic only to your HO. Currently it is saying to deny traffic from 10.10.100.0 to all 10.0.0.0 network, not to 10.1.0.0 network (HO network).
HTH,
07-10-2013 12:25 AM
Hi,
At current configuration, traffic to the HO is directed to the FastEthernet4 interface. This is incorrect.
You have to specify static route to the branch HO over Dialer interface.
Add the route:
ip route public_IP_HO 255.255.255.255 Dialer1
After this fix it should work correctly.
________________
Best regards,
MB
07-10-2013 01:53 AM
Thank you
07-10-2013 02:34 AM
Thank you Rudy, and I think I need to add a route to the public IP of HO through the Dialer, as pointed out by MB.
Shanil
07-10-2013 02:44 AM
Hi Shanil,
The route to the public IP of HO is included in the second ip route statement. That ip route means that all traffic destined to the 10.1.0.0/24 subnet will be forwarded through the Dialer1 interface. You can try adding another ip route to the public IP of HO; probably the device will reject the command, saying that the route already exists.
HTH,
07-11-2013 04:44 AM
Hi Rudy,
That means I have 2 static routes currently: one default route for internet, and one for the VPN subnet of HO. If I add a route to the public IP @HO via Dialer1, will it not take?
ip route 0.0.0.0 0.0.0.0 fastethernet4
ip route 10.1.0.0 255.255.255.0 Dialer1
ip route 4.4.4.4 255.255.255.255 Dialer1 --> will it reject this route?
And is the route to the public IP @HO through Dialer1 a must? Otherwise the VPN will not come up?
Thanks
Shanil
07-11-2013 08:55 AM
Hi Shanil,
Sorry, MB is correct, you will need to add an ip route for the public IP of HO as well. I was for some reason thinking that the public IP address of HO is 10.1.0.1, my bad.
It will not reject ip route 4.4.4.4 255.255.255.255 Dialer1.
Basically, you will need to have connectivity to the public IP of HO before the VPN can work.
HTH,
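The routing point settled above (why the /32 host route to the HO peer is needed) and Rudy's ACL remark can be checked with a small longest-prefix-match simulation. This is an added example, not code from the thread: it models the thread's static routes in Python, uses the poster's 4.4.4.4 placeholder for the HO public IP, and assumes the "internet" ACL's deny statement covers 10.0.0.0/8 (the thread only says "all 10.0.0.0 network"). It goes beyond the single case in the thread by resolving any destination against the table.

```python
import ipaddress

# Constructed routing tables modelled on the static routes quoted in the thread.
# 4.4.4.4 is the poster's placeholder for the HO public IP, not a real peer.
ROUTES_WITHOUT_HOST_ROUTE = [
    ("0.0.0.0/0", "FastEthernet4"),   # default route: leased line, all internet traffic
    ("10.1.0.0/24", "Dialer1"),       # HO LAN behind the VPN, via the ADSL dialer
]
ROUTES_WITH_HOST_ROUTE = ROUTES_WITHOUT_HOST_ROUTE + [
    ("4.4.4.4/32", "Dialer1"),        # MB's fix: host route to the HO public IP
]


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def ike_leaves_via_dialer(routes, ho_public_ip="4.4.4.4"):
    """IKE/IPsec to the HO peer only works if it egresses the ADSL dialer."""
    return lookup(routes, ho_public_ip) == "Dialer1"


# Constructed NAT-exemption style ACLs as (action, source, destination).
# ACL_BROAD assumes the thread's "all 10.0.0.0 network" means 10.0.0.0/8.
ACL_BROAD = [
    ("deny", "10.10.100.0/24", "10.0.0.0/8"),
    ("permit", "10.10.100.0/24", "0.0.0.0/0"),
]
ACL_NARROW = [
    ("deny", "10.10.100.0/24", "10.1.0.0/24"),   # only the HO subnet is exempted
    ("permit", "10.10.100.0/24", "0.0.0.0/0"),
]


def acl_action(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sn, dn in acl:
        if s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn):
            return action
    return "deny"
```

Without the /32, IKE to the HO peer follows the default route out FastEthernet4, so the tunnel never negotiates over the ADSL side; with the broad deny, traffic from the branch to any 10.x.x.x address that is not the HO is also excluded from the internet ACL.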
07-11-2013 11:54 AM
Thank you Rudy and MB...
Shanil