Solved: Two links one for Site-to-Site VPN and other for internet on same router configuration

shanilkumar2003 · ‎07-09-2013

Hi All,

I have 2 internet links one ADSL and one leased terminated on the same router. I need to configure ADSL for site to site VPN to HO ,and leased line for dedicated internet for all users.

my site IP subnet is 10.10.100.0/24 and HO subnet is 10.1.0.0/24. Kindly find the attached Config and advice this will be correct and work fine

Thanks in Advance...

Shanil

Rudy Sanjoko · ‎07-10-2013

Hi,

To me it looks like that he has configured the route correctly;

ip route 0.0.0.0 0.0.0.0 fastethernet4 -> for all traffic to internet.

ip route 10.1.0.0 255.255.255.0 Dialer1 -> for vpn traffic to HO.

The public_IP_HO should be set under the crypto map using set peer command.

What I would like to add is the hash attribute on the isakmp policy, you can choose between sha/md5 or whatever available on your device. Make sure that the isakmp policy match your HO's isakmp policy.

The other thing is the acl for internet. Maybe you want to consider changing the deny statement if you want to deny traffic only to your HO. Currently it is saying to deny traffic from 10.10.100.0 to all 10.0.0.0 network, not to 10.1.0.0 network (HO network).

HTH,

View solution in original post

czaja0000 · ‎07-10-2013

Hi,

At current configuration, traffic to the HO is directed to the FastEthernet4 interface. This is incorrect.

You have to specify static route to the branch HO over Dialer interface.

Add the route:

ip route public_IP_HO 255.255.255.255 Dialer1

After this fix it should work correctly.

________________
Best regards,
MB

________________ Best regards, MB

shanilkumar2003 · ‎07-10-2013

Thank you

Rudy Sanjoko · ‎07-10-2013

Hi,

To me it looks like that he has configured the route correctly;

ip route 0.0.0.0 0.0.0.0 fastethernet4 -> for all traffic to internet.

ip route 10.1.0.0 255.255.255.0 Dialer1 -> for vpn traffic to HO.

The public_IP_HO should be set under the crypto map using set peer command.

What I would like to add is the hash attribute on the isakmp policy, you can choose between sha/md5 or whatever available on your device. Make sure that the isakmp policy match your HO's isakmp policy.

The other thing is the acl for internet. Maybe you want to consider changing the deny statement if you want to deny traffic only to your HO. Currently it is saying to deny traffic from 10.10.100.0 to all 10.0.0.0 network, not to 10.1.0.0 network (HO network).

HTH,

shanilkumar2003 · ‎07-10-2013

Thank you Rudy.. and i think need to add route to Public ip of HO through Dialer as pointed by MB.

Shanil

Rudy Sanjoko · ‎07-10-2013

Hi Shanil,

The route to the public ip of HO is included in the second ip route statement. That ip route means that all traffic destined to 10.1.0.0/24 subnet will be forwarded through dialer1 interface. You can try adding another ip route to the public ip of HO, probably the device will reject the command saying that the route already exist.

HTH,

shanilkumar2003 · ‎07-11-2013

Hi Rudy,

That means i have 2 static routes currently, one default route for internet. one for VPN subnet of HO for VPN. If i add route to public ip @HO to Dialer1 ,it will not take?

ip route 0.0.0.0 0.0.0.0 fastethernet4

ip route 10.1.0.0 255.255.255.0 Dialer1

ip rote 4.4.4.4 255.255.255.255 Dialer1 --> will it reject this route?

and route to Public ip @HO through Dialer1 is a must? otherwise VPN will not comeup ?

Thanks

Shanil

Rudy Sanjoko · ‎07-11-2013

Hi Shanil,

Sorry, MB is correct, you will need to add ip route for the public ip of HO as well. I was for some reason think that the public ip address of HO is 10.1.0.1, my bad.

It will not reject ip route 4.4.4.4 255.255.255.255 Dialer1

Basically, you will need to have a connectivity to the public ip of HO before the VPN can work.

HTH,

shanilkumar2003 · ‎07-11-2013

Thank you Rudy and MB...
Shanil

Sent from Cisco Technical Support iPhone App