Remote host and internet access

Answered Question
Feb 19th, 2007

I want to access the remote host from the local office as well as local office and have internet access at the same time.

Can I do that using the following solution?

Is it possible to establish a GRE tunnel between both sites, forwarding only private IP address data into the tunnel using a static route, while for other internet traffic we use the default router which is pointing to the real IP of the interface or to the default gateway of the ISP?


Overall Rating: 4.8 (6 ratings)
sachinraja Mon, 02/19/2007 - 18:54

Hello,

Yes, this is possible. Your PC can have its default gateway set to the router.. the router can route only the required private subnet over GRE. By doing this, you can access both your remote private subnet and the internet.

GRE is easy to configure, but I would never use it, since it sends packets over the internet in clear text.. it is not at all secure.. I would instead use IPSEC with 3DES encryption, in a client-server/remote access mode. In this, the client will connect to the remote end VPN server (can be a router/firewall/VPN concentrator etc).. Once authenticated and connected, he can access any resource on the remote network. If we enable something called "split tunneling", he can access both the remote private network as well as the internet on the same PC. Only the traffic to the remote office IP will go through the VPN client adaptor. All other traffic will go through the physical NIC, thus allowing both accesses.

Hope this helps.. all the best.. rate replies if found useful.

Raj

daveporter123 Mon, 02/19/2007 - 20:46

Thanks Raj,

Will you please post the configuration of both ends for the VPN and internet access for my requirement? I will really appreciate your help.

daveporter123 Mon, 02/19/2007 - 20:51

Will you please explain "split tunneling" to me in detail?

I want to understand the whole idea behind the configuration which you are going to post.

Please help me.

Correct Answer
sachinraja Tue, 02/20/2007 - 01:50

Hello dave,

Split tunnels basically allow or deny traffic going into an IPSEC tunnel... by default split tunnel is disabled, which means all traffic will flow through the IPSEC tunnel.... this might not really be the need for many customers.. they will need to allow only a few subnets/hosts through the IPSEC tunnel when it is connected, and leave the rest of the traffic, e.g. internet, through the local NIC card... so, you can enable split tunnel and tunnel only the required traffic !!! First create an access-list:

access-list 10 permit ip 10.0.0.0 255.255.255.0 host 192.168.1.1
vpngroup abc split-tunnel 10

When we do this, traffic from 10.0.0.0/24 to 192.168.1.1 ONLY will pass through the IPSEC tunnel. All other traffic will go through the local NIC card....

Hope this helps.. all the best..

Raj

sachinraja Tue, 02/20/2007 - 01:42

Hello dave,

Which devices do you have at the head-end & remote offices? In case you have a router with the required security IOS, you can use the following URL to configure remote-access VPN:

http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009488e.shtml

Are you interested in site-to-site VPN?? This can be used when you have many users accessing private IPs in the head office, and we then don't need to enable the IPSEC client for all the users...

You can use the following URL for site-to-site VPN:

http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009463b.shtml

Just take one of the spoke locations and consider your case...

Hope this helps.. do let us know your exact requirements..

Raj

daveporter123 Tue, 02/20/2007 - 06:37

I have a 2651XM with security IOS. Now I want to go for site-to-site VPN, but as I told you, I want to reach the remote network as well as have internet access simultaneously.

So please give me the configuration for both ends.

daveporter123 Mon, 02/19/2007 - 23:08

When configuring GRE, what IP address should I use for the tunnel interface IP address? It must be a private IP address, and I should use as tunnel source the global IP address which is already configured on one of the interfaces which is facing towards the ISP? Am I right or wrong?

Please provide me the solution for both ends, as well as the same for IPsec VPN...

Correct Answer
sachinraja Tue, 02/20/2007 - 03:16

Hello dave,

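You can configure the tunnel interface with private IPs.. it really doesn't matter... the only thing is that the tunnel source and destination interfaces should be publicly reachable IP addresses... sample config:

interface Tunnel0
 ! private addressing on the tunnel itself
 ip address 10.1.1.1 255.255.255.252
 ! publicly reachable addresses of this router and of the peer
 tunnel source 200.200.200.200
 tunnel destination 100.100.100.100
 ! GRE encapsulation (the IOS default tunnel mode)
 tunnel mode gre ip
!
! send only the remote private subnet into the tunnel
ip route 172.16.1.0 255.255.255.0 Tunnel0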

similar configs on the other router with reverse configs..

the ipsec vpn configs are presented in my previous post..

Hope this helps.. all the best..

Raj
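
The GRE sample above crosses the internet in clear text, the concern raised earlier in this thread. As an added example (not part of the original posts), this is one router's side with the GRE packets themselves encrypted by IPsec and only the remote private subnet routed into the tunnel. It reuses the thread's addresses; the names GRE-TS and GRE-MAP, ACL number 110 and the angle-bracket placeholders are assumptions.

```cisco
! Router A: public address 200.200.200.200, peer 100.100.100.100
! IKE phase 1 (3DES as suggested in the thread)
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address 100.100.100.100
!
! IPsec phase 2; transport mode because GRE already supplies the outer header
crypto ipsec transform-set GRE-TS esp-3des esp-sha-hmac
 mode transport
!
! Encrypt only the GRE packets exchanged between the two public addresses
access-list 110 permit gre host 200.200.200.200 host 100.100.100.100
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 100.100.100.100
 set transform-set GRE-TS
 match address 110
!
interface Tunnel0
 ip address 10.1.1.1 255.255.255.252
 tunnel source 200.200.200.200
 tunnel destination 100.100.100.100
!
! Placeholder: the interface that holds 200.200.200.200 and faces the ISP
interface <WAN-INTERFACE>
 crypto map GRE-MAP
!
! Only the remote private subnet enters the tunnel
ip route 172.16.1.0 255.255.255.0 Tunnel0
! Everything else follows the default route to the ISP and stays out of the tunnel
! (internet access for LAN hosts assumes NAT/PAT already exists; not shown)
ip route 0.0.0.0 0.0.0.0 <ISP-NEXT-HOP>
```

Router B mirrors this with the public addresses swapped, the other tunnel address from the /30, and a static route for router A's private subnet. `show crypto ipsec sa` on either router should show encapsulated and decapsulated packet counters rising once traffic crosses the tunnel.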

daveporter123 Tue, 02/20/2007 - 05:39

Thanks Raj,

You helped me a lot.

It means you can use any tunnel interface IP address (any IP address from private IP), but tunnel source and destination must be global IP addresses, right!!! And tunnel source and destination must be reachable to each other, so the tunnel can come up and work.

Am I right?

Raj, in this case how can we go for the ip unnumbered command by configuring a loopback interface?
