Remote host and internet access

daveporter123
Level 1

I want to access the remote host from the local office and, at the same time, have internet access from the local office.

Can I do that using the following solution?

Is it possible to establish a GRE tunnel between both sites, forward only the private IP address traffic into the tunnel using a static route, and for the other internet traffic use the default route which points to the real IP of the interface or to the default gateway of the ISP?


9 Replies

sachinraja
Level 9

Hello,

Yes, this is possible. Your PC can have its default gateway set to the router, and the router can route only the required private subnet over GRE. By doing this, you can access both your remote private subnet and the internet.

GRE is easy to configure, but I would never use it, since it sends packets over the internet in clear text. It is not at all secure. I would instead use IPsec with 3DES encryption, in a client-server/remote access mode. In this, the client will connect to the remote end VPN server (can be a router/firewall/VPN concentrator etc.). Once authenticated and connected, he can access any resource on the remote network. If we enable something called "split tunneling", he can access both the remote private network as well as the internet on the same PC. Only the traffic to the remote office IP will go through the VPN client adaptor; all other traffic will go through the physical NIC, thus allowing both accesses.

Hope this helps. All the best. Rate replies if found useful.

Raj

Thanks Raj,

Will you please post both ends' configuration for the VPN and internet access for my requirement? I will really appreciate your help.

Will you please explain "split tunneling" to me in detail?

I want to understand the whole idea behind the configuration which you are going to post.

Please help me.

Hello Dave,

Split tunnels basically allow or deny traffic going into an IPsec tunnel. By default split tunnel is disabled, which means all traffic will flow through the IPsec tunnel. This might not really be the need for many customers: they will need to allow only a few subnets/hosts through the IPsec tunnel when it is connected, and leave the rest of the traffic, e.g. internet, on the local NIC card. So, you can enable split tunnel and tunnel only the required traffic! First create an access-list (PIX 6.x syntax, where the ACL takes subnet masks and the vpngroup command references it):

access-list 10 permit ip 10.0.0.0 255.255.255.0 host 192.168.1.1
vpngroup abc split-tunnel 10

When we do this, traffic from 10.0.0.0/24 to 192.168.1.1 ONLY will pass through the IPsec tunnel. All other traffic will go through the local NIC card.

Hope this helps. All the best.

Raj

Hello Dave,

Which devices do you have at the head-end and remote offices? In case you have a router with the required security IOS, you can use the following URL to configure a remote-access VPN:

http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009488e.shtml

Are you interested in a site-to-site VPN? This can be used when you have many users accessing private IPs in the head office, and we then don't need to enable the IPsec client for all the users.

You can use the following URL for site-to-site VPN:

http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009463b.shtml

Just take one of the spoke locations and consider your case.

Hope this helps. Do let us know your exact requirements.

Raj

I have a 2651XM with security IOS. Now I want to go for site-to-site VPN, but as I told you, I want to have remote network access as well as internet access simultaneously.

So please give me both ends' configuration.

When configuring GRE, what IP address should I use for the tunnel interface IP address? It must be a private IP address, and I should use as tunnel source the global IP address which is already configured on the one of my interfaces that faces the ISP? Am I right or wrong?

Please provide me both ends' solution, as well as the same for IPsec VPN.

Hello Dave,

You can configure the tunnel interface with private IPs; it really doesn't matter. The only thing is that the tunnel source and destination interfaces should be publicly reachable IP addresses. Sample config:

interface Tunnel0
 ip address 10.1.1.1 255.255.255.252
 tunnel source 200.200.200.200
 tunnel destination 100.100.100.100
 ! GRE over IP encapsulation (the IOS default for a tunnel interface)
 tunnel mode gre ip
!
ip route 172.16.1.0 255.255.255.0 Tunnel0

Similar config on the other router, with the source/destination and addresses reversed.

The IPsec VPN configs are presented in my previous post.

Hope this helps. All the best.

Raj
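To make the two policies in this thread concrete (the split-tunnel ACL from Raj's earlier post and the GRE static route from the config above), here is a small Python model, added as an example and not code from the thread or from Cisco. It uses the addresses Raj used; the ISP default gateway 203.0.113.1 and the test destinations are constructed placeholders from documentation address space. It shows why only the listed flow enters the IPsec tunnel, why longest-prefix matching sends only 172.16.1.0/24 into Tunnel0 while everything else follows the default route, and it flags the one misconfiguration the thread warns about: an RFC 1918 address as tunnel source or destination.

```python
"""Model of split-tunnel ACL matching and static-route selection (added example, not Cisco code)."""
import ipaddress
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network

# RFC 1918 space: fine for the tunnel interface itself, not for tunnel source/destination.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def net(addr: str, mask: str = "255.255.255.255") -> IPNet:
    """Build a network from the 'address netmask' form PIX ACLs use ('host X' is a /32)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


# Split-tunnel ACL as (action, source, destination). Flows that match a permit entry enter
# the IPsec tunnel; anything that falls off the end hits the implicit deny and stays local.
SPLIT_TUNNEL_ACL: List[Tuple[str, IPNet, IPNet]] = [
    ("permit", net("10.0.0.0", "255.255.255.0"), net("192.168.1.1")),
]


def split_tunnel_path(acl, src: str, dst: str) -> str:
    """Return 'tunnel' if the flow matches a permit entry, otherwise 'local' (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return "tunnel" if action == "permit" else "local"
    return "local"


# Static routing table of the GRE router: the remote private subnet via Tunnel0,
# everything else via the ISP gateway (203.0.113.1 is a constructed placeholder).
ROUTES: List[Tuple[IPNet, str]] = [
    (net("172.16.1.0", "255.255.255.0"), "Tunnel0"),
    (ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1"),
]


def next_hop(routes, dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching route wins."""
    d = ipaddress.ip_address(dst)
    best = None
    for network, hop in routes:
        if d in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, hop)
    return best[1] if best else None


def is_rfc1918(addr: str) -> bool:
    """True when the address is in RFC 1918 private space."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RFC1918)


def check_tunnel_endpoints(source: str, destination: str) -> List[str]:
    """Flag tunnel endpoints that are private and therefore not reachable across the internet."""
    problems = []
    for label, addr in (("tunnel source", source), ("tunnel destination", destination)):
        if is_rfc1918(addr):
            problems.append(f"{label} {addr} is RFC 1918 space and cannot be reached across the internet")
    return problems


if __name__ == "__main__":
    print(split_tunnel_path(SPLIT_TUNNEL_ACL, "10.0.0.5", "192.168.1.1"))   # tunnel
    print(split_tunnel_path(SPLIT_TUNNEL_ACL, "10.0.0.5", "198.51.100.7"))  # local
    print(next_hop(ROUTES, "172.16.1.10"))                                  # Tunnel0
    print(next_hop(ROUTES, "198.51.100.7"))                                 # 203.0.113.1
    print(check_tunnel_endpoints("200.200.200.200", "100.100.100.100"))     # []
    print(check_tunnel_endpoints("10.1.1.1", "100.100.100.100"))            # one problem
```

The routing function is the part worth studying: the default route matches every destination, but the /24 for the remote subnet is longer, so it wins only for that subnet. That is exactly what keeps internet traffic off the tunnel without any extra configuration, and it is also why a typo that widens the tunnel route (say a /8 instead of a /24) would silently pull far more traffic into a clear-text GRE path.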

Thanks Raj,

You helped me a lot.

It means you can use any tunnel interface IP address (any IP address from private IP space), but the tunnel source and destination must be global IP addresses, right? And the tunnel source and destination must be reachable from each other, so the tunnel can come up and work.

Am I right?

Raj, in this case how can we go for the ip unnumbered command by configuring a loopback interface?
