three WAN cct

Unanswered Question
Dec 9th, 2007

Hi,

We have three WAN ccts (6M ADSL, 10M Ethernet and E1 IPLC). All of them are connected to 4700. I will build the VPN between HK and TW. Also, we have one IPLC between HK and TW.

The following is the IP address allocation:

1. 192.168.16.0/22 in HK HQ

2. 192.168.132.0/22 in TST

3. 192.168.196.0/22 in TW

I would like to achieve the following; all traffic to these destination IPs:

1. 192.168.196.0/24 must go via IPLC

2. 192.168.197.0/24 must go via VPN

3. 192.168.198.0/24, some goes via IPLC, some goes via VPN

and

4. 192.168.16.128/25 access 192.168.196.0/24 must go VPN (not IPLC)

5. 192.168.133.128/25 access 192.168.196.0/24 must go VPN (not IPLC)

What config can achieve the requirements in items 4 and 5? Please advise.

regards,

! router config:
!
crypto isakmp key xxxxx address 152.x.x.x
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap local-address FastEthernet1
!
crypto map mymap 120 ipsec-isakmp
 description vpn to TW
 set peer 152.x.x.x
 set transform-set myset
 match address 120
!
access-list 120 permit ip 192.168.16.0 0.0.3.255 192.168.196.0 0.0.3.255
access-list 120 permit ip 192.168.132.0 0.0.3.255 192.168.196.0 0.0.3.255
!
interface FastEthernet 0.1
 description to 10M ethernet to TST
 ip address 192.168.128.1 255.255.255.252
 ip nat inside
!
interface FastEthernet 0.2
 description to user segment
 ip address 192.168.16.1 255.255.255.0
 ip address 192.168.17.1 255.255.255.0 sec
 ip address 192.168.18.1 255.255.255.0 sec
 ip address 192.168.19.1 255.255.255.0 sec
 ip nat inside
!
interface FastEthernet 1
 description to PCCW ADSL (VPN service)
 ip address 218.x.x.x 255.255.255.254
 ip nat outside
 crypto map mymap
!
interface serial 0
 description to TW
 ip address 192.168.192.1 255.255.255.252
!
ip nat pool NAT 218.x.x.x 218.x.x.x netmask 255.255.255.254
ip nat inside source route-map VPN_nonat interface FastEthernet1 overload
!
route-map VPN_nonat permit 10
 match ip address 150
!
access-list 150 deny ip 192.168.16.0 0.0.3.255 192.168.196.0 0.0.3.255
access-list 150 deny ip 192.168.132.0 0.0.3.255 192.168.196.0 0.0.3.255
access-list 150 permit ip 192.168.16.0 0.0.3.255 any
access-list 150 permit ip 192.168.132.0 0.0.3.255 any
!
! go iplc
ip route 192.168.196.0 255.255.255.0 serial 0
!
! some go iplc
ip route 192.168.198.110 255.255.255.255 serial 0
ip route 192.168.198.153 255.255.255.255 serial 0
ip route 192.168.198.166 255.255.255.255 serial 0
ip route 192.168.198.248 255.255.255.248 serial 0
!
! other traffic should go VPN

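Added example (not part of the original post or of any reply): a small Python model of how the posted config picks a path, with longest-prefix routing on the destination first and crypto ACL 120 consulted only for traffic leaving FastEthernet1. The default route out FastEthernet1 is an assumption, since the post shows no route for "other traffic"; the function names and path labels are made up for the example.

```python
import ipaddress

# Static routes copied from the posted config (prefix -> egress interface).
ROUTES = {
    "192.168.196.0/24": "Serial0",
    "192.168.198.110/32": "Serial0",
    "192.168.198.153/32": "Serial0",
    "192.168.198.166/32": "Serial0",
    "192.168.198.248/29": "Serial0",
    # ASSUMPTION: the post shows no route for "other traffic"; a default
    # route out the ADSL interface is assumed here.
    "0.0.0.0/0": "FastEthernet1",
}
# access-list 120 from the post: (source, wildcard, destination, wildcard).
ACL_120 = [
    ("192.168.16.0", "0.0.3.255", "192.168.196.0", "0.0.3.255"),
    ("192.168.132.0", "0.0.3.255", "192.168.196.0", "0.0.3.255"),
]
CRYPTO_MAP_INTERFACE = "FastEthernet1"  # "crypto map mymap" is applied here only


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def egress_interface(dst):
    """Longest-prefix match on the destination only; the source is ignored."""
    nets = [ipaddress.ip_network(p) for p in ROUTES]
    best = max((n for n in nets if ipaddress.ip_address(dst) in n), key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def path(src, dst):
    """Return 'IPLC', 'VPN' or 'ADSL-clear' for one flow."""
    out = egress_interface(dst)
    if out != CRYPTO_MAP_INTERFACE:
        return "IPLC"  # never reaches the crypto map, so ACL 120 is not consulted
    hit = any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw) for s, sw, d, dw in ACL_120)
    return "VPN" if hit else "ADSL-clear"


if __name__ == "__main__":
    for src, dst in [("192.168.16.10", "192.168.196.5"), ("192.168.16.200", "192.168.196.5"),
                     ("192.168.133.200", "192.168.196.5"), ("192.168.16.10", "192.168.197.5"),
                     ("192.168.16.10", "192.168.198.110"), ("192.168.16.10", "192.168.198.20")]:
        print(f"{src} -> {dst}: {path(src, dst)}")
```

With the routes as posted, flows from 192.168.16.128/25 and 192.168.133.128/25 to 192.168.196.0/24 come out as IPLC, because the static route is chosen on the destination alone and the crypto ACL is never evaluated on Serial0.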
aghaznavi Mon, 12/17/2007 - 06:11

Implement an IPsec tunnel between 192.168.16.128/25 and 192.168.196.0/24, and also between 192.168.133.128/25 and 192.168.196.0/24. If you are not familiar with the steps, use SDM for the configuration.

anitachoi3 Thu, 12/20/2007 - 09:04

I should build VPN

the first is 192.168.16.0 - 192.168.196.0

and ipsec tunnel

the second is 192.168.16.128 - 192.168.196.0

any sample of ipsec tunnel config?

rgds
