Vpn Site 2 site

Fredry123 · ‎12-12-2007

Hello

I have a site2site tunnel running my headoffice and branchoffice. From my branchoffice will I tunnel everything over to headoffice. So when my user on branchoffice will go to internet it has to pass my headoffice pix515. Is this possibly? and how to I do?

\Fredry

ccbootcamp · ‎12-12-2007

Sure, you can do that. You just need to put the proper routes on the proper devices in the headoffice.

-brad

http://www.ccbootcamp.com

(please rate the post if this helps!)

husycisco · ‎12-13-2007

Brad,

In this case, a 0.0.0.0 0.0.0.0 route to remote office gateway in local device for local users to go internet over remote gateway should be entered correct? If so how will local device connect the peer ip? something like following?

route outside remotepeerip 255.255.255.255 localISPgateway metric 1

route outside 0.0.0.0 0.0.0.0 remotegateway metric 2

ccbootcamp · ‎12-13-2007

No, that's not how I'd do it.

at the remote office:

route everything to next hop

ENCRYPT EVERYTHING through VPN tunnel

at the head office:

route AND ENCRYPT ALL TRAFFIC DESTINED for REMOTE OFFICE through VPN tunnel

STATIC NAT to translate head office IP subnets AND remote office IP subnet on HEAD OFFICE gateway to internet

DEFAULT route on HEAD OFFICE out to internet.

Does this make sense?

-brad

www.ccbootcamp.com

(please rate the post if this helps!)

Fredry123 · ‎12-14-2007

sure, but i can't get the static nat to work.

can you give me a config exempel.

\Fredry

Fredry123 · ‎12-14-2007

sure, but i can't get the static nat to work.

can you give me a config exempel.

\Fredry

cisco24x7 · ‎12-14-2007

I am going to show you how to do this. It is so easy

even you will be suprised by it.

LAN_A---RouterA----INTERNET----PixB---LAN_B

LAN_A = 192.168.103.0/24

LAN_B = 10.105.0.0/24

RouterA External IP = 1.1.1.1 (remote office)

PixB outside IP = 2.2.2.2 (HQ)

RouterA config:

access-list 101 permit ip 192.168.103.0 0.0.0.255 any

crypto isakmp key cisco add 2.2.2.2 no-xauth

crypto isakmp keep 10

crypto isakmp pol 1

auth pre

hash sha

encr aes 256

group 5

life 86400

crypto ipsec trans cisco esp-aes 256 esp-sha-hmac

crypto map cisco 10 ipsec-isakmp

set peer 2.2.2.2

set trans cisco

match address 101

set security life sec 3600

set pfs group5

interface F0/0

address 1.1.1.1 255.2552.255.240

crypto map cisco

PixB config:

isakmp identity address

isakmp enable outside

isakmp key cisco address 1.1.1.1 no-xauth

access-list nonat permit ip 10.105.0.0 255.255.255.0 192.168.103.0 255.255.255.0

access-list VPN permit ip 192.168.103.0 255.255.255.0 any

access-list 101 permit ip 10.105.0.0 255.255.255.0 192.168.103.0 255.255.255.0

access-list 101 permit ip any 192.168.103.0 255.255.255.0

nat (outside) 1 access-list VPN

global (outside) 1 interface

nat (inside) 1 0 0

nat (inside) 0 access-list nonat

same-security-traffic permit intra-interface

sysopt connection permit-ipsec

isakmp pol 1 auth pre

isakmp pol 1 encr aes-256

isakmp pol 1 hash sha

isakmp pol 1 group 5

isakmp pol 1 life 86400

crypto ipsec trans cisco esp-aes-256 esp-sha-hmac

crypto map cisco 10 ipsec-isakmp

crypto map cisco 10 set peer 1.1.1.1

crypto map cisco 10 set trans cisco

crypto map cisco 10 set group5

crypto map cisco 10 match address 101

crypto map cisco 10 set security life second 3600

crypto map cisco interface outside

now traffics from network 192.168.103.0/24 going to the Internet

will have to go over to the Pix firewall at the HQ side.

As I've said before, it is so easy even cavemen can do it

(Geico comercial) :-)