Routing a Public Subnet through a VPN Tunnel

gus.dalinis · ‎10-09-2008

I have been trying to figure this out for a while, hopefully someone here can help me out.

I have a Public class C. I want to take a /27 and route it through a VPN tunnel to another location so that other location can use the public IPs. I have Cisco 2811 Routers at both ends.

I can setup a site-to-site VPN connection on the routers but its figuring out how to route the traffic through so that the /27 comes out on the other end and the machines that communicate on the other end come out using the /27.

/27Subnet --> 2811 <VPN> 2811 --> Hosts

Hosts --> 2811 <VPN> 2811 --> /27 Subnet

Bidirectional communication. I can use internal 10.x.x.x subnet if needed to route between them, and I was thinking of setting up some sort of NAT, but not sure if it will work.

Anyone have any ideas on how to accomplish this? Thanks in advanced.

Gus

Marwan ALshawi · ‎10-09-2008

nating works

if u do nating on the main router and nat the traffic to IPs in the remote site and include in ur ACL inersting traffic for vpn any traffic going to those IPs i mean local IPs those will have nating

and u can use use gre/ipsec to use static/dynamic routig then u can make the work as a routed network between two directly connected routers

if helpful rate

gus.dalinis · ‎10-10-2008

Thanks for the response. I think I am missing what to actually place in the access-list for the VPN tunnel, and I don't even know if this configuration is correct. Here is what I have so far on my router that has the public IP's:

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key <> address x.x.x.x no-xauth

crypto isakmp keepalive 10

!

crypto ipsec transform-set defaultVPN esp-3des esp-sha-hmac

!

crypto map B2BVPN 1 ipsec-isakmp

description VPN to Remote Site

set peer x.x.x.x

set transform-set defaultVPN

match address tunnel

!

interface GigabitEthernet0/1.104

encapsulation dot1Q 104

ip address 99.88.77.33 255.255.255.252

ip nat inside

ip virtual-reassembly

crypto map B2BVPN

!

interface GigabitEthernet0/1.105

encapsulation dot1Q 105

ip address 99.88.77.37 255.255.255.252

ip nat outside

ip virtual-reassembly

!

ip route 99.88.77.240 255.255.255.240 GigabitEthernet0/1.105

ip route 10.0.100.240 255.255.255.240 GigabitEthernet0/1.104

!

ip nat inside source static 10.0.100.241 99.88.77.241

ip nat inside source static 10.0.100.242 99.88.77.242

ip nat inside source static 10.0.100.243 99.88.77.243

ip nat inside source static 10.0.100.244 99.88.77.244

ip nat inside source static 10.0.100.245 99.88.77.245

ip nat inside source static 10.0.100.246 99.88.77.246

ip nat inside source static 10.0.100.247 99.88.77.247

ip nat inside source static 10.0.100.248 99.88.77.248

ip nat inside source static 10.0.100.249 99.88.77.249

ip nat inside source static 10.0.100.250 99.88.77.250

ip nat inside source static 10.0.100.251 99.88.77.251

ip nat inside source static 10.0.100.252 99.88.77.252

ip nat inside source static 10.0.100.253 99.88.77.253

ip nat inside source static 10.0.100.254 99.88.77.254

Marwan ALshawi · ‎10-10-2008

first do u have ur VPN working ok

i mean from the router with public IPs u can reach all the 10.0.100.240 IPs through vpn?

and what is the content of tunnel ACL ?

this ACL important because this ACL determine what to be send through VPN