Site-to-Site VPN...Internet still accessible?

Answered Question
Jul 19th, 2009

If I set up a site-to-site VPN using two Cisco routers (one at each site), will users behind either router be able to access the Internet for general usage?

I ask because I know that some devices block all other traffic except traffic going over the VPN tunnel (they disable split-tunneling).

Please advise

Giuseppe Larosa Sun, 07/19/2009 - 08:33

Hello Sean,

It is a question of choices.

It is possible to provide concurrent Internet access at the site.

The key point is to configure NAT so that traffic for the VPN is not translated.

So the NAT ACL usually contains a deny statement for the traffic to the other site.

To use an extended ACL, you can invoke it inside a route-map that is then used in the NAT command.

This site LAN: 10.10.10.0/24
Central site: 10.108.0.0/16

! traffic to the central site is denied here, so the route-map does not match and it is left untranslated
access-list 121 deny ip 10.10.10.0 0.0.0.255 10.108.0.0 0.0.255.255
access-list 121 permit ip 10.10.10.0 0.0.0.255 any
!
route-map selected_NAT permit 10
 match ip address 121
!
ip nat inside source route-map selected_NAT interface wan_x overload
!
interface wan_x
 ip nat outside
 crypto map My_VPN
!
interface f0/0
 ip nat inside

In some designs Internet access is performed at the central site, to be able to apply web filtering also to remote-site users.

In that case no NAT is configured at the remote sites, and a point-to-point GRE tunnel inside IPsec allows for this.

It is enough to have

ip route 0.0.0.0 0.0.0.0 tunnel0

On the public interface you need a static route to reach the tunnel destination.

Hope to help

Giuseppe

bflseanny Sun, 07/19/2009 - 08:58

So, let me see if I understand.

The following:

access-list 121 deny ip 10.10.10.0 0.0.0.255 10.108.0.0 0.0.255.255
access-list 121 permit ip 10.10.10.0 0.0.0.255 any

in conjunction with the route map, is telling the router to NAT all traffic UNLESS it is destined for the remote site network (which is accessible via the VPN).

Now, with the site-to-site connection, I could be exchanging routing tables via some routing protocol and all would work as normal, right?

Just so you know the context here, I am an aspiring engineer. I am consulting a medical practice that needs a network. They have three offices and I want to be able to propose a setup that would allow them to have all three offices connected using a VPN between them (so they don't have to purchase an alternative WAN service like Frame Relay). Each office has Internet locally.

So, I think this would work.

You?

Correct Answer
Giuseppe Larosa Sun, 07/19/2009 - 09:53

Hello Sean,

Thanks for your kind remarks.

Yes, what you want to do is possible, with each site going to the Internet independently.

For building a full mesh of VPN links you need to define two GRE tunnels on each device.

The crypto map can have two blocks, one for each peer/remote site.

Traffic to be encrypted: GRE between hosts (the GRE tunnels' source and destination addresses).

You can use one ACL for each peer.

Hope to help

Giuseppe
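
As an added illustration that is not part of the thread: a small Python model of the NAT-exemption logic from Giuseppe's first reply (ACL 121 plus the route-map), extended to the three-office full mesh Sean describes. It parses the IOS access-list lines, applies Cisco wildcard-mask matching, and reports which remote LANs an exemption ACL still leaves NATted; the third-office subnet 10.20.20.0/24 and the Internet host 203.0.113.10 are constructed values.

```python
# Constructed Python model of the NAT-exemption ACL + route-map from the thread (not IOS code).
import ipaddress


def _take_target(tokens):
    """Consume 'any' or 'ADDR WILDCARD' from the front of tokens; return (addr, wildcard) as ints."""
    if tokens[0] == "any":
        del tokens[0]
        return 0, 0xFFFFFFFF  # 'any': address 0 with an all-ones wildcard
    addr, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    del tokens[:2]
    return addr, wild


def parse_acl(config_text):
    """Return (action, src, dst) for each 'access-list N permit|deny ip SRC DST' line, in order."""
    aces = []
    for line in config_text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # only the numbered extended 'ip' form used in the thread
        rest = tokens[4:]
        src = _take_target(rest)  # consumes the source, leaving the destination
        aces.append((tokens[2], src, _take_target(rest)))
    return aces


def _matches(addr, ace_addr, wild):
    """Cisco wildcard semantics: 0 bits must match, 1 bits are ignored."""
    return (addr & ~wild) == (ace_addr & ~wild)


def is_translated(aces, src_ip, dst_ip):
    """First matching entry decides: permit -> NATted; deny or no match (implicit deny) -> untranslated."""
    s, d = (int(ipaddress.IPv4Address(ip)) for ip in (src_ip, dst_ip))
    for action, src, dst in aces:
        if _matches(s, *src) and _matches(d, *dst):
            return action == "permit"
    return False


def unexempted_remote_lans(aces, local_lan, remote_lans):
    """Remote LANs whose traffic would still be NATted, so it never matches the crypto ACL."""
    local_host = str(ipaddress.IPv4Network(local_lan)[1])
    return [lan for lan in remote_lans
            if is_translated(aces, local_host, str(ipaddress.IPv4Network(lan)[1]))]


# ACL from the thread; the third office at 10.20.20.0/24 is a constructed value it does not cover.
THREAD_ACL = """
access-list 121 deny ip 10.10.10.0 0.0.0.255 10.108.0.0 0.0.255.255
access-list 121 permit ip 10.10.10.0 0.0.0.255 any
"""
REMOTE_LANS = ["10.108.0.0/16", "10.20.20.0/24"]
```

Running unexempted_remote_lans(parse_acl(THREAD_ACL), "10.10.10.0/24", REMOTE_LANS) returns ['10.20.20.0/24']: a full mesh needs one deny line per remote site in the NAT ACL, or that site's traffic is translated and never enters the tunnel.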
