Internet traffic of remote site redirected through the main site via the IPsec VPN tunnel

Answered Question
Apr 20th, 2010

Hi all,

I have a problem redirecting the Internet traffic of my remote site to the main site via the IPsec VPN tunnel. The main site has a Cisco 2801 router with IOS c2800nm-advipservicesk9-mz.124-22.T and the remote site has IOS C870-ADVSECURITYK9-M, Version 12.4(15)T12, RELEASE SOFTWARE fc3. This redirection doesn't work, and the last hop of an extended traceroute from the remote site is the WAN IP of the main site.

Is there anyone who can help me set up this redirection through the VPN correctly?

Config file of the remote site:


crypto isakmp policy 8
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key dgsn2010 address 41.223.X.X
!
!
crypto ipsec transform-set vpn esp-3des
!
crypto map vpndgsn 10 ipsec-isakmp
 description TO HQ
 set peer 41.223.X.X
 set transform-set vpn
 match address VPNHQ
!
interface FastEthernet0
 ip address 41.223.X.X 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 duplex auto
 speed auto
 crypto map vpndgsn
!
interface FastEthernet4
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 41.223.X.X
!
ip access-list extended VPNHQ
 permit ip 192.168.11.0 0.0.0.255 any
!

Config file of the main site:


crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key dgsn2010 address 41.223.X.X
!
!
crypto ipsec transform-set vpn esp-3des
!
crypto map vpncreo 10 ipsec-isakmp
 description TO bastos
 set peer 41.205.X.X
 set transform-set vpn
 match address 110
!
interface FastEthernet0/0
 description TO WAN
 ip address 41.223.X.X 255.255.255.240
 ip nat outside
 ip tcp adjust-mss 1492
 crypto map vpncreo
!
interface FastEthernet0/1
 description TO LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip route 0.0.0.0 0.0.0.0 41.223.31.241
!
access-list 110 permit ip any 192.168.11.0 0.0.0.255
!
! The deny entry takes a source and a destination only; a trailing "any"
! after the destination is rejected by the parser.
ip access-list extended NAT
 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.11.0 0.0.0.255 any
!

Correct Answer by Jennifer Halim about 6 years 7 months ago

You would need to configure policy based routing to a loopback so the NAT can be invoked on the main site.

Here is a sample configuration for your reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

Also, make sure that you are not doing any NATing at your remote end, i.e. you would need to configure NAT exemption for all traffic from 192.168.11.0/24 to any (Internet).

Hope that helps.
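The hub-side pattern the answer describes, written out as an added example for this page (it is not the poster's config and not the configuration from the linked Cisco document): a loopback marked `ip nat inside` and a route-map on the WAN interface that steers decrypted spoke traffic onto that loopback so it passes an inside interface before the default route sends it to the ISP. Assumed values: spoke LAN 192.168.100.0/24, hub LAN 192.168.10.0/24, Loopback0 10.10.11.1/30 with 10.10.11.2 as the policy next hop, ISP next hop 203.0.113.1, and the ACL/route-map names SPOKE-INTERNET and SPOKE-VIA-LOOPBACK.

```cisco
! Hub router. All names and addresses below are assumptions for this example.
interface Loopback0
 description NAT hairpin for spoke Internet traffic
 ip address 10.10.11.1 255.255.255.252
 ip nat inside
!
interface FastEthernet0/0
 description TO WAN
 ip nat outside
 ip policy route-map SPOKE-VIA-LOOPBACK
 crypto map vpncreo
!
interface FastEthernet0/1
 description TO LAN
 ip nat inside
!
! Spoke-to-Internet traffic only; spoke-to-hub-LAN traffic stays on the
! normal path and is never translated.
ip access-list extended SPOKE-INTERNET
 deny   ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 any
!
! Decrypted packets arriving on the WAN interface would otherwise follow the
! default route straight back out without crossing an "ip nat inside"
! interface, so no translation would happen. Next hop 10.10.11.2 lies on
! Loopback0: the packet is looped through an inside interface, then routed
! normally to the ISP and translated on the way out of FastEthernet0/0.
route-map SPOKE-VIA-LOOPBACK permit 10
 match ip address SPOKE-INTERNET
 set ip next-hop 10.10.11.2
!
! NAT policy: translate hub and spoke LANs to the WAN address, but never
! LAN-to-LAN traffic, which must enter the tunnel unmodified.
ip access-list extended NAT
 deny   ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.100.0 0.0.0.255 any
ip nat inside source list NAT interface FastEthernet0/0 overload
!
! Crypto ACL mirrors the spoke's "permit ip 192.168.100.0/24 any": return
! traffic, un-translated back to 192.168.100.x, matches it and re-enters
! the tunnel instead of leaking to the ISP.
access-list 110 permit ip any 192.168.100.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

On the spoke, the crypto ACL must carry everything (`permit ip 192.168.100.0 0.0.0.255 any`) and any local `ip nat inside source` statement must exempt that same traffic, otherwise the hub sees already-translated packets it cannot match.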

FONKOU FOSSO Fri, 04/23/2010 - 09:42

Hi Alijenn,

Thanks for your reply!

I've applied the config to my network design and all is working well!

These are the config files for the main and remote sites:

Main site :

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp key dgsn2010 address 41.223.X.X
crypto isakmp key dgsn2010 address 41.205.X.X
crypto isakmp key dgsn2010 address 41.205.X.X
crypto isakmp key dgsn2010 address 41.205.X.X
!
!
crypto ipsec transform-set vpn esp-3des
!
! Each peer needs its own sequence number: re-entering "vpncreo 10" edits
! the same entry four times and leaves only "match address 140".
crypto map vpncreo 10 ipsec-isakmp
 description TO bastos
 set peer 41.205.X.X
 set transform-set vpn
 match address 110
!
crypto map vpncreo 20 ipsec-isakmp
 description TO bastos
 set peer 41.205.X.X
 set transform-set vpn
 match address 120
!
crypto map vpncreo 30 ipsec-isakmp
 description TO bastos
 set peer 41.205.X.X
 set transform-set vpn
 match address 130
!
crypto map vpncreo 40 ipsec-isakmp
 description TO bastos
 set peer 41.205.X.X
 set transform-set vpn
 match address 140
!
! Only one "ip policy route-map" is honoured per interface; the line entered
! last replaces the earlier one. Route-maps VPN-INTERNET and VPN-INTERNET2,
! and the loopback whose subnet holds next hop 10.10.11.2, are not included
! in this listing.
interface FastEthernet0/0
 description TO WAN
 ip address 41.223.x.x 255.255.255.240
 ip nat outside
 ip policy route-map VPN-remote
 ip tcp adjust-mss 1300
 ip policy route-map VPN-INTERNET2
 crypto map vpncreo
!
interface FastEthernet0/1
 description TO LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip policy route-map VPN-INTERNET
 duplex auto
 speed auto
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip route 0.0.0.0 0.0.0.0 41.223.x.x
ip route 10.10.11.0 255.255.255.0 41.223.x.x
!
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip any 192.168.100.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 120 permit ip any 192.168.12.0 0.0.0.255
access-list 130 permit ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 130 permit ip any 192.168.13.0 0.0.0.255
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 140 permit ip any 192.168.14.0 0.0.0.255
access-list 144 permit ip 192.168.100.0 0.0.0.255 any
!
ip access-list extended NAT
 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 192.168.14.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 192.168.11.0 0.0.0.255 any
 permit ip 192.168.12.0 0.0.0.255 any
 permit ip 192.168.13.0 0.0.0.255 any
!
! Spoke traffic decrypted on the WAN interface is steered to the loopback
! so it enters an "ip nat inside" interface before leaving for the ISP.
route-map VPN-remote permit 10
 match ip address 144
 set ip next-hop 10.10.11.2
!

Remote site :

crypto isakmp policy 8
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key dgsn2010 address 41.223.X.X
!
!
crypto ipsec transform-set vpn esp-3des
!
crypto map vpndgsn 10 ipsec-isakmp
 description TO HQ
 set peer 41.223.X.X
 set transform-set vpn
 match address VPNHQ
!
interface FastEthernet4
 ip address 41.223.X.X 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 duplex auto
 speed auto
 crypto map vpndgsn
!
interface FastEthernet0
 ip address 192.168.100.1 255.255.255.0
 no ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 41.223.x.x
!
ip access-list extended VPNHQ
 permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 any
!
