09-09-2010 04:53 AM - edited 03-06-2019 12:53 PM
Hello
I have one headquarters and 2 remote sites.
The headquarters is connected to each remote site with a VPN connection.
The users on the remote sites have access to all resources on the central site (headquarters), but they don't have access to the internet.
Now it works.
I want to give internet access to 2 users (172.25.2.10 and 172.25.2.11) at the remote site.
See below the commands that I am planning to add in the 2801 router on the remote 1 site:
ip access-list extended remote1internet
 ! "host" already implies a 0.0.0.0 wildcard, so no mask follows it
 permit ip host 172.25.2.10 host 172.25.0.100
 permit ip host 172.25.2.11 host 172.25.0.100
Do I need to add any other commands in the same router or in the 2821 router at the headquarters?
Please help.
09-09-2010 11:21 AM
Hello Nicanor00,
Access to the public internet means:
the remote-site hosts' IP addresses need to be translated to public IP addresses at the central site.
No changes are needed at the remote-site router, and by the way you need to permit access to any IP address, not only to the router in the central site.
You would need:
ip access-list extended remote1internet
 ! "host" takes no wildcard mask; "any" matches every destination
 permit ip host 172.25.2.10 any
 permit ip host 172.25.2.11 any
On the central-site router or FW that performs NAT for the IP addresses of the central site, you need to modify the ACL that decides what has to be translated, to allow translation of the specified remote-site hosts.
Example for an IOS router (to be done in the central site):
! the interface name was dropped from the post; use the internet-facing interface,
! and "overload" is needed for PAT (many inside hosts behind one public address)
ip nat inside source list 111 interface <outside-interface> overload
!
in ACL 111 you need to add these lines:
! I suppose 172.25.0.0/16 is your central site / intranet; you don't need to translate when going to another internal network
! the deny must come before the permits (first match wins); wildcard 0.0.0.1 covers both .10 and .11
access-list 111 deny ip 172.25.2.10 0.0.0.1 172.25.0.0 0.0.255.255
access-list 111 permit ip host 172.25.2.10 any
access-list 111 permit ip host 172.25.2.11 any
Check the configuration of the internet-facing router to understand how to change it to provide internet access to those two hosts.
Hope to help,
Giuseppe
09-11-2010 03:07 AM
Thanks for your answer.
The gateway router to the internet (172.25.0.4) is a small router with NAT configured.
I cannot configure access lists on that router.
I can configure access lists only on the remote1 router (2801) and the central VPN router (2821).
Now all users can access the internet.
All users on remote1 should have full access to resources in the central site,
but I want to give internet access in remote1 only to users 172.25.2.10, 172.25.2.11, 172.25.2.12 and 172.25.2.13.
Please help.
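The two ACLs in this thread rely on IOS first-match semantics and wildcard masks, which are easy to get backwards (the deny in ACL 111 must precede the permits, and a wildcard only aggregates hosts that share a prefix). The following is an added example, not code from the thread: a small Python simulator of extended-ACL matching, run against Giuseppe's ACL 111 and against a candidate inbound filter for the 2801's LAN interface for the four-host case from the follow-up post. The filter named REMOTE1_LAN_IN, its placement on the 2801, and the public addresses 198.51.100.7 and 203.0.113.5 (RFC 5737 documentation ranges) are my assumptions; the 172.25.x.x addresses are the thread's.

```python
# Added example (not from the thread): a small simulator of Cisco IOS
# extended-ACL matching, used to check the NAT ACL from the reply above
# and a candidate LAN-side filter for the four-host follow-up question.
# Only "permit|deny ip <src> <dst>" entries are modelled. REMOTE1_LAN_IN and
# the public addresses 198.51.100.7 / 203.0.113.5 (RFC 5737 documentation
# ranges) are my assumptions, not something posted in the thread.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def _parse_spec(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str):
    """Parse one entry into (action, (src, src_wc), (dst, dst_wc)).

    Raises ValueError on trailing tokens, which is what catches the
    'host A.B.C.D 0.0.0.0' form from the first post: 'host' already implies
    a 0.0.0.0 wildcard, so IOS rejects an extra mask after it.
    """
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    src, rest = _parse_spec(rest)
    dst, rest = _parse_spec(rest)
    if rest:
        raise ValueError(f"trailing tokens {rest} in {line!r}")
    return action, src, dst


def acl_decision(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


# ACL 111 from the reply: the deny must come first so traffic from the two
# hosts to the 172.25.0.0/16 intranet is NOT translated; 0.0.0.1 as the
# source wildcard covers both .10 and .11 because they differ only in bit 0.
NAT_ACL_111 = [
    "deny ip 172.25.2.10 0.0.0.1 172.25.0.0 0.0.255.255",
    "permit ip host 172.25.2.10 any",
    "permit ip host 172.25.2.11 any",
]

# Assumed inbound filter on the 2801's LAN interface for the follow-up
# question: everyone may reach HQ, only .10-.13 may reach anything else.
# .10-.13 is not an aligned block, so it takes two entries (.10/.11 share
# a prefix, .12/.13 share another); 0.0.0.3 on .12 would also admit .14/.15.
REMOTE1_LAN_IN = [
    "permit ip 172.25.2.0 0.0.0.255 172.25.0.0 0.0.255.255",
    "permit ip 172.25.2.10 0.0.0.1 any",
    "permit ip 172.25.2.12 0.0.0.1 any",
]


def is_translated(src: str, dst: str) -> bool:
    """Would the HQ NAT router translate this flow under ACL 111?"""
    return acl_decision(NAT_ACL_111, src, dst) == "permit"


def is_forwarded(src: str, dst: str) -> bool:
    """Would the 2801 forward this flow under the assumed LAN-in filter?"""
    return acl_decision(REMOTE1_LAN_IN, src, dst) == "permit"


if __name__ == "__main__":
    for s, d in [("172.25.2.10", "172.25.0.100"), ("172.25.2.11", "198.51.100.7"),
                 ("172.25.2.12", "198.51.100.7")]:
        print(f"NAT 111 {s} -> {d}: translated={is_translated(s, d)}")
    for s, d in [("172.25.2.50", "172.25.0.100"), ("172.25.2.50", "203.0.113.5"),
                 ("172.25.2.13", "203.0.113.5"), ("172.25.2.14", "203.0.113.5")]:
        print(f"LAN-in  {s} -> {d}: forwarded={is_forwarded(s, d)}")
```

The simulator is only a reasoning aid for ordering and wildcard questions; it does not model VPN crypto ACLs, NAT order of operations, or the inside/outside interface roles, so confirm the result on the router with show access-lists counters and show ip nat translations.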
09-13-2010 02:51 AM
Hello,
can somebody please help?
Thanks in advance.