04-20-2010 02:18 AM - edited 02-21-2020 04:36 PM
Hi all,
I have a problem redirecting the Internet traffic of my remote site to the main site via the IPsec VPN tunnel. The remote site has a Cisco 2801 router with IOS c2800nm-advipservicesk9-mz.124-22.T and the remote site has IOS C870-ADVSECURITYK9-M, Version 12.4(15)T12, RELEASE SOFTWARE (fc3). This redirection doesn't work, and the last hop of an extended traceroute from the remote site is the WAN IP of the main site.
Is there anyone who can help me set up this redirection through the VPN correctly?
Config file of the remote site:
crypto isakmp policy 8
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key dgsn2010 address 41.223.X.X
!
!
crypto ipsec transform-set vpn esp-3des
!
crypto map vpndgsn 10 ipsec-isakmp
 description TO HQ
 set peer 41.223.X.X
 set transform-set vpn
 match address VPNHQ
!
interface FastEthernet0
 ip address 41.223.X.X 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 duplex auto
 speed auto
 crypto map vpndgsn
!
interface FastEthernet4
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 41.223.X.X
ip access-list extended VPNHQ
 permit ip 192.168.11.0 0.0.0.255 any
!
Config file of the main site:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key dgsn2010 address 41.223.X.X
!
!
crypto ipsec transform-set vpn esp-3des
!
crypto map vpncreo 10 ipsec-isakmp
 description TO bastos
 set peer 41.205.X.X
 set transform-set vpn
 match address 110
!
interface FastEthernet0/0
 description TO WAN
 ip address 41.223.X.X 255.255.255.240
 ip nat outside
 ip tcp adjust-mss 1492
 crypto map vpncreo
!
interface FastEthernet0/1
 description TO LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 41.223.31.241
access-list 110 permit ip any 192.168.11.0 0.0.0.255
ip access-list extended NAT
 ! the trailing "any" on this deny entry is not valid ACL syntax and has been dropped
 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.11.0 0.0.0.255 any
!
04-20-2010 03:28 AM
You would need to configure policy-based routing to a loopback so that NAT can be invoked on the main site.
Here is a sample configuration for your reference:
Also, make sure that you are not doing any NATting at your remote end, i.e. you would need to configure NAT exemption for all traffic from 192.168.11.0/24 to any (Internet).
Hope that helps.
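The loopback hairpin the answer describes, written out for the HQ 2801 as an added example (this is neither the answer's linked sample configuration nor the poster's running config). It reuses the thread's addressing; the names HAIRPIN-TRAFFIC and HAIRPIN-INTERNET and the 10.10.11.0/30 loopback subnet are assumptions.

```cisco
! Added example: hairpin the remote LAN (192.168.11.0/24) out to the Internet at HQ.
! Interface names and addresses are the ones in the thread; the loopback subnet and
! the ACL/route-map names are assumed.
!
! 1. A NAT-inside loopback. Decrypted packets policy-routed to 10.10.11.2 (an unused
!    address on this connected /30) are looped back in through this interface, so
!    "ip nat inside" sees them and they are PATed behind Fa0/0 on the way out.
interface Loopback0
 ip address 10.10.11.1 255.255.255.252
 ip nat inside
!
! 2. Only remote-LAN traffic that is NOT for the HQ LAN is hairpinned; traffic to
!    192.168.10.0/24 keeps its normal path and stays untranslated.
ip access-list extended HAIRPIN-TRAFFIC
 deny   ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 any
!
route-map HAIRPIN-INTERNET permit 10
 match ip address HAIRPIN-TRAFFIC
 set ip next-hop 10.10.11.2
!
! 3. Apply PBR on the crypto-map interface; it is evaluated on packets after decryption.
interface FastEthernet0/0
 ip policy route-map HAIRPIN-INTERNET
!
! 4. NAT ACL: HQ->remote must stay untranslated so it still matches crypto ACL 110,
!    while the hairpinned remote LAN must be translated. On the remote 870 the crypto
!    ACL stays "permit ip 192.168.11.0 0.0.0.255 any" and there is no
!    "ip nat inside source" statement, so nothing is translated before encryption.
ip access-list extended NAT
 deny   ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.11.0 0.0.0.255 any
!
! Checks (operator commands, no output from the thread is assumed):
!   show ip nat translations        - remote-LAN flows should show Fa0/0's address as inside global
!   show route-map HAIRPIN-INTERNET - the policy-routing match counter should increase
```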
04-23-2010 09:42 AM
Hi Alijenn,
Thanks for your reply!
I've applied the config to my network design and everything is working well!
These are the config files for the main and remote sites:
Main site:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key dgsn2010 address 41.223.X.X
crypto isakmp key dgsn2010 address 41.205.X.X
crypto isakmp key dgsn2010 address 41.205.X.X
crypto isakmp key dgsn2010 address 41.205.X.X
!
!
crypto ipsec transform-set vpn esp-3des
!
crypto map vpncreo 10 ipsec-isakmp
 description TO bastos
 set peer 41.205.X.X
 set transform-set vpn
 match address 110
!
! Sequence numbers 20-40 below are assumed: the post showed all four entries as
! "vpncreo 10", which IOS would treat as one entry rather than four.
crypto map vpncreo 20 ipsec-isakmp
 description TO bastos
 set peer 41.205.X.X
 set transform-set vpn
 match address 120
!
crypto map vpncreo 30 ipsec-isakmp
 description TO bastos
 set peer 41.205.X.X
 set transform-set vpn
 match address 130
!
crypto map vpncreo 40 ipsec-isakmp
 description TO bastos
 set peer 41.205.X.X
 set transform-set vpn
 match address 140
!
interface FastEthernet0/0
 description TO WAN
 ip address 41.223.x.x 255.255.255.240
 ip nat outside
 ip policy route-map VPN-remote
 ip tcp adjust-mss 1300
 ip policy route-map VPN-INTERNET2
 crypto map vpncreo
!
interface FastEthernet0/1
 description TO LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip policy route-map VPN-INTERNET
 duplex auto
 speed auto
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 41.223.x.x
ip route 10.10.11.0 255.255.255.0 41.223.x.x
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip any 192.168.100.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 120 permit ip any 192.168.12.0 0.0.0.255
access-list 130 permit ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 130 permit ip any 192.168.13.0 0.0.0.255
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 140 permit ip any 192.168.14.0 0.0.0.255
access-list 144 permit ip 192.168.100.0 0.0.0.255 any
ip access-list extended NAT
 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 192.168.14.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 192.168.11.0 0.0.0.255 any
 permit ip 192.168.12.0 0.0.0.255 any
 permit ip 192.168.13.0 0.0.0.255 any
!
route-map VPN-remote permit 10
 match ip address 144
 set ip next-hop 10.10.11.2
!
Remote site:
crypto isakmp policy 8
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key dgsn2010 address 41.223.X.X
!
!
crypto ipsec transform-set vpn esp-3des
!
crypto map vpndgsn 10 ipsec-isakmp
 description TO HQ
 set peer 41.223.X.X
 set transform-set vpn
 match address VPNHQ
!
interface FastEthernet4
 ip address 41.223.X.X 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 duplex auto
 speed auto
 crypto map vpndgsn
!
interface FastEthernet0
 ip address 192.168.100.1 255.255.255.0
 no ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 41.223.x.x
ip access-list extended VPNHQ
 permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 any
!
04-23-2010 03:55 PM
Perfect...