
OK Site-2-Site VPN, but unable to access the internet

lcolimoro
Level 1

I built a Site-to-Site VPN between the headquarters and a remote site. The network traffic must be encrypted when it goes across the commercial leased line, which is considered an untrusted medium.

The network traffic for the Internet generated by the hosts of the remote site is transparently proxied by the firewall located at the HQ. Unfortunately, the traffic from and to the Internet is not working for the remote site hosts. The intranet network traffic works.

Cisco strongly discourages the use of the keyword "any" in the crypto access list, but how can I tell the routers to encrypt the IP traffic where the source address is unknown?

Can you help me on this?

(I use the following routers: 7206VXR with VAM2 and cisco 2891 with AIM)


peter.rowe
Level 1

I may be wrong here, but shouldn't NAT take care of that for you - have you adjusted your NAT to translate addresses from both the HQ and the remote site?

jackko
Level 7

No extra configuration should be needed for remote site browsing via the HQ proxy. Providing the remote site can ping the proxy, and the proxy can browse the internet, there shouldn't be any drama.

Please post the entire config of both routers for further assistance.

haris.cisco
Level 1

hi,

try to tunnel out the encrypted traffic by using the split tunnelling option

use an ACL to specify the traffic to be passed through the tunnel, then

use the command "split-tunnel acl name"

please post if it helps

regards

haris

Thanks to a Cisco engineer, who told me the solution because he had a similar problem. He told me to build the VPN using the tunnel interface, and to issue the following command lines on the tunnel interfaces at both sites:

interface Tunnel 0
 ip mtu 1300
 ip tcp adjust-mss 1400

This config works for my environment
