New Member

Two links one for Site-to-Site VPN and other for internet on same router configuration

Hi All,

I have 2 internet links, one ADSL and one leased line, terminated on the same router. I need to configure the ADSL for site-to-site VPN to HO, and the leased line for dedicated internet for all users.

My site IP subnet is 10.10.100.0/24 and the HO subnet is 10.1.0.0/24. Kindly find the attached config and advise whether this will be correct and work fine.

Thanks in Advance...

Shanil

Accepted Solutions

Re: Two links one for Site-to-Site VPN and other for internet on

Hi,

To me it looks like he has configured the route correctly:

   ip route 0.0.0.0 0.0.0.0 fastethernet4        -> for all traffic to internet.

   ip route 10.1.0.0 255.255.255.0 Dialer1     -> for vpn traffic to HO.

The public_IP_HO should be set under the crypto map using the set peer command.

What I would like to add is the hash attribute on the isakmp policy; you can choose between sha/md5 or whatever is available on your device. Make sure that the isakmp policy matches your HO's isakmp policy.

The other thing is the ACL for internet. Maybe you want to consider changing the deny statement if you want to deny traffic only to your HO. Currently it is saying to deny traffic from 10.10.100.0 to the whole 10.0.0.0 network, not to the 10.1.0.0 network (HO network).

HTH,

8 REPLIES
New Member

Re: Two links one for Site-to-Site VPN and other for internet on

Hi,

In the current configuration, traffic to the HO is directed to the FastEthernet4 interface. This is incorrect.

You have to specify a static route to the branch HO over the Dialer interface.

Add the route:

ip route public_IP_HO 255.255.255.255 Dialer1

After this fix it should work correctly.

________________
Best regards,
MB

New Member

Re: Two links one for Site-to-Site VPN and other for internet on

Thank you

New Member

Re: Two links one for Site-to-Site VPN and other for internet on

Thank you Rudy, and I think I need to add a route to the public IP of HO through the Dialer, as pointed out by MB.

Shanil

Re: Two links one for Site-to-Site VPN and other for internet on

Hi Shanil,

The route to the public IP of HO is included in the second ip route statement. That ip route means that all traffic destined to the 10.1.0.0/24 subnet will be forwarded through the Dialer1 interface. You can try adding another ip route to the public IP of HO; probably the device will reject the command, saying that the route already exists.

HTH,

New Member

Re: Two links one for Site-to-Site VPN and other for internet on

Hi Rudy,

That means I have 2 static routes currently: one default route for internet and one for the HO subnet for VPN. If I add a route to the public IP of HO through Dialer1, will it not take it?

ip route 0.0.0.0 0.0.0.0 fastethernet4

ip route 10.1.0.0 255.255.255.0 Dialer1

ip route 4.4.4.4 255.255.255.255 Dialer1 --> will it reject this route?

And is the route to the public IP of HO through Dialer1 a must? Otherwise the VPN will not come up?

Thanks

Shanil

Re: Two links one for Site-to-Site VPN and other for internet on

Hi Shanil,

Sorry, MB is correct, you will need to add an ip route for the public IP of HO as well. I was for some reason thinking that the public IP address of HO is 10.1.0.1, my bad.

It will not reject ip route 4.4.4.4 255.255.255.255 Dialer1.

Basically, you will need to have a connectivity to the public ip of HO before the VPN can work.

HTH,
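
Added example, not part of any post in this thread: a longest-prefix-match lookup over the routes quoted above, showing why packets addressed to the HO public IP leave via FastEthernet4 until the /32 route is added. It assumes the crypto map is applied on Dialer1 and uses 4.4.4.4, the thread's stand-in peer address; `egress`, `check` and the sample host addresses are constructed for illustration.

```python
import ipaddress

# Routes quoted in the thread; 4.4.4.4 is the thread's stand-in for the HO public IP.
BEFORE = [("0.0.0.0/0", "FastEthernet4"), ("10.1.0.0/24", "Dialer1")]
AFTER = BEFORE + [("4.4.4.4/32", "Dialer1")]
VPN_IFACE = "Dialer1"  # assumption: the crypto map is applied on the ADSL dialer


def egress(routes, dst):
    """Longest-prefix match: return the interface for dst, or None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(prefix), iface)
               for prefix, iface in routes
               if addr in ipaddress.ip_network(prefix)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def check(routes, peer, ho_host, internet_host):
    """Report where each traffic class leaves the router and flag misrouting."""
    result = {
        # Cleartext traffic from 10.10.100.0/24 to the HO subnet.
        "inner_to_ho": egress(routes, ho_host),
        # Packets addressed to the HO peer itself (IKE negotiation, tunnel packets).
        "outer_to_peer": egress(routes, peer),
        # Ordinary user traffic to the internet.
        "internet": egress(routes, internet_host),
    }
    # The tunnel only rides the VPN link if both lookups pick that interface.
    result["tunnel_uses_vpn_link"] = (
        result["inner_to_ho"] == VPN_IFACE
        and result["outer_to_peer"] == VPN_IFACE
    )
    return result


if __name__ == "__main__":
    # Constructed sample hosts: one in the HO subnet, one documentation address.
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, check(table, "4.4.4.4", "10.1.0.10", "198.51.100.7"))
```

The 10.1.0.0/24 route does not contain 4.4.4.4, so the host route is a new entry rather than a duplicate, and user internet traffic stays on FastEthernet4 in both tables.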

New Member

Re: Two links one for Site-to-Site VPN and other for internet on

Thank you Rudy and MB...
Shanil

Sent from Cisco Technical Support iPhone App
