11-12-2010 08:13 AM - edited 03-04-2019 10:27 AM
Hi,
I am trying to set up an environment where I want Vlans 1 and 2 to communicate with each other through inter-vlan routing.
Vlan 2 should be accessible through the VPN tunnel from the other end. There should however be no access to Vlan 1 through the VPN tunnel.
Finally I want both Vlan 1 and Vlan 2 to connect to the internet through another interface of the router.
R1 Se 0/0 1.1.1.1
R2 Se0/0 is 1.1.1.1
R1 Se0/1 2.2.2.2
R3 Se0/0 2.2.2.1
I have managed to implement an IPsec VPN between R1 and R2, and access to Vlan 2 from R2 is working fine and there is no access to Vlan 1 from R2.
However I am not able to connect to the internet from Vlan 1 and Vlan 2. Any suggestions welcome.
This is the config:
R1#sh run
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp key cisco address 1.1.1.2
!
!
crypto ipsec transform-set TXRX esp-3des esp-md5-hmac
!
crypto map MAP 1 ipsec-isakmp
 set peer 1.1.1.2
 set pfs group2
 set transform-set TXRX
 match address 101
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.1.6.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 10.2.16.1 255.255.255.0
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 1.1.1.1 255.255.255.0
 crypto map MAP
!
interface Serial0/0/1
 ip address 2.2.2.2 255.255.255.0
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 10.10.10.0 255.255.255.0 1.1.1.2
!
access-list 101 permit ip host 10.2.16.2 10.10.10.0 0.0.0.255
access-list 102 permit udp host 1.1.1.2 any eq isakmp
access-list 102 permit esp host 1.1.1.2 any
!
end
R2 config:
R2#sh run
hostname R2
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp key cisco address 1.1.1.1
!
!
crypto ipsec transform-set TXRX esp-3des esp-md5-hmac
!
crypto map MAP 1 ipsec-isakmp
 set peer 1.1.1.1
 set pfs group2
 set transform-set TXRX
 match address 101
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 1.1.1.2 255.255.255.0
 clock rate 1000000
 crypto map MAP
!
!
ip classless
ip route 10.2.16.0 255.255.255.0 1.1.1.1
!
!
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.2.16.0 0.0.0.255
access-list 102 permit udp host 1.1.1.1 any eq isakmp
access-list 102 permit esp host 1.1.1.1 any
end
R3 config is:
R3#sh run
Building configuration...
hostname R3
interface Serial0/0/0
 ip address 2.2.2.1 255.255.255.0
 clock rate 1000000
end
R3#
11-12-2010 12:41 PM
> BTW, what will happen to the already existing ACL 101 which is responsible for VPN traffic?
> access-list 101 permit ip host 10.2.16.2 10.10.10.0 0.0.0.255
Oops, sorry, missed that. You should use an unused ACL number for the NAT, between 100-199.
> Even if I configure L3 to perform inter-vlan routing, how will traffic be passing from the LAN to the internet and for VPN connectivity? Sorry, I'm a bit naive.
It's not that changing to L3 inter-vlan routing on the switch would make it work, it's just that if you have a L3 switch in your network it's usually better to use it for its intended purpose. If the amount of traffic between vlan 1 and vlan 2 is not that much then you can stick with what you have, but L3 switches generally provide much better throughput than equivalent routers, so the interface on the router you are using subinterfaces on could actually become a bottleneck between the 2 vlans.
But like I say, it may not be an issue for you.
Jon
11-12-2010 09:47 AM
Well, you are using 10.x.x.x addressing and you have no NAT set up, so none of your addressing will be routable on the Internet.
You need -
fa0/0.1
 ip nat inside
fa0/0.2
 ip nat inside
s0/0/1
 ip nat outside
access-list 101 permit ip 10.1.6.0 0.0.0.255 any
access-list 101 permit ip 10.2.16.0 0.0.0.255 any
ip nat inside source list 101 interface s0/0/1 overload
By the way, you have a L3 switch in your network, why are you using subinterfaces on your router and not using the L3 switch for inter-vlan routing?
Jon
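Putting Jon's NAT suggestion together with the accepted answer's point that the NAT ACL must not share number 101 with the crypto ACL, here is what the relevant part of R1's config could look like. This is an added example, not config from the thread or from Jon: it assumes ACL 110 is unused on R1, that R3 (2.2.2.1) is R1's next hop towards the Internet (the posted R1 config has no default route, so one is added here), and that Serial0/0/0 is deliberately left without ip nat outside so VPN traffic is never translated.

```cisco
! R1, added example (not from the thread). Assumes ACL 110 is free on R1
! and that R3 at 2.2.2.1 is the next hop towards the Internet.
!
! Crypto ACL 101 stays exactly as posted: only VPN-interesting traffic.
access-list 101 permit ip host 10.2.16.2 10.10.10.0 0.0.0.255
!
! NAT ACL with its own number. The deny line is a safeguard: VPN-bound
! traffic leaves via Serial0/0/0, which is not an "ip nat outside"
! interface, so it would not be translated anyway.
access-list 110 deny   ip 10.2.16.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 10.1.6.0 0.0.0.255 any
access-list 110 permit ip 10.2.16.0 0.0.0.255 any
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.1.6.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 10.2.16.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 ip address 1.1.1.1 255.255.255.0
 crypto map MAP
!
interface Serial0/0/1
 ip address 2.2.2.2 255.255.255.0
 ip nat outside
!
! Overload (PAT) both LAN subnets onto the Internet-facing interface.
ip nat inside source list 110 interface Serial0/0/1 overload
!
! Route to the remote VPN LAN (as posted) plus a default route, which the
! posted config lacks; without it non-10.x destinations have no next hop.
ip route 10.10.10.0 255.255.255.0 1.1.1.2
ip route 0.0.0.0 0.0.0.0 2.2.2.1
```

After applying this, `show ip nat translations` should list entries for LAN hosts reaching the Internet, and `show crypto ipsec sa` should still show encapsulated packets for the 10.10.10.0/24 flow. If the NAT permits had been added under number 101 instead, IOS would simply append them to the existing ACL 101, so the crypto map's `match address 101` would then treat every LAN flow as tunnel traffic rather than letting it be translated.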
11-12-2010 11:57 AM
Thanks for the reply.
BTW, what will happen to the already existing ACL 101 which is responsible for VPN traffic?
access-list 101 permit ip host 10.2.16.2 10.10.10.0 0.0.0.255
Even if I configure L3 to perform inter-vlan routing, how will traffic be passing from the LAN to the internet and for VPN connectivity? Sorry, I'm a bit naive.