07-19-2009 08:07 AM - edited 03-04-2019 05:28 AM
If I set up a site-to-site VPN using two Cisco routers (one at each site), will users behind either router be able to access the Internet for general usage?
I ask because I know that some devices block all other traffic except traffic going over the VPN tunnel (they disable split-tunneling).
Please advise
07-19-2009 08:33 AM
Hello Sean,
it is a question of choices.
It is possible to provide concurrent internet access at the site.
The key point is to configure NAT so that traffic for the VPN is not translated.
So the NAT ACL usually contains a deny statement for the traffic to the other site.
To use an extended ACL you can invoke it inside a route-map that is then used in the NAT command.
! this site LAN: 10.10.10.0/24
! central site: 10.108.0.0/16
!
! NAT ACL: deny the site-to-site traffic so it is left untranslated, permit everything else
access-list 121 deny ip 10.10.10.0 0.0.0.255 10.108.0.0 0.0.255.255
access-list 121 permit ip 10.10.10.0 0.0.0.255 any
!
route-map selected_NAT permit 10
 match ip address 121
!
! overload (PAT to the WAN address) assumed; the original line was cut off after "int"
ip nat inside source route-map selected_NAT interface wan_x overload
!
interface wan_x
 ip nat outside
 crypto map My_VPN
!
interface f0/0
 ip nat inside
In some designs internet access is performed at central site to be able to apply web filtering also to remote site users.
In that case no NAT is configured at the remote sites, and a point-to-point GRE tunnel inside IPSec allows for this.
It is just enough to have
ip route 0.0.0.0 0.0.0.0 tunnel0
on the public interface you need a static route to reach the tunnel destination
Hope to help
Giuseppe
07-19-2009 08:58 AM
So, let me see if I understand.
The following:
access-list 121 deny ip 10.10.10.0 0.0.0.255 10.108.0.0 0.0.255.255
access-list 121 permit ip 10.10.10.0 0.0.0.255 any
, in conjunction with the route map, is telling the router to NAT all traffic UNLESS it is destined for the remote site network (which is accessible via the VPN).
Now, with the site-to-site connection, I could be exchanging routing tables via some routing protocol and all would work as normal, right?
Just so you know the context here, I am an aspiring engineer. I am consulting a medical practice that needs a network. They have three offices and I want to be able to propose a setup that would allow them to have all three offices connected using a VPN between them (so they don't have to purchase an alternative WAN service like Frame Relay). Each office has Internet locally.
So, I think this would work.
You?
07-19-2009 09:53 AM
Hello Sean,
thanks for your kind remarks.
yes what you want to do is possible with each site going to the internet independently.
For building a full mesh of VPN links you need to define two GRE tunnels on each device.
The crypto map can have two blocks one for each peer/remote site.
traffic to be encrypted:
GRE between hosts (GRE tunnels source and destination addresses).
you can use one ACL for each peer.
Hope to help
Giuseppe
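The two answers above describe the pieces (NAT exemption via a route-map, GRE tunnels protected by IPsec, one crypto map entry and one crypto ACL per peer) without showing them together. The following is an added example of one site of the three-office mesh, written for this page and not taken from the original posts. It keeps the names from the thread (ACL 121, route-map selected_NAT, crypto map My_VPN, LAN 10.10.10.0/24, central site 10.108.0.0/16) and assumes everything else: RFC 5737 documentation addresses for the public WAN interfaces, 10.20.20.0/24 for the third office, /30 tunnel subnets, GigabitEthernet interface names, and an IOS 15.x feature set for the AES/SHA-256 settings.

```cisco
! Site A of a three-site GRE-over-IPsec mesh (assumed addressing, documentation ranges).
! Public WAN: 192.0.2.1 (this site), 198.51.100.1 (central), 203.0.113.1 (third office)
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! One key per peer, bound to that peer's public address (placeholder value)
crypto isakmp key REPLACE_WITH_STRONG_PSK address 198.51.100.1
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.1
!
crypto ipsec transform-set TS_AES esp-aes 256 esp-sha256-hmac
 mode transport
!
! Traffic to encrypt: only the GRE packets between tunnel endpoints, one ACL per peer
access-list 101 permit gre host 192.0.2.1 host 198.51.100.1
access-list 102 permit gre host 192.0.2.1 host 203.0.113.1
!
! One crypto map with two entries, one per remote site
crypto map My_VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS_AES
 match address 101
crypto map My_VPN 20 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS_AES
 match address 102
!
! Two GRE tunnels, one to each remote site; MTU/MSS lowered for the GRE+ESP overhead
interface Tunnel0
 description GRE to central site (10.108.0.0/16)
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
interface Tunnel1
 description GRE to third office (10.20.20.0/24)
 ip address 172.16.0.5 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 192.0.2.1
 tunnel destination 203.0.113.1
!
! NAT exemption: Internet-bound traffic is translated, site-to-site traffic is not
access-list 121 deny   ip 10.10.10.0 0.0.0.255 10.108.0.0 0.0.255.255
access-list 121 deny   ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 121 permit ip 10.10.10.0 0.0.0.255 any
route-map selected_NAT permit 10
 match ip address 121
ip nat inside source route-map selected_NAT interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 description WAN (the "wan_x" of the thread)
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
 crypto map My_VPN
interface GigabitEthernet0/1
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! Default route to the ISP reaches both tunnel destinations; remote LANs go into the tunnels.
! The two statics can be replaced by a routing protocol running over Tunnel0/Tunnel1.
ip route 0.0.0.0 0.0.0.0 192.0.2.254
ip route 10.108.0.0 255.255.0.0 Tunnel0
ip route 10.20.20.0 255.255.255.0 Tunnel1
```

The two deny lines in ACL 121 are what keep the office-to-office traffic inside the tunnel: on IOS, inside-to-outside packets are routed, then translated, then checked against the crypto map, so anything that gets translated to the public address no longer matches the crypto ACL and would leave the WAN interface in the clear. With GRE the LAN traffic is routed into Tunnel0/Tunnel1 rather than straight out of the NAT-outside interface, so the denies are a safety net there, but they are mandatory if the same ACL is ever reused with a plain IPsec crypto map that matches the LAN subnets directly. The other two sites get the mirror-image configuration, each with its own pair of tunnels, crypto ACLs and NAT exemptions.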