
vaio338168
join:2005-09-22 Aston, PA
cisco 1720 site to site vpn help
Hi, I have two Cisco 1720s, flash version "c1700-bno3r2sy756i-mz.121-5.YB1.bin", IOS 12.1(5)YB1, 8 MB flash, 32 MB RAM, 10 Mbps WAN card.
I was trying to configure a site-to-site VPN between the two routers using two DSL lines. I was able to establish the VPN connection between the two routers; local traffic between the two networks works fine.
I would like to re-route all traffic (including internet) to the other site to be monitored and filtered. It seems like my access list only allows local traffic to pass through.
I can ping and trace IPs from the Cisco router, but it goes directly to the internet. Local workstations attached to the Cisco router cannot ping the internet, but can ping the other side of the local network.
Anyone have any idea? Thanks.
Here is my config file from one of the routers.
Current configuration : 1531 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
logging rate-limit console 10 except errors
enable password xxxxx
!
memory-size iomem 15
ip subnet-zero
!
no ip finger
ip name-server 151.197.0.39
!
ip audit notify log
ip audit po max-events 100
no ip dhcp-client network-discovery
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key xxxxx address xxx.xxx.xxx.xxx
!
crypto ipsec transform-set vpn-test esp-des esp-sha-hmac
!
crypto map static-map local-address Ethernet0
crypto map static-map 1 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set vpn-test
 match address vpn-static1
!
interface Tunnel1
 bandwidth 1536
 ip address 10.62.1.193 255.255.255.252
 tunnel source yyy.yyy.yyy.yyy
 tunnel destination xxx.xxx.xxx.xxx
 crypto map static-map
!
interface Ethernet0
 ip address yyy.yyy.yyy.yyy 255.255.255.0
 half-duplex
 crypto map static-map
!
interface FastEthernet0
 ip address 10.9.8.31 255.255.255.0
 speed auto
!
router eigrp 250
 redistribute static
 network 10.0.0.0
 network 172.16.0.0
 network 172.168.0.0
 auto-summary
 eigrp stub connected summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 yyy.yyy.yyy.1
no ip http server
!
ip access-list extended vpn-static1
 permit gre host yyy.yyy.yyy.yyy host xxx.xxx.xxx.xxx
!
line con 0
 transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end

Domwilko CCVP, CCNP, CCNA, CCDA
join:2002-03-02 UK
Hi,
Please can you post the config from both routers and if possible, put descriptions on each interface so we can tell which interface is connecting to where.
Once you've posted the configs, I'll take a look. I think there may be some issues with bringing in the traffic over the VPN tunnel and then trying to turn it around back out over the Internet if you only have 2 interfaces.
-- Domwilko - CCVP, CCNP, CCNA, CCDA

vaio338168
join:2005-09-22 Aston, PA
Hi
I think I have resolved the problem. Here is what I did:
Both routers have Ethernet 0 assigned a public static IP; then I created a virtual tunnel, GRE with IPsec. For the main office router, I route all traffic to my main gateway router, except tunneling traffic, which I give to the default gateway of the DSL in the main office.
Then in the branch office router, I did the same thing: give all tunnelling traffic to the default gateway of the DSL in the branch office, then give all other traffic the default gateway of the router in the main office, so that all traffic comes over the DSL line to the main office.
I've highlighted the code in bold to show how I was able to route all traffic from the branch office to the main office to be filtered before going to the internet again.
In addition, we have frame relay connected to the same site, so I used load balancing and the object tracking feature to aggregate the traffic between the two pipes, and it seems to be working well. At any given time, if one line goes down, all traffic will be routed to the other line, so it has increased the reliability.
Please help me verify whether there is a potential problem with this setup. Thanks.
Here is the working config.
Main office router
############################################################
Building configuration...

Current configuration : 1794 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Main_Office
!
boot-start-marker
boot-end-marker
!
enable password
!
no aaa new-model
memory-size iomem 20
!
ip cef
ip name-server 151.197.0.39
ip sla monitor 1
 type echo protocol ipIcmpEcho 10.62.1.194
 timeout 1000
 threshold 2
 frequency 3
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type echo protocol ipIcmpEcho 172.16.2.2
 timeout 1000
 threshold 2
 frequency 3
ip sla monitor schedule 2 life forever start-time now
!
track 123 rtr 1 reachability
!
track 456 rtr 2 reachability
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key mykey address xxx.xxx.xxx.23
!
crypto ipsec transform-set vpn-test esp-des esp-sha-hmac
!
crypto map static-map local-address Ethernet0
crypto map static-map 1 ipsec-isakmp
 set peer xxx.xxx.xxx.23
 set transform-set vpn-test
 match address vpn-static1
!
interface Tunnel1
 bandwidth 1536
 ip address 10.62.1.193 255.255.255.252
 tunnel source Ethernet0
 tunnel destination xxx.xxx.xxx.23
 crypto map static-map
!
interface Ethernet0
 ! DSL WAN INTERFACE
 ip address yyy.yyy.yyy.192 255.255.255.0
 half-duplex
 crypto map static-map
!
interface FastEthernet0
 ! LAN INTERFACE
 ip address 10.9.8.31 255.255.255.0
 speed auto
!
ip route 10.9.10.0 255.255.255.0 10.62.1.194 track 123
ip route 10.9.10.0 255.255.255.0 172.16.2.2 track 456
ip route 0.0.0.0 0.0.0.0 10.9.8.10
ip route xxx.xxx.xxx.23 255.255.255.255 yyy.yyy.yyy.1
ip route 172.16.2.0 255.255.255.0 10.9.8.10
no ip http server
no ip http secure-server
!
ip access-list extended vpn-static1
 permit gre host xxx.xxx.xxx.192 host yyy.yyy.yyy.23
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password xxxx
 login
!
end
###########################################################
Branch office config
Building configuration...
Current configuration : 3600 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Branch_office
!
boot-start-marker
boot-end-marker
!
enable secret 5
enable password 7
!
no aaa new-model
memory-size iomem 25
clock timezone Eastern -5
clock summer-time Eastern recurring
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.9.10.1 10.9.10.30
!
ip cef
ip name-server 10.9.8.15
ip sla monitor 1
 type echo protocol ipIcmpEcho 10.62.1.193
 timeout 1000
 threshold 2
 frequency 3
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type echo protocol ipIcmpEcho 172.16.2.1
 timeout 1000
 threshold 2
 frequency 3
ip sla monitor schedule 2 life forever start-time now
!
track 111 rtr 1 reachability
!
track 222 rtr 2 reachability
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key mykey address yyy.yyy.yyy.192
!
crypto ipsec transform-set vpn-test esp-des esp-sha-hmac
!
crypto map static-map local-address Ethernet0
crypto map static-map 20 ipsec-isakmp
 set peer yyy.yyy.yyy.192
 set transform-set vpn-test
 match address vpn-static2
!
interface Tunnel1
 bandwidth 1536
 ip address 10.62.1.194 255.255.255.252
 ip load-sharing per-packet
 tunnel source Ethernet0
 tunnel destination yyy.yyy.yyy.192
 crypto map static-map
!
interface Ethernet0
 ! DSL WAN INTERFACE AT BRANCH OFFICE
 ip address xxx.xxx.xxx.23 255.255.255.0
 half-duplex
 crypto map static-map
!
interface FastEthernet0
 ! LAN INTERFACE AT BRANCH OFFICE
 ip address 10.9.10.1 255.255.255.0
 ip load-sharing per-packet
 speed auto
!
router eigrp 250
 network 10.0.0.0
 network 172.16.0.0
 auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.62.1.193 track 111
ip route 0.0.0.0 0.0.0.0 172.16.2.1 track 222
ip route yyy.yyy.yyy.192 255.255.255.255 xxx.xxx.xxx.1
ip route 172.16.2.0 255.255.255.0 10.9.10.15
no ip http server
no ip http secure-server
!
ip access-list extended vpn-static2
 permit gre host xxx.xxx.xxx.23 host yyy.yyy.yyy.192
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password 7
 login
!
end
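A consistency check for the settings these two configs have to agree on (the IKE key address, the crypto map's `set peer`, the tunnel destination, and a GRE crypto ACL entry from the tunnel source's own address to that peer), added here as an example and not part of the thread. It runs on a constructed sample modelled on the main-office router, with RFC 5737 addresses in place of the xxx/yyy placeholders and the crypto ACL hosts in the same order as the main-office config above, so the check reports that entry; swapping the two hosts clears the finding.

```python
import re
# Constructed sample modelled on the thread's main-office config; RFC 5737 addresses replace xxx/yyy.
MAIN_OFFICE_CFG = """\
crypto isakmp key mykey address 203.0.113.23
 set peer 203.0.113.23
 match address vpn-static1
interface Tunnel1
 tunnel source Ethernet0
 tunnel destination 203.0.113.23
interface Ethernet0
 ip address 198.51.100.192 255.255.255.0
ip access-list extended vpn-static1
 permit gre host 203.0.113.192 host 198.51.100.23
"""
# Single-valued settings that must all name the same remote endpoint.
FIELDS = [("isakmp_peer", r"crypto isakmp key \S+ address (\S+)"),
          ("peer", r"set peer (\S+)"), ("crypto_acl", r"match address (\S+)"),
          ("tun_src", r"tunnel source (\S+)"), ("tun_dst", r"tunnel destination (\S+)")]
ADDR_RE = re.compile(r"ip address (\S+) \S+")
GRE_RE = re.compile(r"permit gre host (\S+) host (\S+)")
def parse(cfg):
    # Minimal IOS reader: a top-level line opens a stanza, indented lines belong to it.
    d = {"if_addr": {}, "acls": {}}
    cur_if = cur_acl = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            cur_if = cur_acl = None
            if line.startswith("interface "):
                cur_if = line.split()[1]
            elif line.startswith("ip access-list extended "):
                cur_acl = line.split()[-1]
        for key, rx in FIELDS:
            if (m := re.match(rx, line)):
                d[key] = m.group(1)
        if cur_if and (m := ADDR_RE.match(line)):
            d["if_addr"][cur_if] = m.group(1)
        if cur_acl and (m := GRE_RE.match(line)):
            d["acls"].setdefault(cur_acl, []).append((m.group(1), m.group(2)))
    return d
def check_gre_ipsec(cfg):
    # Findings where IKE peer, crypto-map peer, tunnel endpoints and the GRE ACL disagree.
    d = parse(cfg)
    remote = d.get("tun_dst")
    local = d["if_addr"].get(d.get("tun_src"), d.get("tun_src"))  # iface name -> address
    findings = []
    if not (d.get("isakmp_peer") == d.get("peer") == remote):
        findings.append("IKE key address, set peer and tunnel destination differ")
    if (local, remote) not in d["acls"].get(d.get("crypto_acl"), []):
        findings.append(f"crypto ACL lacks 'permit gre host {local} host {remote}'")
    return findings
```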