From: Joshua (joshualixin@gmail.com)
Date: Thu Aug 21 2008 - 16:39:52 ART
Hi,
I am trying to test site-to-site VPN on a stick. Unfortunately, I did not
get it to work. Please help!
Test Bed:
VPN router at Hub:
Public ip = 9.9.9.2
Default Gateway = 9.9.9.3
Internal ip = 10.10.50.2
Remote VPN Router:
Public IP = 8.8.8.2
Default Gateway = 8.8.8.3
Internal ip = 10.9.16.2
1. Simulate reachability via the Internet. VPN_Hub (9.9.9.2) can ping Remote_VPN (8.8.8.2).
2. The remote VPN site has split tunneling disabled, so all traffic will be routed to
VPN_Hub via the VPN tunnel;
3. I want traffic from source 10.9.16.0 to the Internet to take a U-turn when
it hits the VPN_Hub external interface;
4. Traffic from source 10.9.16.0 to the VPN_Hub LAN (10.10.50.0) won't be NATed.
VPN_Hub#sh run
Building configuration...
Current configuration : 3667 bytes
!
version 12.4
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname VPN_Hub
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
enable secret 5 $1$x/Gk$M/FPokj0Ael5nds.fhw1
!
no aaa new-model
!
resource policy
!
clock timezone MST-6
clock summer-time MDT recurring
ip subnet-zero
!
!
ip cef
!
!
no ip domain lookup
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key EKLRS2 address 8.8.8.2 <--- Remote VPN Public IP
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 8.8.8.2
set transform-set myset
match address 150
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0
description External Interface to Internet
ip address 9.9.9.2 255.255.255. <--- VPN_Hub Public IP
ip nat outside
ip virtual-reassembly
ip policy route-map VPN_Client
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1
description Internal Interface
ip address 10.10.50.2 255.255.255.0 <--- VPN_Hub LAN IP
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 9.9.9.3 <--- Default Gateway for Internet
!
no ip http server
ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
!
access-list 101 permit ip any any
access-list 144 permit ip 10.9.16.0 0.0.0.255 any <--- Remote VPN site LAN segment
access-list 150 permit ip any 10.9.16.0 0.0.0.255
snmp-server community ledcorsnmp RO
snmp-server enable traps tty
route-map VPN_Client permit 10
match ip address 144
set ip next-hop 1.1.1.1 <--- ??? What IP should I use here?
!
!
!
control-plane
!
!
!
line con 0
password 7 02050A1F035F354E
line aux 0
line vty 0 4
password 7 0459571B241C5A0B
login
transport input telnet ssh
line vty 5 15
no login
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
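An added example, not part of Joshua's post and not Cisco code, that checks one thing worth verifying in any config like the one above before chasing the policy-routing question: on IOS, a packet going inside-to-outside is translated by NAT before the crypto map is consulted, so a flow matched by both the NAT source ACL (here list 101, `permit ip any any`) and the crypto ACL (list 150) is NATed first and then no longer matches the tunnel's proxy identities. The usual fix is a `deny` for the tunnel traffic at the top of the NAT ACL. The script parses only numbered extended ACEs with protocol `ip` (an assumption that fits the posted config; tcp/udp ACEs and named ACLs are ignored), and the sample config is constructed from the relevant lines of the VPN_Hub config.

```python
"""Added example: check an IOS config for NAT / IPsec crypto-ACL overlap."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")
ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")
NAT_RE = re.compile(r"^ip nat inside source list (\S+)\s")
CRYPTO_RE = re.compile(r"^match address (\S+)")

# Constructed sample: the NAT and crypto lines copied from the VPN_Hub config.
SAMPLE_CONFIG = """\
crypto map mymap 10 ipsec-isakmp
 set peer 8.8.8.2
 match address 150
ip nat inside source list 101 interface FastEthernet0/0 overload
access-list 101 permit ip any any
access-list 144 permit ip 10.9.16.0 0.0.0.255 any
access-list 150 permit ip any 10.9.16.0 0.0.0.255
"""


def parse_endpoint(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from tokens; return an IPv4Network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    # ipaddress rejects a non-contiguous mask, which is the behaviour we want.
    return ipaddress.ip_network((tok, str(netmask)), strict=False)


def parse_config(text):
    """Return (acls, nat_lists, crypto_lists) from an IOS running-config."""
    acls, nat_lists, crypto_lists = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ACE_RE.match(line)):
            number, action, rest = m.groups()
            tokens = rest.split()
            src, dst = parse_endpoint(tokens), parse_endpoint(tokens)
            acls.setdefault(number, []).append((action, src, dst))
        elif (m := NAT_RE.match(line)):
            nat_lists.append(m.group(1))
        elif (m := CRYPTO_RE.match(line)):
            crypto_lists.append(m.group(1))
    return acls, nat_lists, crypto_lists


def nat_crypto_conflicts(text):
    """List crypto-ACL flows that the NAT ACL would translate before encryption."""
    acls, nat_lists, crypto_lists = parse_config(text)
    findings = []
    for nat in nat_lists:
        for cry in crypto_lists:
            for c_action, c_src, c_dst in acls.get(cry, []):
                if c_action != "permit":
                    continue
                # The first NAT ACE overlapping this tunnel flow decides its fate.
                for n_action, n_src, n_dst in acls.get(nat, []):
                    if not (c_src.overlaps(n_src) and c_dst.overlaps(n_dst)):
                        continue
                    covered = c_src.subnet_of(n_src) and c_dst.subnet_of(n_dst)
                    if n_action == "deny" and covered:
                        break  # tunnel flow is fully exempted from NAT
                    findings.append({
                        "nat_acl": nat, "crypto_acl": cry,
                        "flow": f"{c_src} -> {c_dst}",
                        "problem": ("translated before encryption" if n_action == "permit"
                                    else "only partly exempted from NAT"),
                    })
                    break
    return findings


def ios_endpoint(net):
    """Render an IPv4Network back in IOS address/wildcard syntax."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def apply_nat_exemptions(text):
    """Insert a 'deny' mirroring each crypto permit ahead of the NAT ACL's ACEs."""
    acls, nat_lists, crypto_lists = parse_config(text)
    out, done = [], set()
    for raw in text.splitlines():
        for nat in nat_lists:
            if nat not in done and raw.strip().startswith(f"access-list {nat} "):
                for cry in crypto_lists:
                    for action, src, dst in acls.get(cry, []):
                        if action == "permit":
                            out.append(f"access-list {nat} deny ip "
                                       f"{ios_endpoint(src)} {ios_endpoint(dst)}")
                done.add(nat)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in nat_crypto_conflicts(SAMPLE_CONFIG):
        print(f"NAT ACL {f['nat_acl']} vs crypto ACL {f['crypto_acl']}: "
              f"{f['flow']} {f['problem']}")
    print(apply_nat_exemptions(SAMPLE_CONFIG))
```

Run against the sample, the checker reports that list 101 translates the `any -> 10.9.16.0/24` tunnel flow before encryption, and `apply_nat_exemptions` emits `access-list 101 deny ip any 10.9.16.0 0.0.0.255` ahead of the existing permit, after which the check is clean. The same pass over the posted config is also a good moment to notice `line vty 5 15` with `no login` and telnet enabled, which should not survive into production.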
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:31 ART