Allow Cisco VPN client pool down a site-to-site VPN

Discussion in 'Cisco' started by tweety, Jul 29, 2008.

  1. tweety

    tweety Guest

    Hi there,

    I was wondering if the following is possible?


    I am terminating a VPN client (pool 10.10.10.0/24) onto router A
    and allowing access to 192.168.100.0/24, which is router A's local
    LAN. Router A also has a site-to-site VPN to router B, from
    net 192.168.100.0/24 to 192.168.200.0/24. This is as follows:


    Remote Client 10.10.10.0 /24
    |
    |
    192.168.100.0 /24
    |
    |
    |
    Router A
    |
    |
    |
    Router B
    |
    |
    |
    192.168.200.0 /24


    Is there any way that the remote client would be able to go down the
    site-to-site VPN and see Router B's LAN?


    I am looking for the remote clients to be able to access resources on
    Router B's LAN.


    Thanks for any help or pointers anyone can provide.


    Andrew
    tweety, Jul 29, 2008
    #1

  2. tweety

    tweety Guest

    On Jul 29, 8:48 pm, Artie Lange <> wrote:
    > Artie Lange wrote:
    >
    > > From router A:
    > >
    > > ip route 192.168.200.0/24 <IP of RouterB> ?
    >
    > Should be
    >
    > ip route 192.168.200.0/24 <IP router A that knows how to get to B>
    >
    > In that scenario, the VPN client would forward the packet to the router
    > A that in turn would have a route to router B....


    Hi guys, I appreciate the quick answers :)

    However, I would then need to make sure the client pool would not NAT
    going from router A to router B?
    tweety, Jul 29, 2008
    #2

  3. News Reader

    News Reader Guest

    tweety wrote:
    > On Jul 29, 8:48 pm, Artie Lange <> wrote:
    >> Artie Lange wrote:
    >>
    >>> From router A:
    >>> ip route 192.168.200.0/24 <IP of RouterB> ?
    >>
    >> Should be
    >>
    >> ip route 192.168.200.0/24 <IP router A that knows how to get to B>
    >>
    >> In that scenario, the VPN client would forward the packet to the router
    >> A that in turn would have a route to router B....
    >
    > Hi guys, I appreciate the quick answers :)
    >
    > However, I would then need to make sure the client pool would not NAT
    > going from router A to router B?


    It sounds like the RAVPN and site-to-site VPN are terminated on the same
    interface of Router A.

    Since traffic between the RAVPN Client and Router B's internal network
    is not transiting from an "ip nat inside" to an "ip nat outside"
    interface on Router A, I don't see NAT as a concern on Router A.

    However, traffic returning from Router B's internal network to the RAVPN
    Client would need to be exempted from NAT on Router B.

    This traffic would also have to be included in the crypto ACLs of both
    routers.

    Best Regards,
    News Reader
    News Reader, Jul 29, 2008
    #3
  4. tweety

    tweety Guest

    On Jul 29, 9:17 pm, News Reader <> wrote:
    > tweety wrote:
    > > On Jul 29, 8:48 pm, Artie Lange <> wrote:
    > >> Artie Lange wrote:
    > >>
    > >>> From router A:
    > >>> ip route 192.168.200.0/24 <IP of RouterB> ?
    > >>
    > >> Should be
    > >>
    > >> ip route 192.168.200.0/24 <IP router A that knows how to get to B>
    > >>
    > >> In that scenario, the VPN client would forward the packet to the router
    > >> A that in turn would have a route to router B....
    > >
    > > Hi guys, I appreciate the quick answers :)
    > >
    > > However, I would then need to make sure the client pool would not NAT
    > > going from router A to router B?
    >
    > It sounds like the RAVPN and site-to-site VPN are terminated on the same
    > interface of Router A.
    >
    > Since traffic between the RAVPN Client and Router B's internal network
    > is not transiting from an "ip nat inside" to an "ip nat outside"
    > interface on Router A, I don't see NAT as a concern on Router A.
    >
    > However, traffic returning from Router B's internal network to the RAVPN
    > Client would need to be exempted from NAT on Router B.
    >
    > This traffic would also have to be included in the crypto ACLs of both
    > routers.
    >
    > Best Regards,
    > News Reader


    Yes, it is a remote access VPN to one router, then I want that pool to
    be able to see a device at the other end of a site-to-site.

    Ahhh, I'm beginning to follow you, thanks for the help, so do the static
    routes still apply?

    Are there any docs you could suggest? I've been trying to find some, but my
    eyes are sore from looking :)

    All the help is appreciated.
    tweety, Jul 29, 2008
    #4
  5. News Reader

    News Reader Guest

    tweety wrote:
    >
    > Yes, it is a remote access VPN to one router, then I want that pool to
    > be able to see a device at the other end of a site-to-site.
    >
    > Ahhh, I'm beginning to follow you, thanks for the help, so do the static
    > routes still apply?


    Not sure they are necessary (in your scenario), given that you wouldn't
    have default routes pointing further into your LAN at either end. Some
    admins configure RAVPN Clients without split-tunneling, and successfully
    route client traffic to/from the Internet via the tunnel-termination
    interface.

    I would expect the traffic to match the crypto ACL as it is forwarded
    back out the external interface (due to your default route), and be
    forwarded to the crypto peer.

    However, I have not verified this.

    >
    > Are there any docs you could suggest? I've been trying to find some, but my
    > eyes are sore from looking :)


    I've not looked.

    >
    > All the help is appreciated.
    >


    You'd need to be sure that:

    - The external interface ACLs on the routers permit the correct
    encapsulated IP addresses (i.e.: include RAVPN pool addresses).

    e.g.:

    RAVPN pool addresses --> LAN B address space, on Router B
    RAVPN pool addresses <-- LAN B address space, on Router A

    - The internal interface ACL on Router B permits traffic from the
    internal address space to the RAVPN pool addresses.

    - If a split-tunneling ACL is configured for the RAVPN Client, that it
    includes LAN B address space, otherwise it won't be encapsulated.

    Best Regards,
    News Reader
    News Reader, Jul 30, 2008
    #5
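    As an added illustration of the checklist above (not configuration from the thread or from any of its posters), here is one way the pieces could fit together on IOS routers A and B. The address blocks are the thread's; the ACL, pool, group, crypto map and interface names are assumed, the transform set TS is assumed to be defined elsewhere, and the peer addresses and pre-shared key are placeholders.

```cisco
! ===== Router A: RAVPN headend and site-to-site peer =====
! Pool handed to VPN clients (addresses from the thread).
ip local pool RAVPN-POOL 10.10.10.1 10.10.10.254
!
! Split-tunnel ACL pushed to the client: LAN B must be listed here,
! or client traffic to 192.168.200.0/24 is never sent into the tunnel.
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 192.168.200.0 0.0.0.255 any
!
crypto isakmp client configuration group RAVPN-GROUP
 key <PRESHARED-KEY-PLACEHOLDER>
 pool RAVPN-POOL
 acl SPLIT-TUNNEL
!
! Crypto ACL for the A<->B tunnel: the RAVPN pool rides alongside LAN A,
! so decrypted client packets bound for LAN B are re-encrypted towards B.
ip access-list extended CRYPTO-TO-B
 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 192.168.200.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer <ROUTER-B-PUBLIC-IP-PLACEHOLDER>
 set transform-set TS
 match address CRYPTO-TO-B
!
! ===== Router B: site-to-site peer =====
! Mirror of the crypto ACL above: LAN B to LAN A and to the pool.
ip access-list extended CRYPTO-TO-A
 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.200.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! NAT exemption: the deny lines must come before the permit, so replies
! to the pool keep their real 192.168.200.x source and match the crypto
! ACL instead of being PATed to the outside address.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.200.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.200.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
! Outside-interface ACL on B: besides ISAKMP/ESP from A, the decrypted
! packets are checked too, so the pool -> LAN B flow must be permitted.
ip access-list extended OUTSIDE-IN
 permit udp host <ROUTER-A-PUBLIC-IP-PLACEHOLDER> any eq isakmp
 permit esp host <ROUTER-A-PUBLIC-IP-PLACEHOLDER> any
 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 192.168.200.0 0.0.0.255
```

    The inside-interface ACL on Router B from the checklist (LAN B to the pool) and the ip access-group / crypto map bindings on the interfaces are left out for brevity; the same pool-aware entries apply there.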