Multiple VPNs on Cisco 837
Hi,
This post isn't related to CCNP but I thought it would be best suited here due to its content.
We have two offices that have bog standard ADSL in them with a Cisco 837 router. Each office has a static IP and the router does NAT for the users at each office.
I would like to achieve the following objectives without purchasing additional equipment (if possible).
i) Create a router-to-router VPN to link the offices;
ii) Allow mobile users to VPN in to access resources on the internal networks.
The first point I have managed to do - the link is up and I can ping devices at the other site. Is the router able to perform these functions together or am I going to have to purchase additional equipment?
Thanks in advance.
Regards,
CCNA R&S; CCNP R&S
Comments
-
networker050184 Mod Posts: 11,962
You should be able to do both as far as I know, but not sure what kind of processor hit you would take with both.
An expert is a man who has made all the mistakes which can be made.
-
shednik Member Posts: 2,005
networker050184 wrote: »You should be able to do both as far as I know, but not sure what kind of processor hit you would take with both.
Yes, that should work just fine. I just wouldn't want to have too many people VPN in on a smaller router such as that... with many tunnels terminating on a smaller router I can see that pegging quickly. If you have multiple IPs I would maybe invest in another router or a VPN concentrator, but it depends on the number of remote users. And what kind of internet link are you running this on?
-
aquilla Member Posts: 148
Hi Networker,
Right after some further searching and reading on Cisco I have tried using VTI (Virtual Tunnel Interfaces). I have a tunnel interface setup on each router and can access devices on LAN at site 2 from site 1 :-
Site 1 = 10.0.1.0 /24
Site 2 = 10.0.0.0 /24
C:\Users\Stuart>tracert 10.0.0.251
Tracing route to 10.0.0.251 over a maximum of 30 hops
1 1 ms 1 ms 1 ms 10.0.1.254
2 55 ms 62 ms 61 ms 10.254.0.2
3 60 ms 65 ms 66 ms 10.0.0.251
Trace complete.
This document on cisco.com helped a lot:
IPSec Virtual Tunnel Interface - Cisco Systems
My next step is to get VPN access sorted for mobile users.
-
aquilla Member Posts: 148
shednik wrote: »Yes, that should work just fine. I just wouldn't want to have too many people VPN in on a smaller router such as that... with many tunnels terminating on a smaller router I can see that pegging quickly. If you have multiple IPs I would maybe invest in another router or a VPN concentrator, but it depends on the number of remote users. And what kind of internet link are you running this on?
Hi,
The offices are small (less than six at each site) hence the basic connection and routers. There will only be a couple of people VPN'ing in at most.
-
networker050184 Mod Posts: 11,962
To allow the VPN clients to connect you can just set up an "easy" VPN server.
-
aquilla Member Posts: 148
networker050184 wrote: »To allow the VPN clients to connect you can just set up an "easy" VPN server.
Hi Networker,
Something I am about to look at now.
Thanks,
-
gojericho0 Member Posts: 1,059
Check this link out as well to create isakmp profiles to distinguish your site-to-site and remote vpn connections
ISAKMP Profile Overview [Cisco IOS IPsec] - Cisco Systems
-
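Added example, not part of the original thread or of the Cisco document: one way to use ISAKMP profiles, as suggested above, so the Site 1 router tells the fixed site-to-site peer apart from mobile Easy VPN clients. The peer address, all names, the address pool, the interface names and every <...> secret are assumptions, and it presumes an IOS image with ISAKMP profile and VTI support.

```cisco
! Added example for the Site 1 router (LAN 10.0.1.0/24). Names, 203.0.113.2,
! the 10.0.2.0/24 pool, Dialer0/Tunnel0 and every <...> value are placeholders.
! Note: "aaa new-model" also changes how console/vty logins are authenticated.
aaa new-model
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUP local
username mobile1 secret <per-user-password>
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
! Site-to-site: key bound to the one peer address, not a 0.0.0.0 wildcard
crypto keyring SITE2-KEYS
 pre-shared-key address 203.0.113.2 key <site-to-site-psk>
crypto isakmp profile SITE-TO-SITE
 keyring SITE2-KEYS
 match identity address 203.0.113.2 255.255.255.255
!
! Mobile users: group key plus per-user Xauth, addresses from a local pool
ip local pool VPN-POOL 10.0.2.1 10.0.2.10
access-list 110 permit ip 10.0.1.0 0.0.0.255 any
crypto isakmp client configuration group MOBILE
 key <group-psk>
 pool VPN-POOL
 acl 110
crypto isakmp profile REMOTE-ACCESS
 match identity group MOBILE
 client authentication list VPN-XAUTH
 isakmp authorization list VPN-GROUP
 client configuration address respond
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
! The site-to-site VTI's IPsec profile names the site-to-site ISAKMP profile
crypto ipsec profile VTI-PROF
 set transform-set AES-SHA
 set isakmp-profile SITE-TO-SITE
interface Tunnel0
 tunnel protection ipsec profile VTI-PROF
!
! Remote access terminates on a dynamic crypto map on the WAN interface
crypto dynamic-map MOBILE-DYN 10
 set transform-set AES-SHA
 set isakmp-profile REMOTE-ACCESS
 reverse-route
crypto map WAN-MAP 65000 ipsec-isakmp dynamic MOBILE-DYN
interface Dialer0
 crypto map WAN-MAP
```

Because the router also does NAT for the office, traffic from the LAN to the client pool has to be excluded from the NAT access list, otherwise replies to mobile users are translated before they reach the tunnel.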
Panzer919 Member Posts: 462
This is what I use to create EZVPN links
conf t
! Easy VPN Remote (client) profile; text in parentheses is a placeholder
crypto ipsec client ezvpn (Company Name)
 connect auto
 ! group name and pre-shared key are placeholders; they must match the server's group
 group EzVPN key EzVPN
 local-address loopback0
 ! or: mode client
 mode network-extension
 peer (IP Address of EzVPN server)
! DHCP for the inside LAN
ip dhcp pool dhcpPool
 network 192.168.0.0 255.255.255.0
 dns-server 24.29.1.218 24.29.1.219
 default-router 192.168.0.1
 lease 0 16
 exit
ip dhcp excluded-address 192.168.0.1
interface loopback 0
 ip address (Public IP Address) 255.255.255.255
! (Name) is the same profile name as (Company Name) above
interface Ethernet 0
 ip address 192.168.0.1 255.255.255.0
 crypto ipsec client ezvpn (Name) inside
interface (outgoing int)
 crypto ipsec client ezvpn (Name)
 exit
! or whatever routing protocol you are using
router rip
 passive-interface loopback0
 passive-interface ethernet0
 distribute-list 50 out (outgoing int) 0
 exit
access-list 50 permit (Public IP Address) 0.0.0.0
exit
Cisco Brat Blog
I think “very senior” gets stuck in there because the last six yahoos that applied for the position couldn’t tell a packet from a Snickers bar.
Luck is where opportunity and proper planning meet
I have not failed. I've just found 10,000 ways that won't work.
Thomas A. Edison
-
aquilla Member Posts: 148
Hi Guys,
Just wanted to say thanks for the help guys. Now have everything up and running.