Re: experiment with VPN [7:20482]

2001-09-19 Thread EA Louie

- Original Message -
From: "pat" 
To: 
Sent: Wednesday, September 19, 2001 7:35 PM
Subject: experiment with VPN [7:20482]


> I have the following VPN setup.
>
>
>
> R1 (E0=10.1.1.1/24 & S0=63.211.144.52/24)
> LAN1=10.1.1.0/24
>
> R2 (E0=10.1.2.1/24 & S0=63.211.154.52/24)
> LAN2=10.1.2.0/24
>
> R3 (E0=10.1.3.1/24 & S0=63.211.164.52/24)
> LAN3=10.1.3.0/24
>
>        R1
>        /\
>       /  \
>      /    \
>     /      \
>    R2      R3
>
>
>
> R1, R2, R3 connect to internet. Each has ip route
> 0.0.0.0 0.0.0.0 serial 0.
> LAN machines sitting on Ethernet of each router with
> 10. IPs connect to internet with router doing NAT.
>
> I am planning to set up site-site VPN between routers
>  R1-R2  &  R1-R3.
>
> Now LAN2 can talk to LAN1 & LAN3 can talk to LAN1.
>
> My question is, is it possible to make LAN2 talk to
> LAN3 without having
> a tunnel between R2 & R3?
>
> I want to do this by routing through R1. Is it
> possible? Has anybody done this? If yes, how?
>
1.  yes, it's possible.
2.  yes, I've done it
3.  by
   a.  setting your crypto access list on R1 to encrypt both LAN1 and LAN2 traffic to R3, and LAN1 and LAN3 traffic to R2.
   b.  making sure that your routing is set up properly so that LAN2 traffic to LAN3 is routed via R1 and vice versa.

also see
http://www.cisco.com/warp/public/707/ios_hub-spoke.html

> Thanks,
> pat
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20498&t=20482
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: experiment with VPN [7:20482]

2001-09-20 Thread pat

Louie,


I wonder how you can do this !!!

IPSec requires mirror image of access-list on either
side. But the way you are suggesting, we can't have
mirror image of access-lists







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20619&t=20482



Re: experiment with VPN [7:20482]

2001-09-20 Thread EA Louie

sure you can, you just have to think 'bigger subnets'

access-list 101 permit ip 10.1.0.0 0.0.3.255 10.1.0.0 0.0.3.255

Now tell me that you can't mirror that access list...

Your crypto maps will be different (different next-hop addresses), so using
the same access-list for both really is not a problem (although if you
wanted to, you could create two on R1, just in case the requirement ever
changed)





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20620&t=20482
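
Added example, not part of the original thread or of any poster's configuration: a small Python model of the crypto access lists discussed in steps 3a/3b of the first reply and of the summary `access-list 101` entry in the last reply. It checks the mirror-image property and shows which peer the hub R1 selects for a LAN2-to-LAN3 flow. Assumptions: crypto map entries are evaluated in sequence order with the first matching ACL winning, and the sequence numbers 10/20, the per-peer ACL lines, and the sample flow are constructed for illustration.

```python
import ipaddress

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_ace(line):
    """Parse 'permit ip SRC SRC_WILDCARD DST DST_WILDCARD' into four integers."""
    action, proto, src, swc, dst, dwc = line.split()
    if (action, proto) != ("permit", "ip"):
        raise ValueError("only 'permit ip' entries are modelled: " + line)
    return _ip(src), _ip(swc), _ip(dst), _ip(dwc)

def ace_matches(ace, src_ip, dst_ip):
    """Wildcard bits set to 1 are 'don't care' bits."""
    src, swc, dst, dwc = ace
    return (_ip(src_ip) | swc) == (src | swc) and (_ip(dst_ip) | dwc) == (dst | dwc)

def is_mirror(acl_a, acl_b):
    """True when acl_b is acl_a with source and destination swapped."""
    swapped = {(d, dw, s, sw) for s, sw, d, dw in map(parse_ace, acl_b)}
    return {parse_ace(l) for l in acl_a} == swapped

def select_peer(crypto_map, src_ip, dst_ip):
    """Return the peer of the lowest-sequence entry whose ACL matches, else None."""
    for _seq, peer, acl in sorted(crypto_map, key=lambda e: e[0]):
        if any(ace_matches(parse_ace(l), src_ip, dst_ip) for l in acl):
            return peer
    return None  # flow is not selected for IPsec

R2_PEER, R3_PEER = "63.211.154.52", "63.211.164.52"  # S0 addresses from the thread

# Hub (R1) with one crypto ACL per peer, as in steps 3a/3b (constructed lines).
HUB_PER_PEER = [
    (10, R2_PEER, ["permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255",
                   "permit ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255"]),
    (20, R3_PEER, ["permit ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255",
                   "permit ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255"]),
]
SPOKE_R2 = ["permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255",
            "permit ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255"]

# Hub with the single summary entry of access-list 101 on both map entries.
SUMMARY = ["permit ip 10.1.0.0 0.0.3.255 10.1.0.0 0.0.3.255"]
HUB_SHARED = [(10, R2_PEER, SUMMARY), (20, R3_PEER, SUMMARY)]

if __name__ == "__main__":
    flow = ("10.1.2.10", "10.1.3.10")  # constructed LAN2 -> LAN3 flow arriving at R1
    print("mirror per-peer:", is_mirror(HUB_PER_PEER[0][2], SPOKE_R2))
    print("mirror summary :", is_mirror(SUMMARY, SUMMARY))
    print("per-peer hub ->", select_peer(HUB_PER_PEER, *flow))
    print("shared hub   ->", select_peer(HUB_SHARED, *flow))
```

Under the first-match assumption, the per-peer lists send the LAN2-to-LAN3 flow to R3, while the shared summary list on both hub entries always selects the lowest-sequence peer, so a hub configured that way is worth verifying with the router's own IPsec SA counters.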