Hi Steven. This is how I configure IOS Routers for the type of VPN you are speaking of:
[Router A]

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key $pre-share-key$ address 212.43.231.65
!
!
crypto ipsec transform-set transformset-1 esp-des esp-md5-hmac
!
crypto map crypto-map local-address BRI0
crypto map crypto-map 10 ipsec-isakmp
 set peer 212.43.231.65
 set transform-set transformset-1
 match address 100
!
E0
 ip address 10.1.0.1/24
 ip nat inside
!
BRI0 or Dialer1
 ip address 194.222.124.232/?
 ip access-group 102 in
 ip nat outside
 crypto map crypto-map
!
ip nat pool C2500-A-natpool 194.222.124.232 194.222.124.233 netmask 255.255.255.?
ip nat inside source route-map nonat pool C2500-A-natpool overload
ip classless
ip route 0.0.0.0 0.0.0.0 BRI0
no ip http server
!
!
access-list 100 permit ip 10.1.0.0 0.0.0.255 10.254.0.0 0.0.0.255
access-list 101 deny ip 10.1.0.0 0.0.0.255 10.254.0.0 0.0.0.255
access-list 101 permit ip 10.1.0.0 0.0.0.255 any
access-list 102 permit udp host 212.43.231.65 eq isakmp host 194.222.124.232
access-list 102 permit ahp host 212.43.231.65 host 194.222.124.232
access-list 102 permit esp host 212.43.231.65 host 194.222.124.232
! For Ping testing... remove or rewrite after testing implementation.
access-list 102 permit icmp any any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 101

----------------------------------------------------------------------

... and just invert the source and destination addresses in the access lists and crypto-map peer for the other router.

The trick is the Route-Map. This is what allows VPN tunnel traffic at the same time as each respective LAN surfing the net from their Internet Router.

HTH's
-Mark

-----Original Message-----
From: Steven Greeno [mailto:[EMAIL PROTECTED]]
Sent: Saturday, September 21, 2002 8:48 AM
To: [EMAIL PROTECTED]
Subject: VPN Nightmare [7:53796]

Hi,

I would love some help with this VPN problem I am having. Here is the situation I am trying to create:

I have 2 2503s with appropriate IOS images. 2500-1 has a 10.1.0.0 network attached to ethernet0, and the BRI ISDN port connects it to the internet with a static IP of 194.222.124.232. This interface connects 2500-1 to the internet, and NAT is run to allow access from the 10.1 network to the internet.

The second router is configured simply: it is called 2500-2 and has an e0 interface on 10.254.0.0 and a dialer1 interface to the internet on IP 212.43.231.65, and NAT to allow 10.254.0.0 to the internet.

The difficulty I am having is getting a VPN link set up to connect the 10.1 and 10.254 networks for the users but keeping internet access from each site's respective router.

I have looked on TAC and found some sample configs to set up DES links between sites, but I can't work out how to keep the access to the internet.

I hope this is easy to understand. I appreciate any help anyone can offer.

Regards,
Steven Greeno

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53849&t=53796
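
The route-map behaviour described in the reply above can be checked offline. The following is an added example, not part of the original thread or any Cisco tooling: it models first-match evaluation of ACLs 100 and 101 from the posted Router A config and shows what happens to LAN-to-LAN traffic when the deny line in ACL 101 is missing. The function names, the second (constructed) config variant and the test addresses are assumptions made for illustration.

```python
import ipaddress

# ACLs 100 and 101 copied from the Router A config in the post.
ROUTER_A = """
access-list 100 permit ip 10.1.0.0 0.0.0.255 10.254.0.0 0.0.0.255
access-list 101 deny ip 10.1.0.0 0.0.0.255 10.254.0.0 0.0.0.255
access-list 101 permit ip 10.1.0.0 0.0.0.255 any
"""
# Constructed variant: the deny line in ACL 101 has been left out.
ROUTER_A_NO_DENY = "\n".join(
    line for line in ROUTER_A.splitlines() if " deny " not in line)

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_acls(config):
    """Return {acl_number: [(action, (src, wildcard), (dst, wildcard)), ...]}."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # only plain 'ip' entries are modelled here
        rest, ends = tok[4:], []
        while rest and len(ends) < 2:
            if rest[0] == "any":
                ends.append((0, 0xFFFFFFFF))
                rest = rest[1:]
            else:
                ends.append((_ip(rest[0]), _ip(rest[1])))
                rest = rest[2:]
        acls.setdefault(tok[1], []).append((tok[2], ends[0], ends[1]))
    return acls

def permits(acl, src, dst):
    """First-match evaluation with wildcard masks; implicit deny at the end."""
    s, d = _ip(src), _ip(dst)
    for action, (sb, sw), (db, dw) in acl:
        if (s | sw) == (sb | sw) and (d | dw) == (db | dw):
            return action == "permit"
    return False

def classify(acls, src, dst, crypto="100", nat="101"):
    """IOS applies inside-to-outside NAT before the crypto map check."""
    wants_tunnel = permits(acls[crypto], src, dst)
    if permits(acls[nat], src, dst):
        # The source is rewritten to the pool address, so a flow meant for
        # the tunnel no longer matches the crypto ACL after translation.
        return "nat-breaks-tunnel" if wants_tunnel else "nat"
    return "ipsec" if wants_tunnel else "plain"
```

With the posted ACLs, site-to-site traffic is exempted from NAT and matches the crypto ACL, while everything else from the LAN is translated for Internet access.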