Here's my situation. I have a Cisco 2520 at my office and a Cisco 806 at another. I've enabled tunneling so that the 806 will send it's traffic over to my Cisco 2520 and then out the Internet. What I need to do is get all the traffic to hit the 2520's external interface and then be forced inside so that our SurfControl server can sniff and filter if necessary. Then I need the traffic sent back out to the Internet (if it's not filtered by SurfControl) and serviced by whatever the host was requesting (webpage, ftp, etc). Here are the two configs, if you need to see them. I'm not sure if this is possible, but I was thinking it could be done due to knowing how Cisco routers have endless possibilities.
Mesa Cisco 806 Config
Admin Cisco 2520's Config
thanks
baldhead
Mesa Cisco 806 Config
Code:
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname mesa
!
enable secret 5 **************
!
ip subnet-zero
!
ip ssh time-out 20
ip ssh source-interface Ethernet1
ip ssh rsa keypair-name mesaclub
!
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
!Going to Admin 2520's External IP
crypto isakmp key xxxxxx address 208.x.x.x 255.255.255.0
!
!
crypto ipsec transform-set Admin esp-3des esp-md5-hmac
!
crypto map Admin 100 ipsec-isakmp
set peer 208.x.x.x
set transform-set Admin
match address 100
!
!
!
!
interface Tunnel0
ip address 10.1.2.2 255.255.255.0
keepalive 32767 3
tunnel source Ethernet1
! Admin 2520's External IP
tunnel destination 208.x.x.x
!
interface Ethernet0
ip address 192.168.80.1 255.255.255.0
ip nat inside
no cdp enable
hold-queue 100 out
!
interface Ethernet1
ip address 216.x.x.x 255.255.255.0
ip nat outside
no cdp enable
!
ip nat inside source list 1 interface Ethernet1 overload
! Port Forwarding Remote Desktop
ip nat inside source static tcp 192.168.80.2 3389 216.x.x.x 3389 extendable
ip classless
! Ethernet 0/1's Gateway
ip route 0.0.0.0 0.0.0.0 216.x.x.x
ip route 192.168.0.0 255.255.255.0 10.1.2.1
no ip http server
!
!
access-list 1 permit 192.168.80.0 0.0.0.255
access-list 100 permit ip 192.168.80.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.80.0 0.0.0.255
no cdp run
!
line con 0
password 7 xxxxxxxxxxxxxxx
logging synchronous
login
stopbits 1
line vty 0 4
password 7 xxxxxxxxxxxxxxx
login
!
scheduler max-task-time 5000
end
Admin Cisco 2520's Config
Code:
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Admin2600
!
enable secret 5 ****************
!
!
!
!
!
memory-size iomem 10
ip subnet-zero
!
!
!
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
! Going to Mesa's 806 External IP
crypto isakmp key xxxxxx address 216.x.x.x
!
!
crypto ipsec transform-set Admin esp-3des esp-md5-hmac
!
!
crypto map Admin 100 ipsec-isakmp
set peer 216.x.x.x
set transform-set Admin
match address 100
!
!
!
!
!
!
interface Tunnel0
ip address 10.1.2.1 255.255.255.0
tunnel source Ethernet0/1
! Mesa 806's External IP
tunnel destination 216.x.x.x
!
interface Ethernet0/0
ip address 192.168.0.6 255.255.255.0
ip nat inside
!
interface Ethernet0/1
ip address 208.x.x.x 255.255.255.0
ip nat outside
!
ip nat inside source list 1 interface Ethernet0/1 overload
ip nat inside source static tcp 192.168.0.7 3389 208.x.x.x 3389 extendable
ip classless
! Description Ethernet 0/1's Gateway
ip route 0.0.0.0 0.0.0.0 208.x.x.x
ip route 192.168.80.0 255.255.255.0 10.1.2.2
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.80.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.80.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
password 7 ***************
login
!
end
thanks
baldhead