EZVPN public internet split tunnel with dialer interface

verdouw (Level 1)

I have a job where I need to be able to use EZVPN with split tunnel but still have access to an external server from the corporate network, as the external server will only accept connections from the corporate public IP address.

So I have included not only the corporate class C in the interesting traffic but also the IP address of the external server.

So all good so far: traffic for the corporate network goes down the tunnel, as well as the traffic for the IP address of the external server.

Now comes the problem: I am trying to send the public IP traffic for the external server out of the corporate network into the public internet, but it just drops and does not get back out the same interface into the internet.

I checked out this procedure and it did not help, as the route-map counters do not increase with my attempt to reach the external router.

http://www.cisco.com/c/en/us/support/docs/security/vpn-client/71461-router-vpnclient-pi-stick.html

And just to test the process, I removed the split tunnel and have everything going down the tunnel so I can test with any web site. I also have a home server on the network that is reached, so I can definitely reach into the network at home, which is the test for the corporate network I am trying to reach.

It's a Cisco 870 router and here is the config:

Router#sh run
Building configuration...

Current configuration : 4617 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 *************************
enable password *************************
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network ciscocp_vpn_group_ml_1 local 
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.3
ip dhcp excluded-address 192.168.1.4
ip dhcp excluded-address 192.168.1.5
ip dhcp excluded-address 192.168.1.6
ip dhcp excluded-address 192.168.1.7
ip dhcp excluded-address 192.168.1.8
ip dhcp excluded-address 192.168.1.9
ip dhcp excluded-address 192.168.1.111
!
ip dhcp pool myDhcp
   network 192.168.1.0 255.255.255.0
   dns-server 139.130.4.4 
   default-router 192.168.1.1 
!
!
ip cef
ip inspect name myfw http
ip inspect name myfw https
ip inspect name myfw pop3
ip inspect name myfw esmtp
ip inspect name myfw imap
ip inspect name myfw ssh
ip inspect name myfw dns
ip inspect name myfw ftp
ip inspect name myfw icmp
ip inspect name myfw h323
ip inspect name myfw udp
ip inspect name myfw realaudio
ip inspect name myfw tftp
ip inspect name myfw vdolive
ip inspect name myfw streamworks
ip inspect name myfw rcmd
ip inspect name myfw isakmp
ip inspect name myfw tcp
ip name-server 139.130.4.4
!
!
!
!
username ************************* privilege 15 password 0 *************************

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group HomeFull
 key *************************
 dns 8.8.8.8 8.8.8.4
 pool SDM_POOL_1
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group HomeFull
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 1740
 set transform-set ESP-3DES-SHA 
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto ctcp port 10000 
archive
 log config
  hidekeys
!
!
!
!
!
interface Loopback10
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description TimsInternet
 ip flow ingress
 ip policy route-map VPN-Client
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 3
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template3 type tunnel
 ip unnumbered Dialer3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect myfw in
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1372
 no ip mroute-cache
 hold-queue 100 out
!
interface Dialer0
 no ip address
!
interface Dialer3
 ip address negotiated
 ip access-group blockall in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp header-compression
 ip policy route-map VPN-Client
 no ip mroute-cache
 dialer pool 3
 dialer-group 1
 no cdp enable
 ppp chap hostname *************************@direct.telstra.net
 ppp chap password 0 *************************
!
ip local pool SDM_POOL_1 10.0.0.10 10.0.0.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer3
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 101 interface Dialer3 overload
!
ip access-list extended VPN-OUT
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended blockall
 remark CCP_ACL Category=17
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit ahp any any
 permit tcp any any eq 10000
 deny   ip any any
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
route-map VPN-Client permit 10
 match ip address VPN-OUT
 set ip next-hop 10.0.0.2
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password cisco
!
scheduler max-task-time 5000
end


2 Replies

Hello.

I see your Virtual-Template interface is not enabled for NAT, so NAT is not provided for spokes.

After you fix NAT, you will face an issue with CBAC, as traffic coming from spokes is not inspected (ZBFW?).

Thanks for the response.

Not sure how that would help, as I can connect into the internal network just fine, but I want to hairpin back out the interface and surf the internet from the VPN client. The policy route-map makes Loopback10 the next hop and it has NAT.
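The following is an added example, not configuration from the original post or from either reply. It shows one way to apply the first reply's suggestion to the posted configuration and why the Loopback10 policy-route hairpin from the linked 71461 document does not fire here. It assumes the DVTI design is kept as posted: with a virtual-template tunnel, decrypted EZVPN client traffic enters the router on the Virtual-Access interface cloned from Virtual-Template3, not on Dialer3, so the `ip policy route-map VPN-Client` on Dialer3 never sees that traffic (which matches the route-map counters staying at zero). Marking the virtual-template as NAT inside translates client traffic to the Dialer3 address, and applying the existing `myfw` CBAC rule there opens the return path through the `blockall` ACL on Dialer3, which is the CBAC issue the first reply anticipates.

```ios
! Added example (not from the original post or replies): changes
! relative to the posted configuration. Assumption: the DVTI design
! is kept, so decrypted EZVPN client traffic enters on the
! Virtual-Access interface cloned from Virtual-Template3, not on
! Dialer3, and NAT plus CBAC inspection must be applied here.
interface Virtual-Template3 type tunnel
 ip unnumbered Dialer3
 ip nat inside
 ip inspect myfw in
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
! No change needed below: access-list 101 already covers the
! SDM_POOL_1 range (10.0.0.0/24), so the existing overload rule
! translates client traffic to the Dialer3 address.
ip nat inside source list 101 interface Dialer3 overload
!
! Optional cleanup: the Loopback10 / policy-route hairpin from the
! 71461 document is for crypto-map configurations, where decrypted
! traffic still arrives on the physical interface. With DVTI it
! never matches, so it can be removed.
interface Dialer3
 no ip policy route-map VPN-Client
interface ATM0.1
 no ip policy route-map VPN-Client
no route-map VPN-Client
!
! Verification after a client connects and browses through the tunnel:
!   show ip nat statistics     - Virtual-Access interface listed under "Inside interfaces"
!   show ip nat translations   - entries with inside local addresses 10.0.0.x
!   show ip inspect sessions   - sessions for the client's flows
```

Because client traffic leaves with the Dialer3 address, the external server sees the corporate public IP as required. Once the split-tunnel ACL is put back, the external server's address still has to be in that ACL, as already done in the original setup; traffic to it is then tunnelled, NATed and inspected on the same path as the full-tunnel test.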
