EZVPN public internet split tunnel with dialer interface
I have a job where I need to be able to use EZVPN with split tunnel but still have access to an external server from the corporate network, as the external server will only accept connections from the corporate public IP address.
So I have not only included the corporate class C in the interesting traffic but also the IP address of the external server.
So all good so far, traffic for the corporate network goes down the tunnel as well as the IP address for the external server.
Now comes the problem: I am trying to send the public IP traffic for the external server out of the corporate network into the public internet, but it just drops and does not get back out the same interface into the internet.
I checked out this procedure and it did not help as the route map counters do not increase with my attempt to reach the external router.
And to just test the process, I removed the split tunnel and just have everything going down the tunnel so I can test with any web site. I also have a home server on the network that is reached, so I can definitely reach into the network at home, which is the test for the corporate network I am trying to reach.
It's a Cisco 870 router and here is the config:
Router#sh run
Building configuration...

Current configuration : 4617 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 *************************
enable password *************************
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.3
ip dhcp excluded-address 192.168.1.4
ip dhcp excluded-address 192.168.1.5
ip dhcp excluded-address 192.168.1.6
ip dhcp excluded-address 192.168.1.7
ip dhcp excluded-address 192.168.1.8
ip dhcp excluded-address 192.168.1.9
ip dhcp excluded-address 192.168.1.111
!
ip dhcp pool myDhcp
 network 192.168.1.0 255.255.255.0
 dns-server 22.214.171.124
 default-router 192.168.1.1
!
!
ip cef
ip inspect name myfw http
ip inspect name myfw https
ip inspect name myfw pop3
ip inspect name myfw esmtp
ip inspect name myfw imap
ip inspect name myfw ssh
ip inspect name myfw dns
ip inspect name myfw ftp
ip inspect name myfw icmp
ip inspect name myfw h323
ip inspect name myfw udp
ip inspect name myfw realaudio
ip inspect name myfw tftp
ip inspect name myfw vdolive
ip inspect name myfw streamworks
ip inspect name myfw rcmd
ip inspect name myfw isakmp
ip inspect name myfw tcp
ip name-server 126.96.36.199
!
!
!
!
username ************************* privilege 15 password 0 *************************
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group HomeFull
 key *************************
 dns 188.8.131.52 184.108.40.206
 pool SDM_POOL_1
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group HomeFull
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 1740
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto ctcp port 10000
archive
 log config
  hidekeys
!
!
!
!
!
interface Loopback10
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description TimsInternet
 ip flow ingress
 ip policy route-map VPN-Client
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 3
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template3 type tunnel
 ip unnumbered Dialer3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect myfw in
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1372
 no ip mroute-cache
 hold-queue 100 out
!
interface Dialer0
 no ip address
!
interface Dialer3
 ip address negotiated
 ip access-group blockall in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp header-compression
 ip policy route-map VPN-Client
 no ip mroute-cache
 dialer pool 3
 dialer-group 1
 no cdp enable
 ppp chap hostname *************************@direct.telstra.net
 ppp chap password 0 *************************
!
ip local pool SDM_POOL_1 10.0.0.10 10.0.0.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer3
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 101 interface Dialer3 overload
!
ip access-list extended VPN-OUT
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended blockall
 remark CCP_ACL Category=17
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit ahp any any
 permit tcp any any eq 10000
 deny   ip any any
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
route-map VPN-Client permit 10
 match ip address VPN-OUT
 set ip next-hop 10.0.0.2
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password cisco
!
scheduler max-task-time 5000
end
Not sure how that would help as I can connect into the internal network just fine, but I want to hairpin back out the interface and surf the internet from the VPN client. The policy route map makes the L10 the next hop and it has NAT.
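The following is an added example written against the posted configuration; it is not the poster's config and not a Cisco document. The reason the route-map counters stay at zero is visible in the config itself: `ip policy route-map VPN-Client` is applied to ATM0.1 and Dialer3, but with `virtual-template 3` the decrypted client packets (source 10.0.0.x) enter the router on the Virtual-Access interface cloned from Virtual-Template3. Dialer3 only ever sees the ESP packets, whose source is the client's public address, so `VPN-OUT` never matches. Moving the policy onto Virtual-Template3 lets the loopback detour do its job: PBR sends the packet toward 10.0.0.2, which is directly connected on Loopback10 (`ip nat inside`), the packet re-enters from the loopback, follows the default route out Dialer3 (`ip nat outside`) and is translated because 10.0.0.0/24 is already in access-list 101. Two further points a practitioner would want covered: return traffic from the internet hits `blockall` inbound on Dialer3, and CBAC (`ip inspect myfw`) is only inspecting Vlan1, so the hairpinned sessions need inspection on the VTI as well (this assumes CBAC opens the return holes for a VTI the same way it does for Vlan1); and the LAN destination should be excluded from the PBR match so client-to-LAN traffic routes normally. The split-tunnel ACL `SPLIT` and the server address 203.0.113.10 are placeholders for the external server the post does not name.

```cisco
! Added example, not the poster's running config. 203.0.113.10 stands in
! for the external server's public IP; SPLIT is a new ACL name.
!
! 1. Split tunnel: send only the corporate LAN and the external server down
!    the tunnel, everything else leaves the client directly. In EZVPN the
!    group's "acl" lists the destinations the client must tunnel.
ip access-list extended SPLIT
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip host 203.0.113.10 any
!
crypto isakmp client configuration group HomeFull
 acl SPLIT
!
! 2. Match only client traffic that must hairpin; client-to-LAN traffic is
!    excluded so it is routed normally instead of detouring via Loopback10.
ip access-list extended VPN-OUT
 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
!
! Unchanged: 10.0.0.2 is a non-existent host on Loopback10's connected
! subnet, so the packet is bounced through the loopback (ip nat inside).
route-map VPN-Client permit 10
 match ip address VPN-OUT
 set ip next-hop 10.0.0.2
!
! 3. PBR belongs where the decrypted packets enter: the Virtual-Access
!    cloned from Virtual-Template3. On ATM0.1 and Dialer3 it never matches.
interface ATM0.1 point-to-point
 no ip policy route-map VPN-Client
interface Dialer3
 no ip policy route-map VPN-Client
!
interface Virtual-Template3 type tunnel
 ip policy route-map VPN-Client
 ip inspect myfw in
!
! 4. Verify while a connected client browses the internet:
!    show route-map VPN-Client            ("Policy routing matches" increments)
!    show ip nat translations | include 10.0.0.
!    show ip inspect sessions             (hairpinned sessions listed)
!    show ip access-lists blockall        (deny ip any any should stop growing)
```

With a dynamic VTI the loopback detour can usually be avoided altogether by marking Virtual-Template3 `ip nat inside` and routing straight out Dialer3; the loopback trick is what crypto-map designs need because there the decrypted packet re-enters the same outside interface it leaves by. Either way the policy must sit on the interface the cleartext packets arrive on, which is what the zero counters are pointing at. Unrelated to the routing problem, the posted config still has `password cisco` on `line vty 0 4`; with `aaa new-model` and `aaa authentication login default local` that line password is not consulted, but it is worth removing anyway.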