01-21-2014 04:20 AM - edited 03-04-2019 10:07 PM
Hello,
I am trying to do the following:
I get the VPN established, but can't access the internet from my client.
I want to get my public IP on the remote client.
Thanks for any help. Have been trying for many hours, failing - so there might be some configuration missing or misplaced.
Altibox#sh run
Building configuration...
Current configuration : 4641 bytes
!
! Last configuration change at 11:38:13 UTC Tue Jan 21 2014 by xxxxx
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Altibox
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 4 uL3ahII.qXcmuiG8zcrkZkgNezrXtDCZ.UPBVEbygK2
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userlist local
aaa authentication enable default enable
aaa authorization exec default local
aaa authorization network default local
aaa authorization network VPNGROUP local
!
!
aaa session-id common
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.15
!
ip dhcp pool LAN
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
domain-name xxxx
dns-server x.x.x.3 x.x.x.53
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
license udi pid C892FSP-K9 sn FCZ173992BG
!
!
username xxxx privilege 15 secret 4 xxxxxxxxxxxxxxxxxxxxxx
username VPN password 0 vpn
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp nat keepalive 3600
crypto isakmp client configuration address-pool local vpnpool
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group VPNGROUP
key xxxx
domain xxxx
pool vpnpool
acl 144
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
!
!
crypto map dynmap client authentication list userlist
crypto map dynmap isakmp authorization list VPNGROUP
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
interface Loopback0
ip address 10.0.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
no ip address
duplex auto
speed auto
!
interface GigabitEthernet9
description *** Outside ***
ip address dhcp
ip nat outside
ip virtual-reassembly in
ip policy route-map VPN-Client
duplex auto
speed auto
crypto map dynmap
!
interface Vlan1
description *** LAN ***
ip address 10.0.0.1 255.255.255.0
no ip redirects
no ip unreachables
ip directed-broadcast
no ip proxy-arp
ip nat inside
ip virtual-reassembly in max-reassemblies 64
!
ip local pool vpnpool 10.0.1.10 10.0.1.15
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source static tcp 10.0.0.200 80 interface GigabitEthernet9 80
ip nat inside source static tcp 10.0.0.5 8081 interface GigabitEthernet9 8081
ip nat inside source static tcp 10.0.0.5 8080 interface GigabitEthernet9 8080
ip nat inside source static udp 10.0.0.5 8080 interface GigabitEthernet9 8080
ip nat inside source static tcp 10.0.0.253 5002 interface GigabitEthernet9 5002
ip nat inside source static tcp 10.0.0.254 5001 interface GigabitEthernet9 5001
ip nat inside source static tcp 10.0.0.5 1554 interface GigabitEthernet9 1554
ip nat inside source static tcp 10.0.0.5 3389 interface GigabitEthernet9 3389
ip nat inside source static tcp 10.0.0.3 3000 interface GigabitEthernet9 3000
ip nat inside source static tcp 10.0.0.190 3389 interface GigabitEthernet9 4000
ip nat inside source static tcp 10.0.0.3 5000 interface GigabitEthernet9 5000
ip nat inside source static tcp 10.0.0.3 32400 interface GigabitEthernet9 32400
ip nat inside source list 101 interface GigabitEthernet9 overload
ip nat inside source list vpnpool interface GigabitEthernet9 overload
ip route 0.0.0.0 255.255.255.0 xxxxxxxxx
ip route 10.0.1.0 255.255.255.0 Vlan1
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.0.1.2
!
access-list 101 permit ip any any
access-list 101 deny ip any any
access-list 144 permit ip 192.168.1.0 0.0.0.255 any
access-list 144 permit ip 10.0.1.0 0.0.0.255 any
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
logging synchronous
transport input all
!
scheduler allocate 20000 1000
!
end
01-21-2014 05:38 PM
It's been a while but I don't believe the IPSec client allows split tunnel.
Sent from Cisco Technical Support iPad App
01-22-2014 09:18 AM
Hello.
Are you trying to access the Internet from the client via the local (client's) IP address, or using NAT on the router?
If using the local IP address, could you please show a trace from the client to any Internet resource?
Your configuration says that interesting traffic is ACL 144. It's used to build "static" routes on the client.
So, you need to extend the ACL.
But I see you are using the same ACL for PBR on the outside interface... not sure why you need this.
At the same time I'm not sure if your current NAT configuration will be able to receive traffic on G9 (encrypted from the client) and NAT it out of the same interface.
So, to achieve your goal I would suggest reconfiguring EzVPN with DVTI.
PS: why do you route 10.0.1.0/24 over VL1?
PS2: I see no ACL applied on G9 - have you omitted it only here, or is it just missing?
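A DVTI-based version of the EzVPN server along the lines this reply suggests (full tunnel so the client exits with the router's public address, pool NATed behind G9), written as an added example rather than the poster's or the replier's configuration; the names VPN-PROF, VPN-IPSEC, NAT-INSIDE and Virtual-Template1 are assumptions and the pre-shared key is a placeholder.

```cisco
! ISAKMP policy kept from the original (3DES / group 2 still work, but AES
! and a stronger DH group are preferable where the client supports them)
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNGROUP
 key <PRE-SHARED-KEY>
 pool vpnpool
 ! no "acl 144": with no split-tunnel ACL the client sends all traffic
 ! through the tunnel, so Internet access is NATed by the router
!
! ISAKMP profile binds the group, AAA lists and the virtual template
crypto isakmp profile VPN-PROF
 match identity group VPNGROUP
 client authentication list userlist
 isakmp authorization list VPNGROUP
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec profile VPN-IPSEC
 set transform-set transform-1
 set isakmp-profile VPN-PROF
!
! Decrypted client traffic arrives on a Virtual-Access interface cloned
! from this template, which is an ordinary "ip nat inside" interface
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 ip nat inside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-IPSEC
!
! Outside: drop the crypto map and the PBR hack, then remove the old
! "crypto map dynmap ..." / "crypto dynamic-map dynmap" statements
interface GigabitEthernet9
 no crypto map dynmap
 no ip policy route-map VPN-Client
!
ip local pool vpnpool 10.0.1.10 10.0.1.15
! pool hosts get /32 routes via Virtual-Access; the static route is not needed
no ip route 10.0.1.0 255.255.255.0 Vlan1
!
! PAT both the LAN and the VPN pool behind G9 (the old "list vpnpool"
! referenced an ACL that was never defined)
ip access-list extended NAT-INSIDE
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 10.0.1.0 0.0.0.255 any
no ip nat inside source list vpnpool interface GigabitEthernet9 overload
ip nat inside source list NAT-INSIDE interface GigabitEthernet9 overload
```

After the change, `show crypto session` and `show ip nat translations` on the router should list the client's pool address and its translations to the G9 address while the client browses.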