02-03-2006 03:59 AM - edited 03-03-2019 11:38 AM
Hello. Sorry for my poor English, but I need your help. I have a Cisco 1721 DSL with RFC 1483. The interface ATM0.1 has a public IP address. The Cisco is configured for remote access with the Cisco VPN client. The problem is that when I connect with the client without split tunneling I have full access to my network, but I don't have access to the Internet through my public IP address. I have read about NAT on a stick in the Cisco documentation (http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml) but I don't know how to implement this case on my router.
02-03-2006 04:34 AM
Please look (again) at the following:
http://www.cisco.com/application/pdf/en/us/guest/products/ps6659/c1650/cdccont_0900aecd80313bd6.pdf
I noticed that you used ACL number 150, just as in the example. This might be a coincidence, or you have probably already seen the document. I think it describes pretty much what you want to achieve.
Otherwise you may find more info at:
http://www.cisco.com/en/US/products/ps6659/products_ios_protocol_option_home.html
Regards,
Leo
02-03-2006 04:48 AM
Thanks Leo for your reply. You must understand that my idea is to go out to the Internet with the public IP of the Cisco 1721. The split tunneling is commented out in my attached message, if you have seen it! I know that it is possible to do it with NAT on a stick, but I don't know how to do it! Thanks :) and regards
02-03-2006 05:00 AM
I might not have gotten your point, but now I think I understand that you want to make a connection to the router (presumably over the Internet) with the VPN client, and that you want to access the Internet using the 1721 as the next hop? It would be as if you were on the inside of the router? Is that correct?
Regards,
Leo
02-03-2006 01:13 PM
Hello again! Exactly, Leo, I want to connect as if I were inside the router. If you have seen my first config, you can observe the PPTP configuration. If you connect to the Cisco 1721 with a PPTP client you will have full access to my LAN and you will have Internet access from my public IP address.
Thanks :)
02-03-2006 08:59 AM
I take it you have the VPN client and firewall features running OK.
I have an example where 192.168.0.0/24 is the inside address range and 192.168.1.0/24 is the VPN client address range.
!
interface Loopback0
description Interface for VPN NAT
ip address 10.0.1.1 255.255.255.252
ip nat inside
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip nat inside
!
interface Ethernet1
ip address dhcp
ip nat outside
ip policy route-map Nat-loop
!
ip local pool ourpool 192.168.1.1 192.168.1.254
ip nat inside source route-map Ethernet1 interface Ethernet1 overload
!
!
access-list 102 remark ** For VPN NAT loop **
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any 192.168.1.0 0.0.0.255
access-list 102 remark *** For VPN NAT loop ***
access-list 105 remark ** For NAT overload **
access-list 105 deny ip any 192.168.0.0 0.0.255.255
access-list 105 permit ip 192.168.0.0 0.0.255.255 any
access-list 105 remark *** For NAT overload ***
!
route-map Ethernet1 permit 10
match ip address 105
match interface Ethernet1
!
route-map Nat-loop permit 10
match ip address 102
set ip next-hop 10.0.1.2
!
So try and add:
access-list 101 permit ip any host 192.168.1.1 log
And change the route-map to this:
route-map vpn permit 10
match ip address 101
set ip next-hop 172.24.1.2
Please let me know what you think.
02-03-2006 01:05 PM
Hello tekna, thanks for your message. I have just seen it and I don't understand why in the route-map vpn you put "set ip next-hop 172.24.1.2". Why this IP address? This IP address is not declared on any loopback interface.
I have made the following:
interface Loopback1
ip address 172.24.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 172.26.1.0 0.0.0.255
access-list 101 deny ip 172.26.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip any 192.168.1.0 0.0.0.255
!
route-map vpn permit 10
match ip address 101
set ip next-hop 172.24.1.2
When I have made these changes and connected with my VPN client, I still can't access the Internet. However, I can see in show route-map vpn how the packets arrive.
Router#show route-map
route-map vpn, permit, sequence 10
Match clauses:
ip address (access-lists): 101
Set clauses:
ip next-hop 172.24.1.1
Policy routing matches: 444 packets, 41375 bytes
02-04-2006 03:56 AM
The 172.24.1.2 IP is the "next-hop" of the Loopback1 interface. Don't worry, it's supposed to look strange.
In the show route-map vpn, you are supposed to have this:
Set clauses:
ip next-hop 172.24.1.2
And what is this:
ip local policy route-map vpn?!? Please remove that.
Once you have connected the VPN client, please try a ping -t to some host on the Internet, and check the nat table (sh ip nat trans) looking for that host.
02-04-2006 06:55 AM
Hello again. I must have done something wrong, because when I have connected to the router and I do ping -t to 150.214.20.1 (UNIVERSITY OF GRANADA, SPAIN) there is no connection.
This is the configuration now:
Router#show run
Building configuration...
Current configuration : 3966 bytes
!
username XXXX privilege 15 password 7 XXXXX
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login vpn local
aaa authorization network default local
aaa session-id common
ip subnet-zero
!
!
!
!
ip cef
ip ips po max-events 100
vpdn enable
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group casa
key 6 kike
dns 80.58.32.97
domain lasgabias
pool vpnpool
! acl 150 ##### ACCESS-LIST FOR SPLIT TUNNELING #####
save-password
include-local-lan
crypto isakmp profile vpnclient
match identity group casa
client authentication list vpn
isakmp authorization list vpn
client configuration address respond
!
!
crypto ipsec transform-set ENCRIPTA esp-3des esp-sha-hmac
!
crypto dynamic-map casa-dynamic 10
set transform-set ENCRIPTA
set isakmp-profile vpnclient
!
!
crypto map vpn 10 ipsec-isakmp dynamic casa-dynamic
!
!
!
interface Loopback0
ip address 172.25.1.1 255.255.0.0
no ip proxy-arp
!
interface Loopback1
ip address 172.24.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface ATM0
no ip address
no atm auto-configuration
no atm ilmi-keepalive
no atm address-registration
dsl operating-mode auto
!
interface ATM0.1 point-to-point
bandwidth 1024
ip address XXX.XXX.XXX.XXXX 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip policy route-map vpn
crypto map vpn
pvc 8/32
encapsulation aal5snap
max-reserved-bandwidth 100
!
interface FastEthernet0
ip address 172.26.1.1 255.255.255.0
ip helper-address 172.24.96.12
no ip proxy-arp
ip nat inside
ip virtual-reassembly
speed 100
!
ip local pool vpnpool 192.168.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
no ip http server
no ip http secure-server
ip nat inside source list 100 interface ATM0.1 overload
!
!
!
access-list 100 remark ### FOR LAN - NAT OVERLOAD ###
access-list 100 deny ip 172.26.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 172.25.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 172.24.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.26.1.0 0.0.0.255 any
access-list 100 permit ip 172.25.1.0 0.0.0.255 any
access-list 100 permit ip 172.24.1.0 0.0.0.255 any
access-list 101 remark #### FOR VPN CLIENT NAT ####
access-list 101 deny ip 192.168.1.0 0.0.0.255 172.26.1.0 0.0.0.255
access-list 101 deny ip 172.26.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip any 192.168.1.0 0.0.0.255
access-list 150 remark ### FOR SPLIT TUNNELING ###
access-list 150 permit ip 172.26.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 172.25.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 172.24.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
route-map vpn permit 10
match ip address 101
set ip next-hop 172.24.1.2
!
!
control-plane
!
!
line con 0
password xxxx
speed 115200
line aux 0
line vty 0 4
privilege level 15
password 7 XXXX
transport input telnet ssh
!
ntp clock-period 17180035
end
###### THIS IS THE SHOW ROUTE-MAP when I have connected with the client
route-map vpn, permit, sequence 10
Match clauses:
ip address (access-lists): 101
Set clauses:
ip next-hop 172.24.1.2
Policy routing matches: 64 packets, 5322 bytes
####### AND THIS IS THE SHOW IP NAT TRANSLATIONS
Router#show ip nat translations include | 150.214.20.1
Router# .... nothing!
Thanks for all replies! :---)
02-04-2006 07:07 AM
Hmm OK.
Try and make your acl 101 look like this:
access-list 101 permit ip host 192.168.1.1 any log
access-list 101 permit ip any host 192.168.1.1 log
And what is this?
! acl 150 ##### ACCESS-LIST FOR SPLIT TUNNELING #####
save-password
include-local-lan
Are you sure you need that?
Then add the following line to acl 100
access-list 100 permit ip host 192.168.1.1 any
How about now, is it working?
Are there any matches on acl 100 and 101?
And how about that sh ip nat trans | inc 150.214.20.1?
02-04-2006 10:46 AM
Hello Tekna :) thanks for all your help! I have added access-list 100 permit ip host 192.168.1.1 any for the NAT, and now I have access to the Internet with my VPN client.
Thanks :)
Best regards from Spain.
Take care
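To make the accepted fix concrete, here is an added example (not code from the thread or from Cisco) that simulates IOS first-match access-list evaluation with wildcard masks, fed with the ACLs posted above. It traces the decrypted VPN client packet through the two checks that decided the outcome: the route-map vpn hairpin (ACL 101) and the NAT ACL (100), and shows that before the fix the packet was policy-routed but never translated. Assumptions: IPv4 only; entries of the form `access-list N {permit|deny} ip SRC DST [log]` as in the thread; the NAT model is simplified to "the flow must go inside -> outside and the NAT ACL must permit it", which is the part that failed here.

```python
"""
Added example (not code from the thread): a small simulator of Cisco IOS
access-list evaluation, used to show why the VPN client at 192.168.1.1 was
policy-routed by route-map vpn (ACL 101) but never translated by
`ip nat inside source list 100 ...` until the line
`access-list 100 permit ip host 192.168.1.1 any` was added.

Assumptions: IPv4 only; numbered extended ACEs of the form
`access-list N {permit|deny} ip SRC DST [log]`; the NAT model is reduced to
the two checks that decide the outcome (inside->outside flow, NAT ACL permit).
"""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tok, pos):
    """Return ((base, wildcard), next_pos) for 'any', 'host A' or 'A WILDCARD'."""
    if tok[pos] == "any":
        return ("0.0.0.0", "255.255.255.255"), pos + 1
    if tok[pos] == "host":
        return (tok[pos + 1], "0.0.0.0"), pos + 2
    return (tok[pos], tok[pos + 1]), pos + 2


def parse_ace(line: str):
    """Parse one ACE into (action, src, dst); trailing keywords such as 'log' are ignored."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    src, pos = _parse_addr(tok, 4)
    dst, _ = _parse_addr(tok, pos)
    return tok[2], src, dst


def acl_permits(acl_lines, src: str, dst: str) -> bool:
    """IOS semantics: the first matching entry wins; implicit deny at the end."""
    for line in acl_lines:
        if line.split()[2] == "remark":
            continue
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


# ACLs as posted in the thread (constructed copies of the running config).
ACL_100_BEFORE = [
    "access-list 100 remark ### FOR LAN - NAT OVERLOAD ###",
    "access-list 100 deny ip 172.26.1.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 100 deny ip 172.25.1.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 100 deny ip 172.24.1.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 100 permit ip 172.26.1.0 0.0.0.255 any",
    "access-list 100 permit ip 172.25.1.0 0.0.0.255 any",
    "access-list 100 permit ip 172.24.1.0 0.0.0.255 any",
]
# The accepted fix: the VPN pool address must also be permitted by the NAT ACL.
ACL_100_AFTER = ACL_100_BEFORE + ["access-list 100 permit ip host 192.168.1.1 any"]
ACL_101 = [  # route-map vpn: hairpin client traffic, but never client<->LAN traffic
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 172.26.1.0 0.0.0.255",
    "access-list 101 deny ip 172.26.1.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 101 permit ip any 192.168.1.0 0.0.0.255",
]


def trace(src: str, dst: str, nat_acl, arrived_on_inside: bool) -> dict:
    """Decide for one packet whether it is policy-routed to Loopback1 and whether
    `ip nat inside source list` translates it.

    Inside-source NAT only sees packets going from an 'ip nat inside' interface
    to an 'ip nat outside' one. A decrypted VPN client packet arrives on ATM0.1
    (outside), and `ip policy route-map vpn` is applied only there; the hairpin
    through Loopback1 (inside) is what turns it into an inside->outside flow.
    It is then translated only if the NAT ACL permits it."""
    policy_routed = not arrived_on_inside and acl_permits(ACL_101, src, dst)
    inside_to_outside = arrived_on_inside or policy_routed
    translated = inside_to_outside and acl_permits(nat_acl, src, dst)
    return {"policy_routed": policy_routed, "translated": translated}


if __name__ == "__main__":
    client, lan_host, internet = "192.168.1.1", "172.26.1.10", "150.214.20.1"
    for label, acl in (("before fix", ACL_100_BEFORE), ("after fix", ACL_100_AFTER)):
        print(label, "client->internet", trace(client, internet, acl, False))
    print("client->lan   ", trace(client, lan_host, ACL_100_AFTER, False))
    print("lan->internet ", trace(lan_host, internet, ACL_100_AFTER, True))
```

Running it reproduces the thread's symptom: "before fix" shows policy_routed True (the route-map counters were climbing) but translated False (no entry in sh ip nat trans), and "after fix" shows both True. The deny lines in ACL 101 keep client-to-LAN traffic out of the hairpin, and the deny lines in ACL 100 keep LAN-to-client traffic untranslated, so the two ACLs must be kept in step whenever the VPN pool changes. Two practitioner caveats: the `log` keyword in the accepted answer is a troubleshooting aid for counting matches and costs CPU on every hit, so drop it once things work; and with split tunneling disabled, every remote client's Internet traffic now leaves under the router's public address, so that address is what any upstream abuse report will point at.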
02-04-2006 01:16 PM
You are welcome, happy to have helped.