03-10-2014 05:58 AM - edited 03-04-2019 10:32 PM
Dear members, please see my lab config below; your input would be much appreciated. The database server is moving to Amazon and will only accept connections from HQ. I've got VPN users dialling in to HQ (split tunnelling) and I'd like this to stay this way.
How do I get traffic to server A (on the public network) to go through the VPN tunnel?
LAB#sh run
Building configuration...
Current configuration : 2670 bytes
!
! Last configuration change at 12:11:03 UTC Mon Mar 10 2014
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname LAB
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
ip dhcp pool main
network 10.10.10.0 255.255.255.0
default-router 10.10.10.10
dns-server 8.8.8.8
lease 7
!
!
ip cef
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FCZ15269010
!
!
username admin privilege 15 secret 5 $1$ny10$Djfl2m6Pm.uORGCH5eFMy/
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNUSERS
key LNADMIN
pool SDM_POOL_1
acl 101
crypto isakmp profile ciscocp-ike-profile-1
match identity group VPNUSERS
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback0
ip address 172.16.16.16 255.255.255.0
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 20
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 10
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 10.10.10.10 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
ip address xx.xx.217.195 255.255.255.248
ip nat outside
ip virtual-reassembly in
!
ip local pool SDM_POOL_1 192.168.100.0 192.168.100.100
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface Vlan20 overload
ip route 0.0.0.0 0.0.0.0 xx.xx.217.193
!
logging esm config
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 208.64.38.0 0.0.0.255 any
access-list 101 permit ip 190.93.249.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input all
!
end
LAB#
03-10-2014 06:58 AM
There are a couple of config changes to do:
First, the server traffic has to be included in your SPLIT-ACL:
access-list 101 permit ip host A.B.C.D any
Then, the VPN traffic has to be sent back to the internet with NAT:
access-list 1 permit 192.168.100.0 0.0.0.127
interface Virtual-Template1 type tunnel
ip nat inside
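The three changes above make a VPN client's packets to the server leave HQ through Vlan20's public address, which is what the server's allow-list must see. The following Python check is an added example, not code from the thread; it parses a constructed excerpt of the poster's config before and after the changes, with 203.0.113.10 standing in for the server the answer calls A.B.C.D.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed excerpt (example data, not the real router); 203.0.113.10 stands in for A.B.C.D.
BEFORE = """\
interface Virtual-Template1 type tunnel
 tunnel mode ipsec ipv4
ip local pool SDM_POOL_1 192.168.100.0 192.168.100.100
ip nat inside source list 1 interface Vlan20 overload
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 101 permit ip 208.64.38.0 0.0.0.255 any
"""
# The same excerpt with the answer's three additions applied.
AFTER = (BEFORE.replace(" tunnel mode ipsec ipv4\n", " tunnel mode ipsec ipv4\n ip nat inside\n")
         + "access-list 101 permit ip host 203.0.113.10 any\n"
         + "access-list 1 permit 192.168.100.0 0.0.0.127\n")

def acl_networks(config, acl_id):
    """Permitted source networks of a numbered ACL (IOS wildcard = inverted netmask)."""
    nets = []
    for line in config.splitlines():
        m = re.match(rf"access-list {acl_id} permit (?:ip )?(\S+)(?: (\S+))?", line.strip())
        if not m:  # remarks, denies and other ACL numbers are skipped
            continue
        a, b = m.groups()
        if a == "host":
            nets.append(ip_network(b + "/32"))
        elif a == "any":
            nets.append(ip_network("0.0.0.0/0"))
        else:
            mask = ".".join(str(255 - int(o)) for o in b.split("."))
            nets.append(ip_network(f"{a}/{mask}", strict=False))
    return nets

def interface_has(config, iface, command):
    """True if 'command' is configured under 'interface <iface>' (sub-commands are indented)."""
    inside = False
    for line in config.splitlines():
        if not line.startswith(" "):  # any top-level line ends the interface block
            inside = line.startswith("interface ") and line.split()[1] == iface
        elif inside and line.strip() == command:
            return True
    return False

def check(config, server_ip, split_acl="101"):
    nat_acl = re.search(r"ip nat inside source list (\S+)", config).group(1)  # ACL used for NAT
    lo, hi = map(ip_address, re.search(r"ip local pool \S+ (\S+) (\S+)", config).groups())
    return {
        "server_in_split_acl": any(ip_address(server_ip) in n for n in acl_networks(config, split_acl)),
        "pool_in_nat_acl": any(lo in n and hi in n for n in acl_networks(config, nat_acl)),
        "vt_nat_inside": interface_has(config, "Virtual-Template1", "ip nat inside"),
    }
```

Run `check(AFTER, "203.0.113.10")` against your own `show run` output (pasted in place of the constructed excerpt) to confirm all three conditions hold before testing the server connection.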
03-10-2014 07:46 AM
Thanks a lot Karsten :)