I could really use a second set of eyes on this VPN config. :)

trevorgeorgia
Level 1

Hi all,

I am attempting to set up a client -> server VPN using IOS 12.4 and Cisco Client 5.x. At this point, the client does connect; however, I cannot ping or send / receive data over the VPN.  I am initially attempting a split-tunnel config, as they seem easier.  Ideally, the client would route *all* data over the VPN, including that which is destined for the public network, in the interest of safe browsing remotely.  However, I haven't got that far yet.

Currently, I have a network setup as:

FastEthernet0/0 - Public network via DHCP from ISP.

FastEthernet0/1 - Internal network on the 192.168.1.0 /24 network.

I currently have a NAT overload on FastEthernet0/0 so that internal hosts can browse the Internet.  As mentioned, I would also like to have remote VPN hosts browse the Internet via this same overload.

Below is my config in full with some parts redacted.  Please let me know what I am doing wrong for this split-tunnel setup, and any suggestions to get this working in a non-split-tunnel way would be great.  I have been working on this for 2 days, and all the tutorials and guides I've read do not seem to work for me.

Thanks!

Trevor

--------------------------------------
!
! Last configuration change at 23:06:48 EDT Fri Apr 27 2012 by trevor
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 sometextsometextsometext
enable password somepassword
!
aaa new-model
aaa authentication login userauth local
aaa authorization network groupauth local
!
username vpnuser password 0 vpnpassword
!
!
clock timezone EST -5
clock summer-time EDT recurring
!
ip name-server 4.2.2.2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! needed to enable resolution of the URLs in the update config commands
!
ip domain lookup
!
!
ip ddns update method mydomain_update
  http
   add http://login:password@members.dyndns.org/nic/update?hostname=mydomain.dyndns.org&myip=<a>
  interval maximum 0 0 1440 0
  interval minimum 0 0 1440 0
!
!
! Applying update method to interface
!
!interface FastEthernet0/0
!  ip ddns update mydomain_update
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
ip domain name mydomain.dyndns.org
!
!
username user privilege 15 secret 5 sometextsometextsometext
!
!
interface FastEthernet0/0
 description *** Outside ***
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpn-map
 ip ddns update mydomain_update
!
!
interface FastEthernet0/1
 description *** Inside ***
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Loopback0
 description VPN
 ip address 10.1.254.1 255.255.255.240
!
!
crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngroup
 key vpnpassword
 dns 4.2.2.2 4.2.2.1
 domain mydomain.dyndns.org
 pool vpnpool
 acl 101
!
crypto ipsec transform-set vpn esp-aes esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set vpn
 reverse-route
!
crypto map vpn-map client authentication list userauth
crypto map vpn-map isakmp authorization list groupauth
crypto map vpn-map client configuration address respond
crypto map vpn-map 10 ipsec-isakmp dynamic dynmap
!
!
ip nat inside source list 10 interface FastEthernet0/0 overload
!
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.254.0 0.0.0.255
!
!
!
ip local pool vpnpool 10.1.254.2 10.1.254.14
!
!radius-server host 192.168.1.201 auth-port 1645 acct-port 1646 key cisco
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input ssh
!
ntp clock-period 17208002
ntp server 142.137.247.109
!
end
--------------------------------------

8 Replies

andrew.prince
Level 10

Your no nat is wrong. Deny from the inside to the remote VPN ip subnet, permit everything else.

Sent from Cisco Technical Support iPad App

Hi Andrew,

Thanks for the reply.  The only nat statement I have is the overload for the internal hosts on the 192.168.1.0/24 network to access the Internet.  Can you clarify?

I have updated access-list 101 to state:

access-list 101 deny 192.168.1.0 0.0.0.255 10.1.254.0 0.0.0.255

access-list 101 permit 192.168.1.0 0.0.0.255 any

Typically the remote IP subnet for the VPN is viewed by the device as "outside". When you are using NAT, you NAT from the "inside" to the "outside", so you need to tell the device NOT to NAT to the remote IP subnet; otherwise you will NAT and it will not work.

I apologize, I'm thick here.  So, I need to remove the line I added on the access-list.  So access-list 101 would just be:

access-list 101 permit 192.168.1.0 0.0.0.255 any

Which should pass the split-tunneling route to the client.

I then need to add a line to prevent NAT from occurring from my internal (192.168.1.0/24) network to the VPN network, which is (10.1.254.0/24).  I would also need to add a new access-list to that effect.  However, I should keep the existing NAT line in order to ensure that internal network machines can reach the public network, so:

no ip nat inside source list 102 interface FastEthernet0/0 overload

ip nat inside source list 10 interface FastEthernet0/0 overload

access-list 102 permit 192.168.1.0 0.0.0.255 10.1.245.0 0.0.0.255

Is this correct?

Thanks again for your help!

Trevor

Actually, it would seem to be easier to make access-list 102 contain:

access-list 102 deny ip 192.168.1.0 0.0.0.255 10.1.254.0 0.0.0.255

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

then delete the existing nat overload and do:

ip nat inside source list 102 interface fastethernet0/0 overload
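Added here as an illustration of the NAT-exemption point Andrew makes above and of Trevor's access-list 102 (example code written for this page, not from the thread or from Cisco): a small Python model of IOS wildcard-mask ACL matching, applied to the ACLs posted in this thread. The outside address 203.0.113.10 and the host addresses are constructed values.

```python
import ipaddress

def _wild_match(ip, net, wildcard):
    """Cisco wildcard-mask match: bits set in the wildcard are 'don't care'."""
    ip, net, wc = (int(ipaddress.IPv4Address(x)) for x in (ip, net, wildcard))
    return (ip & ~wc) == (net & ~wc)

def acl_action(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if _wild_match(src, s, sw) and _wild_match(dst, d, dw):
            return action
    return "deny"

# ACLs from the thread, constructed as (action, src, src-wildcard, dst, dst-wildcard).
ANY = ("0.0.0.0", "255.255.255.255")
# Original NAT ACL 10: translate everything sourced from 192.168.1.0/24.
ACL_10 = [("permit", "192.168.1.0", "0.0.0.255", *ANY)]
# NAT exemption (Andrew's advice, Trevor's ACL 102): deny = do not translate
# inside -> VPN pool, then permit = translate everything else.
ACL_102 = [("deny", "192.168.1.0", "0.0.0.255", "10.1.254.0", "0.0.0.255"),
           ("permit", "192.168.1.0", "0.0.0.255", *ANY)]
# Split-tunnel ACL 101 from the first post; its source networks are what the
# client is told to send through the tunnel.
ACL_101 = [("permit", "192.168.1.0", "0.0.0.255", "10.1.254.0", "0.0.0.255")]

OUTSIDE_IP = "203.0.113.10"  # constructed stand-in for the DHCP address on Fa0/0

def source_after_nat(nat_acl, src, dst):
    """Source address a packet carries after 'ip nat inside source list <acl>
    interface FastEthernet0/0 overload': permit = translate to the outside
    address, deny = leave untouched. NAT runs before IPsec on the outbound path,
    so a translated source no longer matches the 192.168.1.0/24 <-> 10.1.254.x
    proxy identity the client negotiated and the packet never enters the tunnel."""
    return OUTSIDE_IP if acl_action(nat_acl, src, dst) == "permit" else src

def client_tunnels(split_acl, dst):
    """True if the client sends traffic for dst through the tunnel, i.e. dst lies
    in a source network of a permit entry in the split-tunnel ACL."""
    return any(_wild_match(dst, s, sw)
               for action, s, sw, _, _ in split_acl if action == "permit")

if __name__ == "__main__":
    host, client = "192.168.1.20", "10.1.254.5"
    print("ACL 10, inside->client:", source_after_nat(ACL_10, host, client))    # 203.0.113.10
    print("ACL 102, inside->client:", source_after_nat(ACL_102, host, client))  # 192.168.1.20
    print("ACL 102, inside->Internet:", source_after_nat(ACL_102, host, "198.51.100.7"))  # 203.0.113.10
    print("client tunnels to inside host:", client_tunnels(ACL_101, host))      # True
    print("client tunnels to Loopback0:", client_tunnels(ACL_101, "10.1.254.1"))  # False
```

The last line shows a side effect of the posted split-tunnel ACL: only 192.168.1.0/24 is pushed to the client as a secured network, so a ping from the client to Loopback0 (10.1.254.1) is not sent through the tunnel at all.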

Hmm.  Did not seem to work.  I still cannot ping the router's vpn interface / loopback (10.1.254.1) or any of the inside machines on the 192.168.1.0/24 network.

It seems that when I attempt to ping from 192.168.1.x to the vpn client's ip on the 10.1.254.0 network, the number of access-list hits on the rule access-list 102 deny ip 192.168.1.0 0.0.0.255 10.1.254.0 0.0.0.255 increment. 

However, when I attempt to ping from the remote client to the 192.168.1.x hosts the access-list hits on the rule access-list 102 permit ip 192.168.1.0 0.0.0.255 any increment.  Neither of which results in a successful ping.

access-list 101, which is assigned to the VPN, has never had a match from what I can see.

Have a look at the below URL for plenty of config examples and troubleshooting.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_configuration_examples_list.html

HTH
