Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1161
Views
0
Helpful
2
Replies

webvpn split and VTI

Go to solution
Olivier Joly
Level 1
Level 1

‎05-18-2012 05:46 AM

Dear all,

We have a 1841 router with webvpn enable and split tunneling. That router is also connected to a second office using a VTI. We would like the webvpn remote clients (using anyconnect) accessing the remote office network through the VTI.

Office 1 network: 192.168.10.0

Office 2 (remote) network: 192.168.11.0

I think the webvpn setup with split tunneling is properly setup, however I don't know how to route packet from 192.168.60.0 (dhcp pool for webvpn client) to 192.168.11.0 network.

Is somebody have an idea ?

Regards,

Olivier

Router config:

interface Tunnel0

description VTI To office 2

ip address 192.168.50.1 255.255.255.0

tunnel source Dialer1

tunnel mode ipsec ipv4

tunnel destination 217.x.x.133

tunnel path-mtu-discovery

tunnel protection ipsec profile vti

!

interface FastEthernet0/0

description LAN Interface

ip address 192.168.10.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface ATM0/0/0

no ip address

no atm ilmi-keepalive

!

interface ATM0/0/0.1 point-to-point

pvc 8/35

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface Dialer1

description To ADSL

ip address negotiated

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

ppp authentication chap callin

ppp chap hostname x

ppp chap password 7 x

!

ip local pool PoolVpnAdsl 192.168.60.1 192.168.60.10

ip forward-protocol nd

!

ip nat inside source route-map IspADSL interface Dialer1 overload

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 192.168.11.0 255.255.255.0 192.168.50.2

!

logging esm config

access-list 10 permit 192.168.10.0 0.0.0.255

access-list 10 deny   any

access-list 100 permit ip any any

dialer-list 1 protocol ip permit

!

route-map IspADSL permit 1

match ip address 10

match interface Dialer1

!

webvpn gateway GateSslAdsl

ip address 193.x.x.113 port 443 

http-redirect port 80

ssl trustpoint xxx

inservice

!

webvpn context VpnSslAdsl

ssl authenticate verify all

!

!

policy group policy_1

   functions svc-enabled

   svc address-pool "PoolVpnAdsl"

   svc keep-client-installed

   svc split dns "domain.dom"

   svc split include 192.168.10.0 255.255.255.0

   svc split include 192.168.11.0 255.255.255.0

   svc dns-server primary 192.168.10.X

default-group-policy policy_1

aaa authentication list XauthRadius

gateway GateSslAdsl

inservice

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
rizwanr74
Level 7
Level 7

‎05-18-2012 08:41 AM

Hi Olivier,

You need to change your ACL "10" to an extended ACL

"access-list 10 permit 192.168.10.0 0.0.0.255"

Please create an ACL 101 as show below.

access-list 101 deny ip 192.168.60.0 0.0.0.255  192.168.11.0 0.0.0.255

access-list 101 deny ip 192.168.11.0 0.0.0.255  192.168.60.0 0.0.0.255

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

Remove this line:  route-map IspADSL permit 1

Remove this line:  match ip address 10

route-map IspADSL permit 1

match ip address 101

Also, please make sure, you have a static route in place other end of VTI to push "192.168.60.0 0.0.0.255"

Please let me know, if this helps.

thanks

Message was edited by: Rizwan Mohamed

View solution in original post

0 Helpful
2 Replies 2

Go to solution
rizwanr74
Level 7
Level 7

‎05-18-2012 08:41 AM

Hi Olivier,

You need to change your ACL "10" to an extended ACL

"access-list 10 permit 192.168.10.0 0.0.0.255"

Please create an ACL 101 as show below.

access-list 101 deny ip 192.168.60.0 0.0.0.255  192.168.11.0 0.0.0.255

access-list 101 deny ip 192.168.11.0 0.0.0.255  192.168.60.0 0.0.0.255

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

Remove this line:  route-map IspADSL permit 1

Remove this line:  match ip address 10

route-map IspADSL permit 1

match ip address 101

Also, please make sure, you have a static route in place other end of VTI to push "192.168.60.0 0.0.0.255"

Please let me know, if this helps.

thanks

Message was edited by: Rizwan Mohamed

0 Helpful

Go to solution
Olivier Joly
Level 1
Level 1
In response to rizwanr74

‎05-19-2012 01:58 AM

Hi Mohamed,

It works perfectly Thanks.

A added the lines as you suggested :

access-list 110 deny   ip 192.168.60.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 110 deny   ip 192.168.11.0 0.0.0.255 192.168.60.0 0.0.0.255

access-list 110 permit ip 192.168.10.0 0.0.0.255 any

access-list 110 deny   ip any any

and replace the "match ip address 10" by "match ip address 110" in route-map IspADSL permit 1

I also add the line "ip route 192.168.60.0 255.255.255.0 192.168.50.1"

Thanks again,

Kind regards,

Olivier

0 Helpful
Customers Also Viewed These Support Documents