Hi All,
I got a 2811 with the security IOS on it and I am trying to open a VPN tunnel to a Cisco 3030 VPN con, and also enable CBAC and gain internet access via it (using split tunneling).
I do manage to open the VPN tunnel but I can't surf the WEB on a PC that is located behind the internal interface, can someone please help me ?
Thanks,
Here is my router config:
!!!!! x.x.x.x = Public IP of the 3030 VPN concentrator !!!!!!!!
!!!!! y.y.y.y = Public IP of the 2811 !!!!!!!!
!!!!! z.z.z.z = Public IP of the 2811 - default gateway !!!!!!!!
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 informational
no logging console
enable secret !!!some secert !!!
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip source-route
ip tcp intercept list 110
!
!
ip cef
!
!
ip domain name domainname.com
ip name-server 10.x.x.x
ip name-server 10.x.x.x
ip inspect name FW icmp
ip inspect name FW http
ip inspect name FW ftp
ip inspect name FW tftp
!
crypto pki trustpoint TP-self-signed-xxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxx
revocation-check none
rsakeypair TP-self-signed-xxxxx
!
!
crypto pki certificate chain TP-self-signed-xxxxx
certificate self-signed 01
username ******* secret 5 *********
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key mortimer11 address x.x.x.x
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map VPNmap 10 ipsec-isakmp
set peer x.x.x.x
set transform-set myset
match address VPN
!
!
!
!
interface FastEthernet0/0
description Outside Interface
ip address y.y.y.y 255.255.255.252
ip access-group Firewall in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map VPNmap
!
interface FastEthernet0/1
description Inside Interface
ip address 10.197.4.2 255.255.252.0
ip nat inside
ip inspect FW in
ip virtual-reassembly
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 z.z.z.z
!
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool mypool y.y.y.y y.y.y.y netmask 255.255.255.252
ip nat inside source route-map translate pool mypool overload
!
ip access-list extended Firewall
deny ip host 255.255.255.255 any
permit icmp any host y.y.y.y echo
permit udp any eq isakmp any
permit esp any any
permit tcp any host y.y.y.y eq 22
deny ip any any
ip access-list extended NAT
deny tcp any any eq 22
deny tcp any eq 22 any
deny ip 10.197.4.0 0.0.3.255 10.0.0.0 0.255.255.255
permit ip 10.197.0.0 0.0.255.255 any
ip access-list extended VPN
permit ip 10.197.4.0 0.0.3.255 10.0.0.0 0.255.255.255
!
access-list 110 permit ip any any
snmp-server community ********** RO
snmp-server community ********** RW
snmp-server location somewhere over the rainbow
snmp-server contact WAN_Group@domain.com
snmp-server system-shutdown
snmp-server enable traps tty
!
route-map translate permit 10
match ip address NAT
!
!
!
tacacs-server host 10.32.4.16
tacacs-server host 10.32.6.47
tacacs-server directed-request
tacacs-server key 7 ********************
!
control-plane
!
!
line con 0
password 7 *************
line aux 0
line vty 0 4
exec-timeout 5 0
privilege level 15
password 7 *************
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179877
ntp source FastEthernet0/1
ntp server 10.32.0.2
!
end
