12-06-2011 06:02 AM
Hello,
I thought that the best option to do that in my Cisco 861 router, IOS v. 15.0 is to use NVI (NAT Virtual Interface) http://inetpro.org/wiki/IPSec:_Router_and_VPN_Client_for_Public_Internet_on_a_Stick_with_NVI
I tried the solution given in this page, but it does not work.
I give you the running-config for my router before and after the modifications proposed in this page, so you are able to help me.
Is there in other way to do that?
Thanks in advance!!
aaa new-model
!
!
aaa authentication login console local-case none
aaa authentication login remote local-case
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication enable default enable
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-181741940
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-181741940
revocation-check none
rsakeypair TP-self-signed-181741940
!
!
crypto pki certificate chain TP-self-signed-181741940
certificate self-signed 01
3082023E ...
....
quit
ip source-route
!
!
!
!
ip cef
!
!
license udi pid CISCO861-K9 sn FCZ144590B9
!
!
username superUser privilege 15 password 7 password
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
!
crypto isakmp client configuration group groupIsakmp
key keyIsakmp
dns dns1 dns1
pool SDM_POOL_1
max-users 5
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group groupIsakmp
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-AES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
switchport access vlan 10
!
interface FastEthernet3
switchport access vlan 10
!
interface FastEthernet4
ip address 192.168.0.43 255.255.255.0
ip nat outside
changed to--->ip nat enable
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan10
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.1.1 255.255.255.0
ip nat inside
changed to--->ip nat enable
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.1.200 192.168.1.210
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
ip nat source list ACL_NAT interface FastEthernet0 overload
!
ip access-list extended ACEL_NAT
!
permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.0.100
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
12-07-2011 07:17 AM
Carlos,
If you had followed the example your config would be very different. The main part of the example you need to concentrate on is:-
ip nat source list ACL_NAT interface FastEthernet0/0 overload
!
ip access-list extended ACL_NAT
!-- do not translate traffic between the VPN clients and the inside
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!-- translate the inside and the VPN clients for every other destination
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
!
You are missing
!-- do not translate traffic between the VPN clients and the inside
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
In your case it should be
deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 - as you are using the 192.168.1.0/24 for your inside AND VPN pool.
Ideally your VPN Pool should be another IP Subnet to avoid this obvious confusion.
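Added here as an illustration, not part of Andrew's or Carlos's posts and not a Cisco tool: a small Python model of how a NAT access-list decides which flows get translated. It applies the rules IOS uses for an extended ACL (entries are checked top to bottom, the first match wins, a zero bit in the Cisco wildcard mask means "must match", and there is an implicit deny at the end) to the ACL as Carlos posted it and to the single-subnet fix Andrew gives above. The flow endpoints (VPN client 192.168.1.200, inside server 192.168.1.101, inside host 192.168.1.50) and the "internet" host 198.51.100.10 are constructed sample values. Separately from what the model shows, note that in the posted config the NVI rule refers to list ACL_NAT while the access-list is named ACEL_NAT, and it names FastEthernet0 (a switchport) rather than the WAN interface FastEthernet4.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action plus source/destination specs.
    A spec is "any" or "<address> <cisco-wildcard>"."""
    action: str
    src: str
    dst: str


def _take_spec(tokens):
    """Consume one address spec from the token list (any / host X / X WILDCARD)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text):
    """Parse the body of an 'ip access-list extended' block; '!' lines are comments."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        action = parts[0]            # permit | deny
        rest = parts[2:]             # skip the protocol keyword ("ip")
        src, rest = _take_spec(rest)
        dst, rest = _take_spec(rest)
        aces.append(Ace(action, src, dst))
    return aces


def _match(spec, addr):
    """Cisco wildcard semantics: 0 bits in the wildcard must be equal, 1 bits are ignored."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(base)) & mask)


def nat_decision(aces, src, dst):
    """True if the flow would be translated (first matching 'permit'); implicit deny otherwise."""
    for ace in aces:
        if _match(ace.src, src) and _match(ace.dst, dst):
            return ace.action == "permit"
    return False


# The ACL as posted: every source in 192.168.1.0/24 is translated, whatever the destination.
POSTED_ACL = """
permit ip 192.168.1.0 0.0.0.255 any
"""

# The single-subnet fix suggested above: exempt LAN/VPN-pool traffic to itself, translate the rest.
CORRECTED_ACL = """
!-- do not translate traffic between the VPN clients and the inside
deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!-- translate the inside and the VPN clients for every other destination
permit ip 192.168.1.0 0.0.0.255 any
"""

# Constructed sample flows (198.51.100.10 stands in for an internet host).
FLOWS = {
    "vpn_client_to_inside_server": ("192.168.1.200", "192.168.1.101"),
    "vpn_client_to_internet": ("192.168.1.200", "198.51.100.10"),
    "inside_host_to_internet": ("192.168.1.50", "198.51.100.10"),
}


def evaluate(acl_text):
    """Map each sample flow to whether this ACL would have NAT translate it."""
    aces = parse_acl(acl_text)
    return {name: nat_decision(aces, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", POSTED_ACL), ("corrected", CORRECTED_ACL)):
        print(label)
        for flow, translated in evaluate(acl).items():
            print(f"  {flow}: {'translated' if translated else 'not translated'}")
```

With the posted ACL the hairpin flow from a VPN client to the inside server is translated along with everything else; with the deny entry in front of the permit, only traffic leaving the 192.168.1.0/24 range toward other destinations is translated, which is the behaviour the original example relies on.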
12-13-2011 02:37 PM
Thanks for your reply Andrew.
I didn't put this line because I also want the VPN clients to be able to access the inside of the network. The VPN clients are in the same IP subnet for that reason.
I want a VPN client with IP 192.168.1.200 to be able to access the remote server IP 192.168.1.101 and, using the router's default gateway, also access the internet, because as you know, all the internet traffic on the client side goes through the VPN tunnel.
I believe that I have two options for this, split tunneling (less secure) and NVI.
Maybe there is an easy way to allow my client to use the router's default gateway, or some other options to have both, secure tunnel and internet in the client at the same time.
thanks in advance!!
02-28-2012 07:15 AM
more suggestions please??