07-08-2012 09:01 PM
Hi guys,
Been working through this issue with support and I think we are close, but no resolution yet...
Anyways, here is the link we followed:
http://strongvpn.com/forum/viewtopic.php?id=2234
Basically, it's setting up a VPN L2TP connection to a VPN provider to gain a USA address for the virtual-ppp1 interface. So, no problem getting the tunnel up. No problem doing a ping / tracert from the various Windows clients. However, we can't browse any websites?
We sent a Wireshark dump to support for them to take a look. We can do a telnet / browse from the router and cancel it, and you can see the HTML code there, so the router can reach it. However, no go on the Windows clients?
Just thought I would see if anyone else has had this issue.
Thanks for everyone's time.
Jason Friedrich
07-14-2012 01:22 PM
Hi,
Assuming that you are tunneling all the traffic, you will need to set up a route map on the router to route all the traffic from the clients to the Internet to a loopback where the "ip nat inside" command is. The router, based on the routing table, will then send this traffic to the outside interface where the "ip nat outside" command is. This will allow the translation process, and your clients will be able to access the Internet.
The MS client is not supposed to use split-tunneling, since they consider it a security risk; however, there is a way to force the client to do it, and that is by clearing the "Use default gateway on remote network" checkbox.
The remote VPN server becomes the default route when the VPN connection becomes active. If you want to keep your current default route instead, you need to change the TCP/IP properties.
BTW, the route-map config looks like this:
interface Loopback0
ip address 2.2.2.1 255.255.255.252
ip nat inside
!
ip local pool my-pool 192.168.25.1 192.168.25.20
ip access-list extended VPN_INTERNET_ACCESS
deny ip 192.168.25.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.25.0 0.0.0.255 any
!
route-map VPN_INTERNET_ACCESS permit 10
match ip address VPN_INTERNET_ACCESS
set ip next-hop 2.2.2.2
!
ip access-list extended INTERNET_ACCESS
deny ip 192.168.1.0 0.0.0.255 192.168.25.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.25.0 0.0.0.255 any
ip nat inside source list INTERNET_ACCESS interface GigabitEthernet0/0 overload
interface GigabitEthernet0/0
description Interface connected to the Internet
ip address 10.1.1.1 255.255.255.224
ip nat outside
ip policy route-map VPN_INTERNET_ACCESS
!
interface GigabitEthernet0/1
description LAN interface
ip address 192.168.1.1 255.255.255.0
ip nat inside
I hope it helps
Please rate this post if you find it helpful.
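As an added illustration (not part of the post above and not Cisco code), here is a small Python model of how the two extended ACLs and the route-map in that configuration classify a flow. It assumes the addressing from the config (VPN pool 192.168.25.0/24, LAN 192.168.1.0/24, loopback next-hop 2.2.2.2) and uses 203.0.113.10 as a constructed Internet host; protocol and port matching are omitted because these ACLs match only on "ip".

```python
import ipaddress

# Added example, not from the post: a model of how IOS evaluates the two extended
# ACLs and the route-map shown above. Entries are (action, (src net, src wildcard), dst)
# where dst is "any" or (dst net, dst wildcard). Only the "ip" keyword is modelled.

def _wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_action(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit 'deny ip any any'."""
    for action, s, d in acl:
        if _wildcard_match(src, *s) and (d == "any" or _wildcard_match(dst, *d)):
            return action
    return "deny"

# ip access-list extended VPN_INTERNET_ACCESS (VPN pool 192.168.25.0/24, LAN 192.168.1.0/24)
VPN_INTERNET_ACCESS = [
    ("deny",   ("192.168.25.0", "0.0.0.255"), ("192.168.1.0", "0.0.0.255")),
    ("permit", ("192.168.25.0", "0.0.0.255"), "any"),
]

# ip access-list extended INTERNET_ACCESS (referenced by 'ip nat inside source list ... overload')
INTERNET_ACCESS = [
    ("deny",   ("192.168.1.0", "0.0.0.255"), ("192.168.25.0", "0.0.0.255")),
    ("permit", ("192.168.1.0", "0.0.0.255"), "any"),
    ("permit", ("192.168.25.0", "0.0.0.255"), "any"),
]

def policy_next_hop(src, dst):
    """route-map VPN_INTERNET_ACCESS permit 10: packets the ACL permits get
    'set ip next-hop 2.2.2.2' (the loopback side that carries 'ip nat inside');
    everything else falls back to the normal routing table (None here)."""
    if acl_action(VPN_INTERNET_ACCESS, src, dst) == "permit":
        return "2.2.2.2"
    return None

def nat_translated(src, dst):
    """A flow is PAT'd behind GigabitEthernet0/0 only if INTERNET_ACCESS permits it."""
    return acl_action(INTERNET_ACCESS, src, dst) == "permit"

def classify(src, dst):
    """Combined view of one flow: where policy routing sends it and whether NAT applies."""
    return {"src": src, "dst": dst,
            "policy_next_hop": policy_next_hop(src, dst),
            "nat": nat_translated(src, dst)}

if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.10 stands in for an Internet host.
    for src, dst in [("192.168.25.5", "203.0.113.10"),   # VPN client to Internet
                     ("192.168.25.5", "192.168.1.20"),   # VPN client to LAN host
                     ("192.168.1.20", "203.0.113.10"),   # LAN host to Internet
                     ("192.168.1.20", "192.168.25.5")]:  # LAN host to VPN client
        print(classify(src, dst))
```

The ordering of the entries is what makes this work: the deny line at the top of VPN_INTERNET_ACCESS keeps client-to-LAN traffic off the policy route so it is routed normally, and the matching deny in INTERNET_ACCESS keeps LAN-to-client traffic from being translated. Keep in mind that "ip policy route-map" is evaluated only for packets received on the interface it is applied to, so check that the interface carrying it is the one where the decapsulated client traffic actually enters the router.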
07-16-2012 10:31 AM
In addition to my previous post, please check this other option which I forgot (kinda rusty on L2TP/IPsec):
ASA Intercept DHCP:
A DHCP server does not need to be configured. It basically intercepts the DHCPINFORM message from the L2TP client and responds with the following parameters:
1 Subnet Mask (from "intercept-dhcp 255.255.255.128 enable")
15 DNS Domain Name (from "split-dns value test.com")
249 Classless Static Route (Microsoft) (from VPN_SPLIT ACL)
The configuration looks like following:
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_SPLIT
 split-dns value test.com
 intercept-dhcp 255.255.255.128 enable ---> Same as in the VPN pool.
 address-pools value VPN_POOL
ip local pool VPN_POOL 192.168.10.1-192.168.10.126 mask 255.255.255.128
access-list VPN_SPLIT standard permit 192.168.15.0 255.255.255.0
access-list VPN_SPLIT standard permit 172.16.1.0 255.255.255.0
In addition uncheck the "Use default gateway on remote network" checkbox in the L2TP client settings.
Please let me know if you have any questions.
Thanks.
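As an added example (not from the post and not Cisco's code), here is a Python encoder and decoder for the DHCP option 249 payload that the intercept-dhcp feature above hands to the client for the VPN_SPLIT networks, together with the address-only split decision a client makes from those routes. The router address 192.168.10.1 is an assumption (first address of VPN_POOL; the post does not state what the ASA fills in), and 203.0.113.10 is a constructed Internet host.

```python
import ipaddress
import math

# Added example, not from the post: option 249 (Microsoft Classless Static Route)
# uses the same wire format as RFC 3442 option 121. Per route: one byte of prefix
# width, only the significant octets of the destination, then the 4-octet router.

def encode_classless_static_routes(routes):
    """routes: iterable of (destination CIDR, router). Returns the option payload
    without the option code and length bytes."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        significant = math.ceil(net.prefixlen / 8)
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)

def build_option_249(routes):
    """Full option: code 249, length byte, payload. A DHCP option payload is at most 255 bytes."""
    payload = encode_classless_static_routes(routes)
    if len(payload) > 255:
        raise ValueError("too many routes for a single option 249")
    return bytes([249, len(payload)]) + payload

def decode_classless_static_routes(payload):
    """Inverse of the encoder; rejects bad prefix widths and truncated entries."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        if width > 32:
            raise ValueError("invalid prefix width %d" % width)
        significant = math.ceil(width / 8)
        i += 1
        if i + significant + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = payload[i:i + significant] + b"\x00" * (4 - significant)
        router = payload[i + significant:i + significant + 4]
        i += significant + 4
        routes.append(("%s/%d" % (ipaddress.IPv4Address(dest), width),
                       str(ipaddress.IPv4Address(router))))
    return routes

def goes_through_tunnel(routes, dst_ip):
    """Split-tunnel decision as the client sees it: the routes carry only destination
    prefixes, no protocol or port, so the choice is purely by address."""
    return any(ipaddress.IPv4Address(dst_ip) in ipaddress.IPv4Network(dest)
               for dest, _ in routes)

# The two networks from 'access-list VPN_SPLIT'. The router address is an assumption:
# 192.168.10.1 is the first address of VPN_POOL and stands in for the tunnel gateway.
VPN_SPLIT_ROUTES = [("192.168.15.0/24", "192.168.10.1"),
                    ("172.16.1.0/24", "192.168.10.1")]
VPN_SPLIT_OPTION = build_option_249(VPN_SPLIT_ROUTES)

if __name__ == "__main__":
    print(VPN_SPLIT_OPTION.hex())
    print(decode_classless_static_routes(VPN_SPLIT_OPTION[2:]))
    print(goes_through_tunnel(VPN_SPLIT_ROUTES, "192.168.15.7"),
          goes_through_tunnel(VPN_SPLIT_ROUTES, "203.0.113.10"))
```

The format carries nothing but prefix and router: there is no protocol or port field, so a client that installs these routes can split traffic only by destination address, never by application.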
07-16-2012 09:31 PM
Hi Javier,
Killer suggestion! I have forwarded the link to Cisco support to help me implement or add ideas or suggestions. THANKS for getting the ball rolling. I will post the findings from support. Wicked!
Thanks for taking the time to reply.
Jason
07-17-2012 05:32 AM
Dear Jason,
I am glad to hear that.
Please keep us posted.
Have a good one.
* Please rate any post you find helpful.
07-17-2012 05:36 PM
Hi Javier,
One more question for you. My gigabit 0/1 Interface is the isp interface. As per the example link I used in the post, the gig0/1 interface includes the following command for the tunnel :
crypto map L2TP-IPSEC
So, given the details you gave me, what if I DON'T want all the traffic to go through the tunnel? Will an ACL work, OR do I have to modify the details you gave me?
I am pretty new at this stuff, but, learning it pretty quick....
Ideas?
Once again, thanks for your time!
Jason
07-17-2012 10:27 PM
Hi Jason,
Please refer to my post from Jul 17, 2012 11:24 PM; it actually includes an ACL named VPN_SPLIT, which is the one in charge of defining the specific networks that the VPN client will attempt to reach through the tunnel.
In other words, it splits the traffic.
Keep me posted
Please rate this post if you find it helpful.
07-22-2012 05:45 PM
Hi Javier,
Was outta town for a bit..
Anyways, going back to my ACL question. What if I wanted certain traffic, such as web traffic, to use the local ISP-generated IP, and all other traffic to use the virtual-ppp interface IP?
How would I incorporate it into the VPN_SPLIT example you gave me?
Maybe provide an example, and that should get me going.
Once again, THANKS for your input and time!
Jason
07-25-2012 06:29 AM
Hi Jason,
Sorry for any delay.
Unfortunately it is not possible to differentiate the traffic, since the client will install the static routes without any protocol / port specification.
Let me know.
Please rate this post if you find it helpful.
07-26-2012 12:26 PM
Hi Jason,
I just noticed that you opened a TAC case with one of my teammates about this issue.
Working with him, we enabled full-duplex and speed 1000 on both inside and outside interfaces, also set the MTU value to 1380 and the TCP MSS to 1200 and that allowed Internet access.
* I would recommend that you contact your ISP, because there is a packet-loss issue across the PPP link.
Let me know if you run into any further issues.
Thanks for your time.
Please rate this post if you find it helpful.