Cisco 1900 - L2TP VPN Client Surf Internet through Cisco 1900

Hi everybody,

I have a Cisco 1900 router with an L2TP VPN client configured. I need the VPN clients (subnet 192.168.3.0) to be able to reach only 192.168.1.0, but I also need them to surf the Internet with the public IP of the Cisco router (interface Dialer1). Could you help me please? :-)


Here is the config:


Building configuration...

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service password-recovery
!
hostname XXXXXXXXXXXXX
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone UTC 1 0
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
!
!
ip dhcp excluded-address 192.168.16.1 192.168.16.49
ip dhcp excluded-address 192.168.16.201 192.168.16.254
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.201 192.168.1.254
ip dhcp excluded-address 192.168.10.1 192.168.10.2
!
ip dhcp pool POOL1
network 192.168.16.0 255.255.255.0
default-router 192.168.16.1
domain-name xxxxxxxxxxxxx
dns-server 8.8.8.8 1.1.1.1
lease 0 1 30
!
ip dhcp pool POOL2
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 1.1.1.1
lease 0 1 30
!
ip dhcp pool POOL_VoIP
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8 1.1.1.1
lease 0 1 30
!
!
!
ip domain name xxxxxxxxxx
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group L2TP
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
!
!
!
username Admin
!
redundancy
!
!
!
!
!
ip ssh time-out 90
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 12345 address 0.0.0.0
!
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
mode transport
!
!
!
crypto dynamic-map dyn-map 10
set nat demux
set transform-set L2TP-Set2
!
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
!
!
!
!
interface Loopback1
description loopback for IPsec-pool
ip address 192.168.3.20 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description FTTH 1Gb
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.11
description FTTH 1Gb
encapsulation dot1Q 11
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1
ip address 192.168.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 3
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.4000
encapsulation dot1Q 4000 native
!
interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address pool l2tp-pool
ppp authentication ms-chap-v2 VPDN_AUTH
ppp ipcp dns 8.8.8.8 1.1.1.1
!
interface Dialer1
description FTTH 1Gb
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp pap sent-username xxxxxxxxxxxxxxxxxx
no cdp enable
crypto map outside_map
!
ip local pool l2tp-pool 192.168.3.1 192.168.3.19
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 111 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.6 80 interface Dialer1 8083
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
!
access-list 111 remark --------------------------
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 111 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit ip 192.168.3.0 0.0.0.255 any
access-list 111 permit ip 192.168.16.0 0.0.0.255 any
access-list 111 permit ip 192.168.10.0 0.0.0.255 any
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input ssh
transport output all
!
scheduler allocate 20000 1000
!
end


2 Replies

Cristian Matei
VIP Alumni

Hi,

You need to create and apply a VPN filter, where you control the traffic allowed ingress/egress from/to VPN clients. For example:

access-list 150 deny ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 150 deny ip 192.168.3.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 150 permit ip 192.168.3.0 0.0.0.255 any
!
crypto dynamic-map dyn-map 10
 set ip access-group 150 in


I see that the NAT config looks good, so you should also have Internet access.


Regards,

Cristian Matei.

but it doesn't work. I can reach all internal subnets from the VPN, and the VPN client doesn't surf (I tried to ping 8.8.8.8).
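To make the intended behaviour of the two ACLs in this thread concrete, here is an added example (not code from the original post or from Cisco IOS): a small Python model of IOS numbered-ACL semantics (first matching entry wins, implicit deny at the end, wildcard masks as inverted subnet masks) run over the NAT ACL 111 from the original config and the VPN filter ACL 150 from the reply above. The client address 192.168.3.5 and the destination addresses used for the flows are constructed test values, and the order of operations in classify_vpn_flow (VPN filter first, then the NAT decision) is a simplification assumed by this example, not a statement about how this particular router processed the traffic.

```python
import ipaddress
from dataclasses import dataclass

# Added example: a model of Cisco IOS numbered-ACL semantics (first match
# wins, implicit deny at the end) applied to the two ACLs in this thread.
# It is not IOS code and not part of the original post.


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination networks."""
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted subnet masks: 0.0.0.255 -> /24."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD')."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> list:
    """Parse 'access-list N permit|deny ip SRC DST' lines; remarks are skipped."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        action = parts[2]          # parts[3] is the protocol keyword ("ip")
        src, rest = _parse_addr(parts[4:])
        dst, _ = _parse_addr(rest)
        aces.append(Ace(action, src, dst))
    return aces


def evaluate(aces, src_ip: str, dst_ip: str) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


# ACL 111 is the NAT ACL from the original config; ACL 150 is the VPN filter
# suggested in the reply. Both are copied verbatim from the thread.
ACL_111 = parse_acl("""
access-list 111 remark --------------------------
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 111 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit ip 192.168.3.0 0.0.0.255 any
access-list 111 permit ip 192.168.16.0 0.0.0.255 any
access-list 111 permit ip 192.168.10.0 0.0.0.255 any
""")

ACL_150 = parse_acl("""
access-list 150 deny ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 150 deny ip 192.168.3.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 150 permit ip 192.168.3.0 0.0.0.255 any
""")


def classify_vpn_flow(src_ip: str, dst_ip: str) -> str:
    """Simplified order of operations (an assumption of this example):
    the VPN filter is checked first, then ACL 111 decides whether the
    packet is translated to Dialer1's address or routed untranslated."""
    if evaluate(ACL_150, src_ip, dst_ip) == "deny":
        return "dropped by VPN filter"
    if evaluate(ACL_111, src_ip, dst_ip) == "permit":
        return "forwarded via NAT on Dialer1"
    return "forwarded untranslated"


if __name__ == "__main__":
    # Constructed sample flows from one VPN client (192.168.3.5 is a test value)
    for dst in ("192.168.1.10", "192.168.10.5", "192.168.16.5", "8.8.8.8"):
        print(f"192.168.3.5 -> {dst:<13} {classify_vpn_flow('192.168.3.5', dst)}")
```

Running the model shows the split the two ACLs are meant to produce: traffic from the VPN pool to 192.168.1.0/24 passes the filter and hits the deny entry in ACL 111, so it is routed without translation (plain internal access); traffic to 192.168.10.0/24 and 192.168.16.0/24 is stopped by ACL 150; and traffic to 8.8.8.8 passes the filter and matches the permit entry in ACL 111, so it is translated to the Dialer1 address. A source outside every listed subnet falls through to the implicit deny of ACL 111 and is never translated, which is worth checking whenever a new pool or VLAN is added.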