Cisco 871w internet access through vpn server without split tunneling

jdharsee
Level 1

Hi,

I am trying to utilize the internet on my router for VPN clients rather than the client using its own internet for non-private traffic. Just like a relay, I guess.

I have followed the guide at the link below and have had some success. I can currently ping internal and external devices from the client, but that is it. Any time I try to use any protocol like www, I get nothing. The only thing I can do is ping; for example, I can ping google.com but I cannot connect to google.com using a web browser.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

It's been a long time since I have worked with Cisco devices, and I am hoping someone out there can help me out. Below is my running config.

I used Cisco SDM to configure the Easy VPN server and then used the CLI with the link above to try to accomplish my goal.

Thanks

JD

Building configuration...

Current configuration : 8068 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname JamNet
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone NewYork -5
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.1.1 10.1.1.63
ip dhcp excluded-address 10.1.1.128 10.1.1.254
!
ip dhcp pool sdm-pool1
   import all
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.1
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-138283221
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-138283221
 revocation-check none
 rsakeypair TP-self-signed-138283221
!
!
crypto pki certificate chain TP-self-signed-138283221
 certificate self-signed 01


  quit
username admin privilege 15 secret 5
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group JamNet
 key
 dns 208.180.42.68 208.180.42.100
 pool SDM_POOL_1
 save-password
 banner ^CWelcome to JamRock     ^C
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set security-association idle-time 14400
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
bridge irb
!
!
interface Loopback0
 ip address 10.1.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map VPN-Client
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Dot11Radio0
 no ip address
 !
 broadcast-key membership-termination capability-change
 !
 !
 encryption mode ciphers tkip
 !
 ssid JamNet
    authentication open
    authentication key-management wpa
    guest-mode
    infrastructure-ssid optional
    wpa-psk ascii 7
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip local pool SDM_POOL_1 10.1.2.64 10.1.2.127
ip classless
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 103 interface FastEthernet4 overload
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 208.180.42.100 eq domain any
access-list 101 permit udp host 208.180.42.68 eq domain any
access-list 101 permit ip 10.1.2.64 0.0.0.63 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny   ip 10.1.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip any 10.1.2.64 0.0.0.63
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip any any
access-list 103 remark SDM_ACL Category=18
access-list 103 deny   ip any 10.1.2.0 0.0.0.255
access-list 103 permit ip any any
access-list 144 permit ip 10.1.2.0 0.0.0.255 any
no cdp run
route-map VPN-Client permit 10
 match ip address 144
 set ip next-hop 10.1.3.2
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
 set ip next-hop 10.1.3.2
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
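As an added illustration (not part of the original post), the Python below applies IOS wildcard-mask, first-match semantics to the posted access-list 101, the inbound filter on FastEthernet4, so sample flows can be checked against what the list permits statically: IKE and ESP from anywhere, anything sourced from the pool 10.1.2.64/26 (the decrypted client traffic), DNS replies from the two configured servers, and ICMP echo-reply. The router's WAN address 198.51.100.7 and the outside peer addresses used in the checks are constructed values, since the real address comes from DHCP.

```python
import ipaddress
# Rule lines of access-list 101 as posted above (remarks omitted); applied inbound on FastEthernet4
ACL_101 = """
access-list 101 permit udp host 208.180.42.100 eq domain any
access-list 101 permit udp host 208.180.42.68 eq domain any
access-list 101 permit ip 10.1.2.64 0.0.0.63 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny   ip 10.1.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any
"""
PORTS = {"domain": 53, "isakmp": 500, "non500-isakmp": 4500, "bootps": 67, "bootpc": 68}

def ip(a): return int(ipaddress.IPv4Address(a))  # dotted quad -> 32-bit int

def parse_addr(tok):
    # IOS address spec 'any' | 'host A' | 'A wildcard' -> (network, wildcard) as ints
    t = tok.pop(0)
    return (0, 0xFFFFFFFF) if t == "any" else (ip(tok.pop(0)), 0) if t == "host" else (ip(t), ip(tok.pop(0)))

def parse_qualifier(tok):
    # optional 'eq <port>' after an address, or a bare ICMP message type after the destination
    if tok and tok[0] == "eq":
        name = tok.pop(1); tok.pop(0)
        return PORTS[name] if name in PORTS else int(name)
    return tok.pop(0) if tok and tok[0] not in ("any", "host") and not tok[0][0].isdigit() else None

def acl_permits(acl, proto, src, dst, sport=None, dport=None, icmp_type=None):
    """First-match evaluation of a numbered extended ACL; a 1 bit in a wildcard means don't-care."""
    for line in acl.strip().splitlines():
        action, prot, *rest = line.split()[2:]          # drop the 'access-list 101' prefix
        s_net, s_wc = parse_addr(rest); s_q = parse_qualifier(rest)
        d_net, d_wc = parse_addr(rest); d_q = parse_qualifier(rest)
        if prot not in ("ip", proto) or (ip(src) ^ s_net) & ~s_wc & 0xFFFFFFFF or (ip(dst) ^ d_net) & ~d_wc & 0xFFFFFFFF:
            continue
        if (s_q is not None and s_q != sport) or (d_q is not None and d_q != (icmp_type if proto == "icmp" else dport)):
            continue
        return action == "permit"
    return False                                        # the implicit deny at the end of every ACL
```

A returning TCP flow such as a web server's reply to the router's WAN address matches no static line and falls to the final deny; on this box such replies depend on the dynamic openings that `ip inspect DEFAULT100 out` creates on the same interface, which is why a static evaluation of the list alone shows them denied.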

1 Reply

Michael Muenz
Level 5

Your inspections don't include http?

Michael
Please rate all helpful posts