11-03-2022 04:32 AM
I have created a VPN connection to my Cisco router, but it does not work as I want it to.
My requirement is to be able to connect via VPN and reach the VLAN interfaces and the internet as well.
Two scenarios:
If I connect to the VPN with "Use default gateway on the remote network" enabled, I am able to reach the VLAN interfaces but have no internet access.
If I connect to the VPN with "Use default gateway on the remote network" disabled, I am able to reach the internet but not the VLAN interfaces.
Sorry, I am not an expert and I am pretty sure I have a misconfiguration here...
Below is my config:
Current configuration : 6461 bytes
!
! Last configuration change at 10:30:47 UTC Thu Nov 3 2022
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 9 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
aaa authentication ppp default local
aaa authorization network default local
!
!
aaa session-id common
!
ip dhcp pool VLAN50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 8.8.8.8
lease 0 8
!
ip dhcp pool VLAN90
network 192.168.90.0 255.255.255.0
default-router 192.168.90.1
dns-server 8.8.8.8
lease 0 2
!
ip dhcp pool POOL_L2TP_USERS
network 192.168.100.0 255.255.255.0
lease 0 2
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
vpdn session-limit 100
!
vpdn-group L2TP_REMOTE_USERS
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key xxxxxxxxxx address 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
!
!
crypto dynamic-map CRYPTO_MAP_REMOTE_USERS 10
set nat demux
set transform-set ESP-3DES-SHA
!
!
crypto map CRYPTO_MAP 100 ipsec-isakmp dynamic CRYPTO_MAP_REMOTE_USERS
!
!
!
!
!
interface Loopback1
description L2TP VPN ENDPOINT
ip address 192.168.100.1 255.255.255.0
ip access-group VPN in
!
interface GigabitEthernet0
description TRUNK
switchport mode trunk
no ip address
!
interface GigabitEthernet4
description WAN
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map CRYPTO_MAP
!
!
interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address pool POOL_L2TP
ppp mtu adaptive
ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
no ip address
!
interface Vlan10
description VLAN10-MGMT
ip address 192.168.10.1 255.255.255.0
ip access-group Vlan_10 in
ip nat inside
ip virtual-reassembly in
!
interface Vlan50
description VLAN50-OFFICE
ip address 192.168.50.1 255.255.255.0
ip access-group Vlan_20 in
ip nat inside
ip virtual-reassembly in
!
interface Vlan90
description VLAN90-VISITOR
ip address 192.168.90.1 255.255.255.0
ip access-group Vlan_30 in
ip nat inside
ip virtual-reassembly in
!
ip local pool POOL_L2TP 192.168.100.50 192.168.100.150
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet4 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet4
ip ssh time-out 60
!
ip access-list extended VPN
permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.50.0 0.0.0.255 192.168.100.0 0.0.0.255
ip access-list extended Vlan_10
permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
ip access-list extended Vlan_50
permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended Vlan_90
deny ip 192.168.90.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.90.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip any any
!
!
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.90.0 0.0.0.255
access-list 1 deny 192.168.100.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
!
end
11-03-2022 06:33 AM
You need to configure NAT for VPN remote access.
The virtual-template is ip nat inside.
Also, you need to include the remote access pool in the NAT overload ACL.
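An added example, not from this thread: a small Python check that reads an IOS running-config like the one posted above and flags what this reply points at (a Virtual-Template without ip nat inside, and a VPN pool address that the NAT overload ACL does not permit), plus one more thing visible in the posted config: ip access-group lines that reference ACLs never defined (Vlan_20 and Vlan_30 are applied, while the defined ones are Vlan_50 and Vlan_90), which IOS treats as permit-all. The config excerpt is constructed from the posted config and reduced to the lines that matter.

```python
import ipaddress
import re

# Constructed excerpt of the running-config posted above: only the lines
# that carry the two problems this check looks for.
CONFIG = """\
interface Virtual-Template1
 peer default ip address pool POOL_L2TP
interface Vlan50
 ip access-group Vlan_20 in
 ip nat inside
ip local pool POOL_L2TP 192.168.100.50 192.168.100.150
ip nat inside source list 1 interface GigabitEthernet4 overload
ip access-list extended Vlan_50
 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 deny 192.168.100.0 0.0.0.255
"""

def nat_verdict(config, addr):
    """First-match result of the NAT overload ACL for one source address."""
    acl = re.search(r"^ip nat inside source list (\S+)", config, re.M).group(1)
    for action, net, wild in re.findall(
            rf"^access-list {acl} (permit|deny) (\S+) (\S+)", config, re.M):
        if ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{wild}"):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

def audit(config):
    """Return findings: undefined ACL references and VPN clients left out of NAT."""
    findings = []
    defined = set(re.findall(r"^ip access-list \S+ (\S+)", config, re.M))
    pools = dict(re.findall(r"^ip local pool (\S+) (\S+) \S+", config, re.M))
    # Each interface block: the 'interface X' line plus its indented sub-commands.
    for name, block in re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        cmds = [line.strip() for line in block.splitlines()]
        for cmd in cmds:
            if cmd.startswith("ip access-group ") and cmd.split()[2] not in defined:
                findings.append(f"{name}: ACL {cmd.split()[2]} is undefined, so nothing is filtered")
            if cmd.startswith("peer default ip address pool "):
                start = pools[cmd.split()[-1]]  # first address handed to VPN clients
                if "ip nat inside" not in cmds:
                    findings.append(f"{name}: no 'ip nat inside', VPN traffic is not NATed")
                if nat_verdict(config, start) != "permit":
                    findings.append(f"NAT ACL does not permit VPN pool address {start}")
    return findings
```

Run against the full posted config it reports the same three classes of finding; after adding ip nat inside to Virtual-Template1 and permitting 192.168.100.0/24 in access-list 1, only the undefined-ACL findings remain.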
11-03-2022 08:22 AM
Thanks for your feedback, but I would prefer split tunneling. For some reason it does not work.
access-list vpnacl permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
crypto isakmp client configuration group GROUPNAME
acl vpnacl
11-05-2022 09:11 AM
Hi friend,
did you configure the ACL as listed below?
access-list vpnacl permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
192.168.100.0 0.0.0.255 <<- Secure LAN
192.168.10.0 0.0.0.255 <<- this must be VPN Pool