cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1601
Views
10
Helpful
17
Replies

Getting vpn clients access to windows shares and internet VIA cisco 871?

jamarkle
Level 1
Level 1

I'm trying to setup a home VPN using a 871. I can get clients to connect to the 871 and they can ssh, ftp, and ping to hosts that are on the inside of the 871, and vise versa. However, I can't get the vpn client to access a windows share that a machine on the inside of the 871 has setup. I also can't get the vpn client to have internet access THROUGH the 871; I want the traffic to go through the VPN tunnel, then out the 871's WAN port and back through the tunnel to the client, ie: i don't want to enable split-tunneling.

I've mostly configured the router with SDM. Is there something I'm missing that needs to be configured to allow these two things? Thanks in advance.

-Jason

17 Replies 17

gfullage
Cisco Employee
Cisco Employee

Windows networking over a VPN is always a bit of an issue, usually cause it was designed to run on a local network and uses multicasts/broadcast type packets, which won't go over a VPN. There's nothing specific you can do as far as the config on the 871 is concerned to make this work (other than make sure you're sending down the internal WINS server addresses). Make sure on each VPN client you set "Use Netbios over TCP/IP" under the TCP/IP properties under the LAN card (or modem), that should get you going.

Now, the problem with going to the Internet is a bit more difficult. Presumably your pool of VPN addresses is a private subnet. The reason VPN users can't browse to the Internet is that their VPN packets come in with a source addresses of one of those private IP addresses, but they then don't get NAT'd to a routable address because they come in and go out on the same interface. This interface (your outside int) presumably has "ip nat outside" configured on it, but for a packet to be NAT'd it needs to come in on an "ip nat inside" interface and go out a "ip nat outside" interface. For your VPN packets to be NAT'd they need to be policy routed through another interface with "ip nat inside" configured on it.

I haven't tested this (I've done it before for customers so it does work, just don't have a copy of it handy) but let's say you have the following:

ip local pool vpnpool 10.2.2.1 10.2.2.254

int ethernet 0

   ip address 10.1.1.1

   ip nat inside

int Serial0

   ip address 200.1.1.1

   ip nat outside

ip nat inside source list 100 interface Serial0 overload

access-list 100 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

access-list 100 permit ip 10.1.1.0 0.0.0.255 any

then this says don't NAT the outbound traffic if it's going back to a VPN client. Traffic from your VPN client though will come in on Serial0 and if it's destined for the Internet, it'll go straight back out the Serial0 int, so it won't be NAT'd and so it's source address will still be 10.2.2.x. When this gets to say, www.google.com and the reply is sent, it'll get dropped at the first router on the way back. You need to route traffic from a VPN client, going to anything other than 10.1.1.0, thru another interface with an "ip nat inside" configured on it.

The following should work for you:

ip local pool vpnpool 10.2.2.1 10.2.2.254

int Loopback0

   description Dummy interface

   ip address 1.1.1.1 255.255.255.0

   ip nat inside

int ethernet 0

   ip address 10.1.1.1

   ip nat inside

int Serial0

   ip address 200.1.1.1

   ip nat outside

   ip policy route-map ToInternet

ip nat inside source list 100 interface Serial0 overload

access-list 100 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

access-list 100 permit ip 10.1.1.0 0.0.0.255 any

access-list 150 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 150 permit ip 10.2.2.0 0.0.0.255 any

route-map ToInternet permit 10

   match ip address 150

   set ip next-hop 1.1.1.2

I *think* that'll work, although can't be sure without verifying it. This'll will certainly be closer to working than just the standard VPN config, and hopefully you can see the point I'm trying to get across.

gfullage,

Thanks for the tips. I'll try them tonight when i get home. One question about the WINS server though, I'm not sure I have an 'internal' WINS server. This is just a little home network with basically on PC and one or two laptops behind the 871. What WINS server IP should I be sending to the VPN clients? I'm pretty sure I tried sending the 871's internal ip (192.168.1.1) and that didn't seem to help.

Also, about netbios over tcp/ip, I'm running XP on both windows machines (the vpn client and the one that has the share) and i just looked on the vpn client machine and it has (under the advanced tcp/ip settings, WINS tab) the 'default' setting chosen; to use netbios over tcp/ip if there is a static ip or the dhcp server doesn't provide a netbios setting, which i can't imagine that the 871 (dhcp server) is providing a netbios setting, so it should be tring to use netbios over tcp/ip.

I'll let you know how the internet use part works out when i get home tonight and try it.

Thanks again!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authentication login sdm_vpn_xauth_ml_2 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

aaa authorization network sdm_vpn_group_ml_2 local

!

aaa session-id common

!

resource policy

!

clock timezone EST -5

clock summer-time EDT recurring last Sun Apr 2:00 last Sun Oct 2:00

ip subnet-zero

no ip source-route

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.247

!

ip dhcp pool sdm-pool1

import all

network 192.168.1.0 255.255.255.0

default-router 192.168.1.1

!

ip dhcp pool server_static_dhcp

host 192.168.1.105 255.255.255.0

client-identifier 0100.e04c.b9ad.66

client-name server

!

ip tcp synwait-time 10

ip vrf test-vrf

!

no ip bootp server

ip domain name domain.name

ip host server 192.168.1.105

ip ssh time-out 60

ip ssh authentication-retries 2

ip inspect name DEFAULT100 cuseeme

ip inspect name DEFAULT100 ftp

ip inspect name DEFAULT100 h323

ip inspect name DEFAULT100 icmp

ip inspect name DEFAULT100 netshow

ip inspect name DEFAULT100 rcmd

ip inspect name DEFAULT100 realaudio

ip inspect name DEFAULT100 rtsp

ip inspect name DEFAULT100 esmtp

ip inspect name DEFAULT100 sqlnet

ip inspect name DEFAULT100 streamworks

ip inspect name DEFAULT100 tftp

ip inspect name DEFAULT100 tcp

ip inspect name DEFAULT100 udp

ip inspect name DEFAULT100 vdolive

ip ips sdf location flash:my-signatures.sdf

ip ips notify SDEE

!

!

!

crypto pki trustpoint TP-self-signed-4009856397

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4009856397

revocation-check none

rsakeypair TP-self-signed-4009856397

!

!

crypto pki certificate chain TP-self-signed-4009856397

certificate self-signed 01

quit

username cisco privilege 15 secret 5

username vpn_client privilege 0 password 7

!

!

!

crypto isakmp policy 1

encr aes 256

group 5

!

crypto isakmp policy 2

encr aes 256

authentication pre-share

group 5

!

crypto isakmp client configuration group fruitpie_subnet_3

key

dns 24.25.5.150

wins 192.168.1.1

pool SDM_POOL_2

include-local-lan

!

!

crypto ipsec transform-set AES_256_ESP_SHA esp-aes 256 esp-sha-hmac

crypto ipsec transform-set AES_192_ESP_SHA esp-aes 192 esp-sha-hmac

crypto ipsec transform-set AES_128_ESP_SHA esp-aes esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set AES_256_ESP_SHA

reverse-route

!

!

crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

interface Loopback0

description dummy interface for vpn clients to access internet

ip address 192.168.3.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description WAN$FW_OUTSIDE$$ES_WAN$$ETH-WAN$

ip address dhcp client-id FastEthernet4

ip access-group 101 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip inspect DEFAULT100 out

ip virtual-reassembly

ip route-cache flow

ip policy route-map vpn_to_internet

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 192.168.1.1 255.255.255.0

ip access-group 100 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip route-cache flow

ip tcp adjust-mss 1452

!

ip local pool SDM_POOL_2 192.168.3.2 192.168.3.7

ip classless

!

ip dns server

ip dns spoofing

!

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload

!

ip access-list extended permit_lan_addresses

remark permit local lan and vpn addresses

remark SDM_ACL Category=1

remark permit local LAN IPs

permit ip 192.168.0.0 0.0.255.255 any

remark Default Deny

deny ip any any

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 100 remark auto generated by Cisco SDM Express firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 deny ip host 255.255.255.255 any

access-list 100 deny ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 100 remark auto generated by Cisco SDM Express firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 remark auto generated by Cisco SDM Express firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 remark auto generated by Cisco SDM Express firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 remark auto generated by Cisco SDM Express firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 101 remark auto generated by Cisco SDM Express firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 permit ip host 192.168.3.2 any

access-list 101 permit ip host 192.168.3.3 any

access-list 101 permit ip host 192.168.3.4 any

access-list 101 permit ip host 192.168.3.5 any

access-list 101 permit ip host 192.168.3.6 any

access-list 101 permit ip host 192.168.3.7 any

access-list 101 permit ip 192.168.3.0 0.0.0.7 any

access-list 101 permit udp any any eq non500-isakmp

access-list 101 permit udp any any eq isakmp

access-list 101 permit esp any any

access-list 101 permit ahp any any

access-list 101 permit udp host 24.25.4.108 eq domain any

access-list 101 permit udp host 24.25.4.107 eq domain any

access-list 101 remark Auto generated by SDM for NTP (123) 129.6.15.28

access-list 101 permit udp host 129.6.15.28 eq ntp any eq ntp

access-list 101 remark Auto generated by SDM for NTP (123) 129.6.15.29

access-list 101 permit udp host 129.6.15.29 eq ntp any eq ntp

access-list 101 permit udp any eq bootps any eq bootpc

access-list 101 deny ip 192.168.1.0 0.0.0.255 any

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any unreachable

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip host 255.255.255.255 any

access-list 101 deny ip any any

access-list 102 remark SDM_ACL Category=4

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 103 remark NAT acl map - defines what traffic gets NAT'd

access-list 103 remark SDM_ACL Category=2

access-list 103 deny ip any host 192.168.3.2

access-list 103 deny ip any host 192.168.3.3

access-list 103 deny ip any host 192.168.3.4

access-list 103 deny ip any host 192.168.3.5

access-list 103 deny ip any host 192.168.3.6

access-list 103 deny ip any host 192.168.3.7

access-list 103 deny ip any 192.168.1.0 0.0.0.255

access-list 103 permit ip 192.168.1.0 0.0.0.255 any

access-list 103 remark nat from vpn clients to internet

access-list 103 permit ip 192.168.3.0 0.0.0.255 any

access-list 150 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 150 deny ip 192.168.1.0 0.0.0.7 192.168.1.0 0.0.0.255

access-list 150 permit ip 192.168.0.0 0.0.255.255 any

no cdp run

!

route-map SDM_RMAP_1 permit 1

match ip address 103

!

route-map vpn_to_internet permit 10

match ip address 150

set interface Loopback0

!

No go. Rats...here's the config i tried.....

any more ideas? Did i not config something right according to the suggestion?

-Jason

C871#sh run

Building configuration...

Current configuration : 11725 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname c871

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200 debugging

enable secret 5

!

gfullage,

This is really well explained and I got it working with one catch - I'm not getting any DNS responses to browse by domain name, but I can browse through the tunnel by IP and also access the private lan with no problems so I know I'm close! Can you look at my latest post with my config and suggest why DNS isn't working through the tunnel?

Read here: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddec444

Thanks in advance,

Jay.

aashish.c
Level 4
Level 4

Hi Jason,

I would like to add a minor point to what gfullage said, instead of using "set ip next hop" in route, I would suggest to use :

set interface lo0

Thanks

aashish C

jamarkle
Level 1
Level 1

Gulfage,

I did some more poking around with the loopback and route-map suggestion you made, and it appears now that I can ping internet hosts from my vpn client! Thanks! However, I still can't seem to really do anything productive with an internet host as it appears that though the NAT mappings are being setup properly (from a show ip nat translations) the return packets are being droped by my default 'deny ip any any' firewall statement. Clients that are on VLAN 1 are able to connect to internet hosts fine, so it's weird that the NAT entries for the vpn clients aren't behaving the same way. Any ideas? Thanks again for the insight about the loopback and route-map!

-Jason

I'm working on the same issue. I tried the route-map and loopback suggestion listed previously and got the same results . The client can ping external hosts but cannot do anything else. The deny rule on the outside interface is blocking the response from the external web server, but why isn't the inspection rule on the outside interface allowing the response to go through?

I am experiencing a *very* similar issue. Cisco VPN client connecting to EZVPN server on a 2821.

With the configuration detailed earlier in this thread (PBR), NAT works & I can get out to Internet hosts & back from VPN clients with ICMP & UDP, but TCP gets lost somewhere.

I don't see hits on the outside interface deny rule like the previous poster. I suspect the ipnsection engine is the issue but debug ip inspect doesn't show anything of great interest.

Did anyone find a solid solution to the issue identified by the author of this thread?

No, i still haven't found a solution. I haven't been giving much time to it since, well i guess it's been over a year now. wow. I sure wish I could get this to work.

jamarkle
Level 1
Level 1

So I've actually gotten most things to work now. Since the last time I tried looking at this they've added the 'virtual tunnel interface' and 'templates' which, after starting from scratch have seemed to work for everything except the windows shares.

I can have my Mother-in-law vpn in and she can get internet access out through my 871 and see machines on my local lan (we do windows remote assistance this way, it still doesn't seem to want to work when both ppl are behind NATs).

So i've gotten everything working except the windows shares, and that arguably will be the most benificial if i can get working.....secure windows share access over the VPN. When i get home and can copy my config i'll post it to see if anyone can find something that might help w/ the windows shares....

jamarkle,

This is a really great thread, that loopback method is really easy to understand and it nearly works for me except I'm not getting dns resolution through the tunnel... Can you make a recommendation as to why mine's not resolving but I can surf by IP? At least I know my access lists are functioning and allowing/disallowing nat where needed - at least I think? My post is here: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddec444

Can I see your latest config? Maybe it will help me through this issue...

Thanks,

Jay.

Jay,

When i get home tonight i'll try and remember to post my config. The thing i remember changing to get dns resolution to work was to have the 871 be a dns server and a 'spoofer', ie

ip dns server

ip dns spoofing

(I think these are the two CLI that turn them on).

I had remembered having these turned on before and it not working, but like i said, this is what i remember turning on after i started from scratch that got the DNS resolution working for the remotely connected clients.