Getting vpn clients access to windows shares and internet VIA cisco 871?

jamarkle (Level 1)

I'm trying to set up a home VPN using an 871. I can get clients to connect to the 871 and they can ssh, ftp, and ping to hosts that are on the inside of the 871, and vice versa. However, I can't get the VPN client to access a Windows share that a machine on the inside of the 871 has set up. I also can't get the VPN client to have internet access THROUGH the 871; I want the traffic to go through the VPN tunnel, then out the 871's WAN port and back through the tunnel to the client, i.e. I don't want to enable split-tunneling.

I've mostly configured the router with SDM. Is there something I'm missing that needs to be configured to allow these two things? Thanks in advance.

-Jason

17 Replies

Thanks, I'd really like to see your example... I read about, and messed with, the DNS spoofing but haven't had any luck yet. I was wondering if the only DNS server you had access to was at your ISP, like in my situation. It really just seems like maybe the DNS responses coming from the outside interface are not being encrypted into the tunnel or something like that... Waiting for your reply, and thanks again... Jay.

jamarkle (Level 1)

Here's a scrubbed version of my currently working config. Hopefully I didn't miss any personal info. :)

Like I said, clients can VPN in and get out to the internet through my 871 while also accessing the local LAN, save for Windows shared drives.

Hi,

Thank you for your config! I would love to tell you that it helped solve the problem, but I was already configured virtually identically to you...

What ended up magically fixing it and allowing everything to work was finally figuring out what else is needed when you have CEF running... Turns out that I didn't have the route-cache and mroute-cache disabled on the outside interface, and as soon as I put in the commands everything started flowing... In fact, either CEF or the DNS service added these empty access lists right after I changed the route-cache, so I know the router is nice and happy now:

ip access-list extended UNKNOWN
ip access-list extended addr-pool
ip access-list extended idletime
ip access-list extended inacl
ip access-list extended timeout
ip access-list extended tunnel-password
ip access-list extended wins-servers

It was pretty weird to see them show up in the config by themselves; I don't think my SOHO 91 has ever acted so normally all by itself! I checked CPU usage while I was connected and surfing and it was less than 20%, and that's with my son doing online gaming at the same time, so I'm pretty happy with the performance from my old SOHO91...

So anyway, I wanted to thank you for your help, and I also attached my working config in case you or anyone else with these problems wants to see it.

By the way, in regards to using Windows shares, I haven't tried too much yet, but I believe that a WINS server is needed inside the LAN and you might also have to set your network connection to use NetBIOS over TCP. At least that's what I've read here and there. I have a testbed Server 2003 box, so I plan on turning on WINS and seeing what happens; hopefully it functions for machines that aren't logged in to the domain within the LAN, we'll see... Oh, and don't forget UDP and TCP ports 138 and 139, and TCP 445; those are also required from what I understand....

Oh, and lastly, there is a "Public Internet On A Stick" guide that depicts what we're doing, but I didn't find it until just the other day - probably might have helped!

Here: http://cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

Take care, and thanks again!

Jay.
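As an added illustration (not the poster's attached config, and not Cisco's guide), here is the shape of the two changes described in this thread on an 871's outside interface: the interface as it typically looks before, and the same interface with the route-cache and mroute-cache commands Jay added. The interface name, crypto map name, VPN pool (10.10.10.0/24) and inside LAN (192.168.1.0/24) are assumptions; the access list at the end is a hypothetical allow-list for the standard NetBIOS/SMB ports (137/udp name service, 138/udp datagram, 139/tcp session, 445/tcp SMB) from the VPN pool to the LAN, which a defender would want to keep that narrow rather than opening those ports to any source.

```cisco
! --- BEFORE: outside interface as SDM commonly leaves it (assumed names) ---
interface FastEthernet4
 description WAN / outside
 ip address dhcp
 ip nat outside
 crypto map VPNMAP
!
! --- AFTER: fast/mroute switching disabled on the outside interface,
!     per the fix described in the thread (CEF remains enabled globally) ---
interface FastEthernet4
 description WAN / outside
 ip address dhcp
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 crypto map VPNMAP
!
! --- Hypothetical allow-list for file sharing from the VPN pool to the LAN.
!     Scoped to the pool and LAN only; wildcard masks are IOS-style. ---
ip access-list extended VPN-TO-LAN-SMB
 remark NetBIOS name service (WINS lookups) and datagram service
 permit udp 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 137
 permit udp 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 138
 remark NetBIOS session service and direct-hosted SMB
 permit tcp 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 139
 permit tcp 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 445
 deny ip any any
```

After applying the interface change, `show ip interface FastEthernet4` should list IP fast switching as disabled, and `show crypto ipsec sa` on an active client session should show both encaps and decaps counters climbing for internet-bound flows, which is the quickest way to confirm that return traffic is actually re-entering the tunnel rather than being switched past it.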