04-28-2012 10:41 PM
Hi all,
I am attempting to set up a client -> server VPN using IOS 12.4 and Cisco Client 5.x. At this point, the client does connect; however, I cannot ping or send / receive data over the VPN. I am initially attempting a split-tunnel config, as they seem easier. Ideally, the client would route *all* data over the VPN, including that which is destined for the public network, in the interest of safe browsing remotely. However, I haven't got that far yet.
Currently, I have a network setup as:
FastEthernet0/0 - Public network via DHCP from ISP.
FastEthernet0/1 - Internal network on the 192.168.1.0 /24 network.
I currently have a NAT overload on FastEthernet0/0 so that internal hosts can browse the Internet. As mentioned, I would also like to have remote VPN hosts browse the Internet via this same overload.
Below is my config in full with some parts redacted. Please let me know what I am doing wrong for this split-tunnel setup, and any suggestions to get this working in a non-split-tunnel way would be great. I have been working on this for 2 days, and all the tutorials and guides I've read do not seem to work for me.
Thanks!
Trevor
--------------------------------------
!
! Last configuration change at 23:06:48 EDT Fri Apr 27 2012 by trevor
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 sometextsometextsometext
enable password somepassword
!
aaa new-model
aaa authentication login userauth local
aaa authorization network groupauth local
!
username vpnuser password 0 vpnpassword
!
!
clock timezone EST -5
clock summer-time EDT recurring
!
ip name-server 4.2.2.2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! needed to enable resolution of the URLs in the update config commands
!
ip domain lookup
!
!
ip ddns update method mydomain_update
http
add http://login:password@members.dyndns.org/nic/update?hostname=mydomain.dyndns.org&myip=<a>
interval maximum 0 0 1440 0
interval minimum 0 0 1440 0
!
!
! Applying update method to interface
!
!interface FastEthernet0/0
! ip ddns update mydomain_update
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
ip domain name mydomain.dyndns.org
!
!
username user privilege 15 secret 5 sometextsometextsometext
!
!
interface FastEthernet0/0
description *** Outside ***
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn-map
ip ddns update mydomain_update
!
!
interface FastEthernet0/1
description *** Inside ***
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Loopback0
description VPN
ip address 10.1.254.1 255.255.255.240
!
!
crypto isakmp policy 1
encryption aes
authentication pre-share
group 2
!
crypto isakmp client configuration group vpngroup
key vpnpassword
dns 4.2.2.2 4.2.2.1
domain mydomain.dyndns.org
pool vpnpool
acl 101
!
crypto ipsec transform-set vpn esp-aes esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set vpn
reverse-route
!
crypto map vpn-map client authentication list userauth
crypto map vpn-map isakmp authorization list groupauth
crypto map vpn-map client configuration address respond
crypto map vpn-map 10 ipsec-isakmp dynamic dynmap
!
!
ip nat inside source list 10 interface FastEthernet0/0 overload
!
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.254.0 0.0.0.255
!
!
!
ip local pool vpnpool 10.1.254.2 10.1.254.14
!
!radius-server host 192.168.1.201 auth-port 1645 acct-port 1646 key cisco
!
control-plane
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input ssh
!
ntp clock-period 17208002
ntp server 142.137.247.109
!
end
--------------------------------------
04-29-2012 02:07 AM
Your no nat is wrong. Deny from the inside to the remote VPN ip subnet, permit everything else.
Sent from Cisco Technical Support iPad App
04-29-2012 08:54 AM
Hi Andrew,
Thanks for the reply. The only nat statement I have is the overload for the internal hosts on the 192.168.1.0/24 network to access the Internet. Can you clarify?
I have updated access-list 101 to state:
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.254.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
04-29-2012 10:22 AM
As typically the remote IP subnet for the VPN is viewed by the device as "outside", when you are using NAT you NAT from the "Inside" to the "Outside". So you need to tell the device NOT to NAT to the remote IP subnet; otherwise you will NAT and it will not work.
04-29-2012 12:59 PM
I apologize, I'm thick here. So, I need to remove the line I added on the access-list. So access-list 101 would just be:
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
Which should pass the split-tunneling route to the client.
I then need to add a line to prevent NAT from occurring from my internal (192.168.1.0/24) network to the VPN network, which is (10.1.254.0/24). I would also need to add a new access-list to that effect. However, I should keep the existing NAT line in order to ensure that internal network machines can reach the public network, so:
no ip nat inside source list 102 interface FastEthernet0/0 overload
ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 102 permit ip 192.168.1.0 0.0.0.255 10.1.254.0 0.0.0.255
Is this correct?
Thanks again for your help!
Trevor
04-29-2012 01:06 PM
Actually, it would seem to be easier to make access-list 102 contain:
access-list 102 deny ip 192.168.1.0 0.0.0.255 10.1.254.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
then delete the existing nat overload and do:
ip nat inside source list 102 interface fastethernet0/0 overload
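To make the NAT-exemption point concrete, here is an added Python model (not from the thread, and not Cisco code) of how IOS evaluates the NAT access-list: first match wins, wildcard masks, and an unmatched packet falls through to the implicit deny. It compares the original list 10 with the corrected list 102 for inside traffic toward the VPN pool and toward the Internet. The outside address 203.0.113.10 is a constructed placeholder for the DHCP-assigned address.

```python
import ipaddress

# Constructed ACLs mirroring the thread. Entries are
# (action, src_base, src_wildcard, dst_base, dst_wildcard); "any" is 0.0.0.0 255.255.255.255.
# Standard list 10 only matches on source, which is the same as "dst any" here.
ACL_10 = [("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]
ACL_102 = [
    ("deny",   "192.168.1.0", "0.0.0.255", "10.1.254.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0",    "255.255.255.255"),
]

# Constructed placeholder for the DHCP-assigned FastEthernet0/0 address.
OUTSIDE_IP = "203.0.113.10"


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: where a wildcard bit is 0 the address bit must equal base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = (~w) & 0xFFFFFFFF          # bits the ACL entry actually checks
    return (a & care) == (b & care)


def acl_action(acl, src, dst):
    """Walk the list top-down; the first matching entry decides. No match = implicit deny."""
    for action, sbase, swild, dbase, dwild in acl:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action
    return "deny"


def nat_decision(acl, src, dst, outside_ip=OUTSIDE_IP):
    """Model 'ip nat inside source list <acl> interface Fa0/0 overload':
    a permit means the source is translated to the outside interface address,
    a deny (explicit or implicit) means the packet is left untranslated.
    Returns the source address the packet leaves the router with."""
    return outside_ip if acl_action(acl, src, dst) == "permit" else src


if __name__ == "__main__":
    # Inside host 192.168.1.10 talking to a VPN client from the pool (10.1.254.5)
    # and to a public address (the DNS server from the config).
    for name, acl in (("list 10", ACL_10), ("list 102", ACL_102)):
        print(name, "inside -> VPN client :", nat_decision(acl, "192.168.1.10", "10.1.254.5"))
        print(name, "inside -> Internet   :", nat_decision(acl, "192.168.1.10", "4.2.2.2"))
```

With list 10 the reply toward the VPN client leaves with the outside address, so it never matches the IPsec proxy identities and is lost; with list 102 it keeps its inside source while Internet-bound traffic is still overloaded.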
04-29-2012 01:14 PM
Hmm. Did not seem to work. I still cannot ping the router's vpn interface / loopback (10.1.254.1) or any of the inside machines on the 192.168.1.0/24 network.
04-29-2012 01:32 PM
It seems that when I attempt to ping from 192.168.1.x to the VPN client's IP on the 10.1.254.0 network, the number of access-list hits on the rule access-list 102 deny ip 192.168.1.0 0.0.0.255 10.1.254.0 0.0.0.255 increments.
However, when I attempt to ping from the remote client to the 192.168.1.x hosts the access-list hits on the rule access-list 102 permit ip 192.168.1.0 0.0.0.255 any increment. Neither of which results in a successful ping.
access-list 101, which is assigned to the VPN, has never had a match from what I can see.
04-29-2012 11:58 PM
Have a look at the below URL for plenty of config examples and troubleshooting.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_configuration_examples_list.html
HTH