12-29-2011 01:04 PM - edited 02-21-2020 05:47 PM
Hi all!
I am testing an EasyVPN IPsec server set up on a Cisco 891. Here is how I have it set up right now: the 891 is connected to our backup internet connection (a different ISP from our main line) and we have a Cisco 1921 as our production router.
I am experiencing a problem where, when I am on our internal network off the 1921 and I connect to the VPN on the 891, I lose all local network connectivity. Nothing works: I can't ping, can't telnet to the 1921, can't browse the internet, and it's not just DNS either.
I believe the issue lies in the configuration of the IPsec server on the 891, because when I connect to our client's Cisco IPsec VPN I experience full local connectivity with no issues whatsoever. It seems to me that ALL traffic is being routed through the tunnel.
Other than the local issues, the VPN is working fine and I can remote desktop to the PC I have set up off the 891 and telnet to the 891 from there.
Current configuration : 8967 bytes
!
! Last configuration change at 20:45:17 UTC Thu Dec 29 2011 by admin
! NVRAM config last updated at 19:52:26 UTC Thu Dec 29 2011 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname dmzrouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
aaa session-id common
!
no ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.100
!
ip dhcp pool DMZ
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 204.13.41.10 204.13.41.13
 lease 1 23 59
!
!
ip cef
ip name-server 204.13.41.10
ip name-server 204.13.41.13
ip inspect max-incomplete low 100
ip inspect max-incomplete high 300
ip inspect dns-timeout 8
ip inspect tcp idle-time 7200
ip inspect tcp finwait-time 8
ip inspect tcp max-incomplete host 100 block-time 1
ip inspect name dmz-firewall dns
ip inspect name dmz-firewall ftp
ip inspect name dmz-firewall h323
ip inspect name dmz-firewall sip
ip inspect name dmz-firewall https
ip inspect name dmz-firewall icmp
ip inspect name dmz-firewall imap
ip inspect name dmz-firewall pop3
ip inspect name dmz-firewall netshow
ip inspect name dmz-firewall rcmd
ip inspect name dmz-firewall realaudio
ip inspect name dmz-firewall rtsp
ip inspect name dmz-firewall esmtp
ip inspect name dmz-firewall sqlnet
ip inspect name dmz-firewall streamworks
ip inspect name dmz-firewall tftp
ip inspect name dmz-firewall tcp
ip inspect name dmz-firewall udp
ip inspect name dmz-firewall vdolive
ip inspect name dmz-firewall pptp
no ipv6 cef
!
!
multilink bundle-name authenticated
async-bootp dns-server 204.13.41.10 204.13.41.13
license udi pid CISCO891-K9 sn FTX154581LJ
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group testgroup
 key ****
 pool SDM_POOL_1
crypto isakmp profile ciscocp-ike-profile-1
   match identity group testgroup
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA1
 set isakmp-profile ciscocp-ike-profile-1
!
!
interface Loopback0
 ip address 10.10.0.1 255.255.255.0
!
!
!
interface FastEthernet8
 no ip address
 duplex auto
 speed auto
!
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface GigabitEthernet0
 ip address 65.183.153.14 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
 ip address 10.10.10.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
!
interface Async1
 no ip address
 encapsulation slip
!
!
router rip
 network 10.0.0.0
!
ip local pool SDM_POOL_1 10.10.10.10 10.10.10.19
ip default-gateway 65.183.153.1
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool DMZ 10.10.10.1 10.10.10.255 netmask 255.255.255.0
ip nat inside source list 10 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 65.183.153.1
ip ospf name-lookup
!
ip access-list extended sdm_gigabitethernet0_in
 permit udp host 204.13.41.10 eq domain host 65.183.153.14
 permit udp host 204.13.41.13 eq domain host 65.183.153.14
 permit ip 10.10.10.0 0.0.0.255 any
 permit icmp any host 65.183.153.14 administratively-prohibited
 permit icmp any host 65.183.153.14 time-exceeded
 permit icmp any host 65.183.153.14 unreachable
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 deny ip host 0.0.0.0 any
 deny ip any any log
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 102 permit udp host 204.13.41.10 eq domain any
access-list 102 permit udp host 204.13.41.13 eq domain any
access-list 102 deny ip 65.183.153.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 permit ip any any
no cdp run
I will post my 1921 config if anyone believes the issue might lie somewhere in there, but it is set up very similarly and the firewall ACLs are exactly the same.
12-29-2011 02:01 PM
Split tunneling is what needs to be turned on in order to allow the client to (continue to) access locally accessible network resources while connected via VPN.
I'm not sure off the top of my head if that's supported in your combination of client and VPN server but look for that feature in your setup.
Typically it will require an access-list to specify certain local traffic as being exempted from the tunnel. See the example here.
12-29-2011 02:16 PM
Marvin, Sam,
Spoke1(config)#crypto isakmp client configuration group GROUP
Spoke1(config-isakmp-group)#?
ISAKMP group policy config commands:
  access-restrict    Restrict clients in this group to an interface
  acl                Specify split tunneling inclusion access-list number
  (...omitted...)
  include-local-lan  Enable Local LAN Access with no split tunnel
If you want internet access:
I was discussing this here. You can apply ip nat inside on the VTI interface and make sure your NAT statement also includes the VPN pool subnet.
M.
12-29-2011 02:26 PM
Merci, Marcin.
The include-local-lan command appears to be a sort of shorthand for the split tunnel concept.
The article helps. Unfortunately the links you point to at the end have all moved or expired.
12-30-2011 11:08 AM
Marcin-
Thanks for your reply! I added the include-local-lan line to the group and ip nat inside to my Virtual-Template; however, I am still unable to access anything locally when on the VPN. Can you give me an example of the NAT statement you said I needed?
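The two approaches the replies above describe (a split-tunnel ACL on the client group, or include-local-lan plus NAT on the VTI), worked out against the posted 891 config as an added example. This is editorial example configuration, not a snippet from any poster in this thread. It reuses the names from the posted config (testgroup, SDM_POOL_1, Virtual-Template1, GigabitEthernet0, access-list 10, CiscoCP_Profile1); the ACL number 120 and the remark text are this example's own choices, and it assumes the client's own local LAN does not overlap 10.10.10.0/24 (the thread does not say what subnet sits behind the 1921).

```cisco
! Added example configuration (not from any poster in this thread).
! Names reused from the posted config: testgroup, SDM_POOL_1, Virtual-Template1,
! GigabitEthernet0, access-list 10, CiscoCP_Profile1.
! Assumed/chosen here: ACL number 120 and the remark text.
!
! --- Option A: split tunneling ------------------------------------------------
! The SOURCE addresses in the split-tunnel ACL are the networks the client will
! route through the tunnel. Everything else (the client's local LAN, the
! internet) leaves the client's normal interface. 10.10.10.0/24 is the 891's
! DMZ LAN in the posted config; nothing else needs to be NATed for this case.
access-list 120 remark EasyVPN split-tunnel: only the 891 DMZ LAN goes through the tunnel
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
!
! Re-entering the group keeps its existing key and pool lines; only acl is added.
crypto isakmp client configuration group testgroup
 acl 120
!
! --- Option B: full tunnel, local LAN reachable, internet via the 891 ----------
! include-local-lan keeps the client's directly connected LAN reachable without a
! split-tunnel ACL. All other client traffic still enters the tunnel, so the 891
! must NAT it out GigabitEthernet0: that needs ip nat inside on the VTI and a NAT
! ACL that matches the pool addresses (10.10.10.10-19 from SDM_POOL_1).
crypto isakmp client configuration group testgroup
 include-local-lan
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0
 ip nat inside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
! The posted access-list 10 already matches 10.10.10.0/24, which contains the
! pool, so this line is unchanged and is repeated only to show the relationship.
! If the pool is ever moved to another subnet, add a matching permit line here.
access-list 10 permit 10.10.10.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0 overload
```

Pick one option, not both: Option A sends only 10.10.10.0/24 through the tunnel, so the client keeps its local default route and no NAT on the VTI is involved; Option B keeps the full tunnel (every non-local destination is inspected and NATed by the 891) and only carves out the client's directly connected LAN. After a client connects, `show crypto ipsec sa` on the 891 shows the negotiated proxy identities, which is a quick way to confirm whether the client is protecting 0.0.0.0/0 (full tunnel) or just 10.10.10.0/24 (split). The trade-off is a policy one: with either option the client host is simultaneously reachable from its local LAN and the DMZ network, which is exactly the exposure a full tunnel without local-LAN access avoids.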