10-04-2010 04:37 PM
Hi,
I have a Cisco 871 router on my home cable modem connection. I am trying to set up a VPN and I want to send all traffic over the VPN from the connected clients (no split tunnel).
I can connect to the VPN and I can ping/access resources on my home LAN when I am remote but access to the internet dies.
If it's possible I would like to have 2 profiles set up depending on login, so one login sends all traffic over the VPN and the other login does split tunneling, but for now I would be happy to just have all traffic go over the VPN.
Here is my config.
10.10.10.XXX is my home network inside LAN
10.10.20.XXX is the IP range assigned when connecting to the VPN
FastEthernet4 is my WAN interface.
Core#show run
Building configuration...
Current configuration : 4981 bytes
!
version 12.4
service config
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Core
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
no logging buffered
enable secret 5 XXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
!
crypto pki trustpoint Core_Certificate
enrollment selfsigned
serial-number none
ip-address none
revocation-check crl
rsakeypair Core_Certificate_RSAKey 512
!
!
crypto pki certificate chain Core_Certificate
certificate self-signed 01
XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
quit
dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip name-server 75.75.75.75
ip name-server 75.75.76.76
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username XXXXXXXX privilege 15 password 7 XXXXXXXXXXXXX
username XXXXXXXX privilege 15 secret 5 XXXXXXXXXXXXX
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group Main
key XXXXXXX
dns 75.75.75.75 75.75.76.76
pool SDM_POOL_3
max-users 5
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group Main
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto ctcp port 64444
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
description $FW_INSIDE$
ip unnumbered FastEthernet4
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 10.10.30.10 10.10.30.15
ip local pool SDM_POOL_2 10.10.10.80 10.10.10.85
ip local pool SDM_POOL_3 10.10.20.10 10.10.20.15
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4 permanent
ip http server
ip http access-class 2
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.5.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 2 deny any
no cdp run
!
!
!
!
!
control-plane
!
banner login ^CThis is a private router and all access is monitored and logged.^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 2 in
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Core#
Thanks for your help!
10-04-2010 05:07 PM
This is what you need to do.
Make a route map with traffic as
{
ACL
deny remote VPN pool network to internal LAN
deny internal LAN to remote VPN pool network
permit remote VPN network to any
permit any to remote VPN pool network
set the next hop to be some loopback IP address for this traffic in the route-map
}
Next, apply this route-map to the virtual template interface.
On the loopback interface
make it ip nat inside
and make the necessary changes in the NAT rules to NAT the remote VPN pool traffic.
Now, coming to your second question of split tunneling for one and tunnel-all for the other: just make two different VPN groups and allow split tunneling in one.
10-04-2010 05:19 PM
Hi,
Thanks for the reply.
With the config changes you suggested will that still allow a VPN connection to access remote LAN resources?
Thanks.
10-04-2010 05:31 PM
Yes, you will be. That is the reason why I asked you to deny traffic from remote to internal in the route map.
10-04-2010 06:01 PM
Hi,
I think I understand what I need to do but I am still learning all this stuff.
Here is what I think I need to do. Is this correct?
ip access-list extended 100
remark CCP_ACL Category=1
deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 any
permit ip any 10.10.20.0 0.0.0.255
exit
interface Virtual-Template1 type tunnel
ip access-group 100 in
exit
I am not sure what I need to do about the loopback interface and how to set this route map as the next hop.
Also,
What nat rule changes do I need to make?
If it would make everything simpler, is it possible to have the VPN hand out 10.10.10.XXX IP's? Or will that conflict and not work?
Thanks!
10-04-2010 07:18 PM
You have the ACL correct, but remove the ACL from the virtual-template interface.
Create a route-map and call this ACL there:
route-map vpn permit 10
match ip address 100
set ip next-hop 10.11.11.1
!
where 10.11.11.1 is an example loopback interface IP; you can use anything you want here.
interface Virtual-Template1 type tunnel
ip policy route-map vpn
int loopback 0
ip address 10.11.11.1 255.255.255.255
ip nat inside
In the NAT rules for the router, add your remote VPN pool network.
10-04-2010 08:57 PM
Hi,
I did everything you said and I can still connect to the VPN and ping hosts in the 10.10.10.xx network but I cannot connect to anything on the internet still.
Here is my latest config-
version 12.4
service config
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Core
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
no logging buffered
enable secret 5 XXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
!
crypto pki trustpoint Core_Certificate
enrollment selfsigned
serial-number none
ip-address none
revocation-check crl
rsakeypair Core_Certificate_RSAKey 512
!
!
crypto pki certificate chain Core_Certificate
certificate self-signed 01
XXXXXXXXXXXXXXXX
quit
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp excluded-address 10.10.10.201 10.10.10.254
!
ip dhcp pool Network
import all
network 10.10.10.0 255.255.255.0
dns-server 75.75.75.75 75.75.76.76
default-router 10.10.10.1
lease infinite
!
!
ip cef
no ip bootp server
ip name-server 75.75.75.75
ip name-server 75.75.76.76
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username XXX privilege 15 password 7 XXXXXXX
username XXX privilege 15 secret 5 XXXXXXXX
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group Main
key XXXXXXXXX
dns 75.75.75.75 75.75.76.76
pool SDM_POOL_3
max-users 5
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group Main
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto ctcp port 64444
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
!
!
interface Loopback0
ip address 10.99.99.99 255.255.255.255
ip nat inside
ip virtual-reassembly
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
description $FW_INSIDE$
ip unnumbered FastEthernet4
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip policy route-map VPN
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_3 10.10.20.10 10.10.20.15
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4 permanent
ip http server
ip http access-class 2
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 2 permit 10.10.20.0 0.0.0.255
access-list 2 deny any
access-list 100 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 100 permit ip 10.10.20.0 0.0.0.255 any
access-list 100 permit ip any 10.10.20.0 0.0.0.255
no cdp run
!
!
!
!
route-map VPN permit 10
match ip address 100
set ip next-hop 10.99.99.99
!
!
control-plane
!
banner login ^CThis is a private router and all access is monitored and logged.^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 2 in
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Core#
10-04-2010 09:23 PM
Hi Joseph,
You require a configuration like this:
client pool: 10.10.20.0
local network behind router: 10.10.10.0
R(config)#ip access-list extended 101
R(config-ext-nacl)#deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
R(config-ext-nacl)#permit ip 10.10.20.0 0.0.0.255 any
interface Virtual-Template1 type tunnel
description $FW_INSIDE$
ip policy route-map VPN
R(config)#ip access-list extended 103
R(config-ext-nacl)#permit ip any 10.10.20.0 0.0.0.255
R(config)#route-map VPN permit 10
R(config-route-map)#match ip address 101
R(config-route-map)#set interface loopback1
R(config)#route-map VPN permit 20
R(config-route-map)#match ip address 103
R(config-route-map)#set interface loopback1
Now you need to exempt NAT for the VPN traffic:
===================================
R(config)#ip access-list extended 102
R(config-ext-nacl)#deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
R(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 any
R(config-ext-nacl)#deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
R(config-ext-nacl)#permit ip 10.10.20.0 0.0.0.255 any
ip nat inside source list 102 interface FastEthernet4 overload
Let me know if this helps,
Cheers,
Rudresh V
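To make the mechanics of this answer concrete, here is an added example (editor's code, not IOS configuration and not from anyone in the thread) that models how the router evaluates the accepted configuration for a few constructed flows. It encodes access-lists 101, 102 and 103, the route-map VPN with both sequences set to Loopback0, and the interface roles from the working config (Virtual-Template1 carries the VPN clients, Vlan1 and Loopback0 are `ip nat inside`, FastEthernet4 is `ip nat outside`). IOS behaviours it reproduces: first-match ACLs with an implicit deny, wildcard-mask matching, policy routing on the tunnel interface, and source NAT only on an inside-to-outside crossing. The host addresses, the flow list and the `pbr=False` switch (which stands in for the original config, where no route-map was applied to Virtual-Template1) are assumptions made for the example; connection state and the crypto path are not modelled.

```python
"""Model of the accepted answer's policy routing and NAT exemption.

Added example, not IOS code and not from the thread. It evaluates single
forward packets the way IOS would against the ACLs, route-map and interface
roles of the working config. Connection tracking and IPsec are ignored.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

LAN = "10.10.10.0 0.0.0.255"   # network behind the router (Vlan1)
POOL = "10.10.20.0 0.0.0.255"  # SDM_POOL_3, addresses handed to VPN clients

NAT_INSIDE = {"Vlan1", "Loopback0"}   # interfaces configured 'ip nat inside'
NAT_OUTSIDE = {"FastEthernet4"}       # interface configured 'ip nat outside'


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard-mask test: 'any' matches everything; otherwise every bit
    whose wildcard bit is 0 must equal the corresponding network bit."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Ace:
    """One 'permit|deny ip <src> <dst>' entry of an extended access-list."""
    action: str
    src: str
    dst: str


def acl_permits(acl: list[Ace], src: str, dst: str) -> bool:
    """First matching entry decides; no match is the implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action == "permit"
    return False


# access-list 101/103 feed the route-map; 102 is the NAT list (accepted answer).
ACL101 = [Ace("deny", POOL, LAN), Ace("permit", POOL, "any")]
ACL103 = [Ace("permit", "any", POOL)]
ACL102 = [Ace("deny", LAN, POOL), Ace("permit", LAN, "any"),
          Ace("deny", POOL, LAN), Ace("permit", POOL, "any")]

# route-map VPN: seq 10 matches 101, seq 20 matches 103, both 'set interface Loopback0'.
ROUTE_MAP_VPN = [(10, ACL101), (20, ACL103)]


def policy_routed(route_map, src: str, dst: str) -> bool:
    """True when some sequence matches, i.e. the packet is pushed to Loopback0."""
    return any(acl_permits(acl, src, dst) for _, acl in route_map)


def egress_for(dst: str) -> str:
    """Plain routing table: connected LAN, the client pool, then the default route."""
    if wildcard_match(dst, LAN):
        return "Vlan1"
    if wildcard_match(dst, POOL):
        return "Virtual-Template1"
    return "FastEthernet4"  # ip route 0.0.0.0 0.0.0.0 FastEthernet4


def forward(src: str, dst: str, ingress: str, pbr: bool = True) -> dict:
    """Decide how one packet is handled. pbr=False stands for the original
    config, where no route-map was applied to Virtual-Template1 (assumption)."""
    hairpin = False
    if ingress == "Virtual-Template1" and pbr and policy_routed(ROUTE_MAP_VPN, src, dst):
        # 'set interface Loopback0': the packet leaves via the loopback and
        # re-enters on it, so its effective ingress is now an 'ip nat inside' port.
        ingress, hairpin = "Loopback0", True
    egress = egress_for(dst)
    # Source translation happens only on an inside->outside crossing the NAT ACL permits.
    nat = ingress in NAT_INSIDE and egress in NAT_OUTSIDE and acl_permits(ACL102, src, dst)
    return {"ingress": ingress, "egress": egress, "hairpin": hairpin, "nat": nat}


# Constructed flows: VPN client 10.10.20.10, LAN host 10.10.10.50, internet host 198.51.100.7.
FLOWS = [
    ("10.10.20.10", "198.51.100.7", "Virtual-Template1"),  # VPN client -> internet
    ("10.10.20.10", "10.10.10.50", "Virtual-Template1"),   # VPN client -> LAN
    ("10.10.10.50", "10.10.20.10", "Vlan1"),               # LAN -> VPN client
    ("10.10.10.50", "198.51.100.7", "Vlan1"),              # LAN -> internet
]

if __name__ == "__main__":
    for src, dst, ingress in FLOWS:
        print(src, "->", dst, "via", ingress, forward(src, dst, ingress))
    print("original config, VPN client -> internet:",
          forward("10.10.20.10", "198.51.100.7", "Virtual-Template1", pbr=False))
```

Running it shows the two things the fix depends on. A VPN client's packet for the internet matches sequence 10, is hairpinned through Loopback0 and therefore reaches FastEthernet4 from an `ip nat inside` interface, so ACL 102 permits it and it is translated; with `pbr=False` the same packet arrives from Virtual-Template1, which is not `ip nat inside`, so it leaves untranslated with a 10.10.20.x source, which is the symptom the original post describes. A VPN client's packet for the LAN is denied by the first line of ACL 101, does not match 103, is routed normally to Vlan1 and is never translated, and the first line of ACL 102 likewise keeps LAN-to-client traffic out of NAT, so the ordering of the deny lines before the permit lines is what preserves the site-to-client path.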
10-04-2010 09:43 PM
Thank you so much Rudresh V!!!!! That worked perfectly.
The only thing I had to change was the loopback number, from 1 to 0.
For anyone who is interested here is the working config-
Core#show run
Building configuration...
Current configuration : 5926 bytes
!
version 12.4
service config
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Core
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
no logging buffered
enable secret 5 xxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
!
crypto pki trustpoint Core_Certificate
enrollment selfsigned
serial-number none
ip-address none
revocation-check crl
rsakeypair Core_Certificate_RSAKey 512
!
!
crypto pki certificate chain Core_Certificate
certificate self-signed 01
xxxxxxxxxxx
quit
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp excluded-address 10.10.10.201 10.10.10.254
!
ip dhcp pool Network
import all
network 10.10.10.0 255.255.255.0
dns-server 75.75.75.75 75.75.76.76
default-router 10.10.10.1
lease infinite
!
!
ip cef
no ip bootp server
ip name-server 75.75.75.75
ip name-server 75.75.76.76
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username xxxx privilege 15 password xxxxxxx
username xxxx privilege 15 secret xxxxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group Main
key xxxxxx
dns 75.75.75.75 75.75.76.76
pool SDM_POOL_3
max-users 5
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group Main
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto ctcp port 64444
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
!
!
interface Loopback0
ip address 10.99.99.99 255.255.255.255
ip nat inside
ip virtual-reassembly
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
description $FW_INSIDE$
ip unnumbered FastEthernet4
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip policy route-map VPN
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_3 10.10.20.10 10.10.20.15
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4 permanent
ip http server
ip http access-class 2
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 102 interface FastEthernet4 overload
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.5.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 2 permit 10.10.20.0 0.0.0.255
access-list 2 deny any
access-list 101 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.20.0 0.0.0.255 any
access-list 102 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.10.20.0 0.0.0.255 any
access-list 103 permit ip any 10.10.20.0 0.0.0.255
no cdp run
!
!
!
!
route-map VPN permit 10
match ip address 101
set interface Loopback0
!
route-map VPN permit 20
match ip address 103
set interface Loopback0
!
!
control-plane
!
banner login ^CThis is a private router and all access is monitored and logged.^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 2 in
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Core#
10-04-2010 09:41 PM
I think you will need an extended ACL for the NAT rules.
access-list 1 permit 10.10.20.0 0.0.0.255
This won't do because then your VPN traffic will not work properly,
so use an ACL like this:
ip access-list extended 1xx
deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
permit ip 10.10.20.0 0.0.0.255 any
no ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 1xx interface FastEthernet4 overload
10-04-2010 09:45 PM
Thanks for all your help and suggestions jathaval. Rudresh V was able to get things working; I appreciate your effort and time.