09-10-2014 12:16 AM
Hello,
I have a VPN set up between a Cisco 887 DSL router and an ASA. All the traffic from the 877 is encrypted and sent to the ASA, and it all works. I've been asked not to encrypt the Internet traffic and send it over the VPN to the ASA, which it does at the moment, using the Internet gateway from there. Can I use the local DSL Internet?
Config:
interface Dialer0
ip address negotiated
ip access-group inbound_acl in
ip access-list extended inbound_acl
permit ahp host 81.170.156.1 any
permit esp host 81.170.156.1 any
permit udp host 81.170.156.1 any eq isakmp
permit udp host 81.170.156.1 any eq non500-isakmp
deny icmp any any timestamp-request
deny icmp any any timestamp-reply
permit icmp any any
permit udp host 158.43.128.33 any eq ntp
permit tcp host 81.170.156.1 any eq telnet log
permit tcp host 81.170.156.1 any eq 22 log
permit tcp host 81.170.156.1 any eq ftp-data log
permit tcp host 81.170.156.1 any eq ftp log
permit tcp host 81.170.156.1 any eq www log
permit tcp host 81.170.156.1 any eq 443 log
deny ip any any log
ip route 0.0.0.0 0.0.0.0 Dialer0
Thanks
09-10-2014 12:32 AM
Hi,
If you want to send only the local LAN to remote LAN traffic across the site-to-site tunnel and the Internet traffic across the local ISP circuit, you will have to change the crypto ACL by removing the any from the ACL and configuring the LAN subnets on it.
By doing this you can make sure that only the local LAN to remote LAN traffic is encrypted and the rest goes through the local ISP.
Also, dynamic PAT has to be enabled so that the local LAN can use the WAN interface IP to go to the Internet.
Hope that helps.
09-10-2014 01:48 AM
Hi,
Something like this:
PAT
interface Vlan1
ip address 192.168.200.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip nat outside
dialer pool 1
dialer-group 1
ip nat inside source list 101 interface Dialer1 overload
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
Regarding the any statement in my ACL, which one are you referring to that I should remove?
Thanks
09-10-2014 07:29 AM
ACL 101 is the NAT ACL. It will depend on your complete VPN configuration. I could suggest the changes if you can share the entire VPN and NAT configuration.
09-10-2014 07:38 AM
No problem.
!
! No configuration change since last restart
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname f1841
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 notifications
enable secret 5 $1$5MBpJoWpP0PTv0
!
no aaa new-model
clock timezone utc 0
clock summer-time bst recurring last Sun Mar 2:00 last Sun Oct 3:00
ip cef
!
!
ip nbar port-map citrix tcp 2598
no ip dhcp use vrf connected
ip dhcp excluded-address 172.19.10.1 172.19.10.10
!
ip dhcp pool Client
network 172.19.10.0 255.255.255.0
dns-server 192.168.21.10 192.168.21.11
default-router 172.19.10.1
lease 0 2
!
!
ip domain name corpdomain.com
ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound ftp
ip inspect name outbound http
ip inspect name outbound icmp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
login on-failure log
login on-success log
!
!
crypto pki trustpoint TP-self-signed-374463676
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-374463676
revocation-check none
rsakeypair TP-self-signed-374463676
!
quit
archive
log config
logging enable
logging size 200
hidekeys
!
!
ip tftp source-interface FastEthernet0/0
ip ssh version 2
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key -------- address 80.171.156.*
!
!
crypto ipsec transform-set CBSO_T_Set esp-aes 256 esp-sha-hmac
!
crypto map CBSO_Crypto_Map 10 ipsec-isakmp
set peer 80.171.156.*
set security-association lifetime seconds 86400
set transform-set CBSO_T_Set
set pfs group5
match address 101
!
!
!
interface FastEthernet0/0
ip address 172.19.10.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip inspect outbound in
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no ip unreachables
ip nbar protocol-discovery
ip route-cache flow
no ip mroute-cache
atm vc-per-vp 128
atm restart timer 300
no atm ilmi-keepalive
dsl operating-mode auto
cdp enable
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer1
ip address negotiated
ip access-group inbound in
no ip unreachables
ip nbar protocol-discovery
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ---
ppp chap password 7 ----
ppp pap sent-username --- password 7 ---
crypto map CBSO_Crypto_Map
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.28.136 9996
ip flow-top-talkers
top 20
sort-by bytes
cache-timeout 30000
!
no ip http server
no ip http secure-server
!
ip access-list extended inbound
permit ahp host 80.171.156.* any
permit esp host 80.171.156.* any
permit udp host 80.171.156.* any eq isakmp
permit udp host 80.171.156.* any eq non500-isakmp
deny icmp any any timestamp-request
deny icmp any any timestamp-reply
permit icmp any any
permit udp host 158.43.128.33 any eq ntp
permit tcp host 80.171.156.* any eq telnet log
permit tcp host 80.171.156.* any eq 22 log
permit tcp host 80.171.156.* any eq ftp-data log
permit tcp host 80.171.156.* any eq ftp log
permit tcp host 80.171.156.* any eq www log
permit tcp host 80.171.156.* any eq 443 log
deny ip any any log
!
logging history size 50
logging history informational
logging trap notifications
logging source-interface FastEthernet0/0
logging 192.168.21.19
logging 192.168.28.129
access-list 50 permit 80.171.156.*
access-list 50 permit 192.168.90.11
access-list 50 permit 192.168.60.11
access-list 50 permit 192.168.21.19
access-list 50 permit 172.19.15.9
access-list 50 permit 192.168.28.129
access-list 50 permit 192.168.28.131
access-list 50 deny any log
access-list 101 permit ip 172.19.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community Nokia101 RO
snmp-server ifindex persist
snmp-server enable traps tty
snmp-server host 192.168.21.19 RO
snmp-server host 192.168.28.129 RO
!
!
!
control-plane
!
!
banner login ^C Authorised access only! Disconnect IMMEDIATELY if you are not an authorised user! ^C
banner motd ^CC
################################################
# Unauthorised access or use of this equipment #
# is prohibited and constitutes an offence #
# under the Computer Misuse Act 1990. #
# If you are not authorised to use this #
# system, terminate this session now. #
################################################
^C
!
line con 0
logging synchronous
transport output all
line aux 0
transport output all
line vty 0 4
access-class 50 in
exec-timeout 0 0
logging synchronous
login local
length 0
transport input ssh
transport output all
!
scheduler allocate 20000 1000
sntp server 158.43.128.33
event manager applet DailyReload
event timer cron name _EEMinternalname0 cron-entry "0 4 * * *"
action 1.0 reload
!
end
09-10-2014 08:00 AM
I am assuming that the subnet that you need to access across the tunnel is subnetA.
It is not good practice to use the same ACL for NAT and for the crypto map,
so configure two different ACLs as below.
#access-list 102 deny ip 172.19.10.0 0.0.0.255 subnetA <wildcard mask> ---> Nat Exemption
#access-list 102 permit ip 172.19.10.0 0.0.0.255 any
Remove the old nat configuration and configure
#ip nat inside source list 102 interface Dialer1 overload
Crypto ACL
#access-list 103 permit ip 172.19.10.0 0.0.0.255 subnetA <wildcard mask>
Remove the crypto ACL 101 from the crypto map and configure as below
#crypto map CBSO_Crypto_Map 10 ipsec-isakmp
#no match address 101
#match address 103
Make sure that the ASA's crypto ACL is also removed and reconfigured, something like this:
access-list crypto-acl extended permit ip subnet A <mask> 172.19.10.0 255.255.255.0
If there are multiple subnets on the ASA side to which the router's local subnet needs access, then add those as deny statements on ACL 102 and permit statements on ACL 103.
Also make sure all the deny statements on ACL 102 are above the permit statement.
You will have to configure the reverse on the ASA.
Hope that helps
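The reason the exemption lines in ACL 102 have to sit above the permit-any, and the reason one shared ACL for NAT and crypto does not work, is the IOS order of operations: for inside-to-outside traffic the NAT ACL is consulted and the source translated before the crypto map is checked, so the crypto ACL sees the post-NAT source. The following Python model of that path is an added example, not code from this thread or from Cisco; it illustrates both the first reply (split the crypto ACL, add PAT) and the ACL 102/103 procedure above. The LAN 172.19.10.0/24 is taken from the posted config; the ASA-side subnet 192.168.21.0/24 (standing in for subnetA) and the Dialer1 address 203.0.113.10 are assumed.

```python
"""Model of the inside-to-outside packet path on an IOS router that has
'ip nat inside source ... overload' and a crypto map on the same outside
interface, to show which traffic is encrypted and which leaves in the clear
for a given pair of NAT and crypto ACLs.

Added illustration, not code from the thread or from Cisco.
"""
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# One access-list entry: (action, source network, destination network).
Ace = Tuple[str, str, str]

LAN = "172.19.10.0/24"         # from the posted config
SUBNET_A = "192.168.21.0/24"   # assumed: the subnet behind the ASA
DIALER_IP = "203.0.113.10"     # assumed stand-in for the negotiated Dialer1 address
ANY = "0.0.0.0/0"


def acl_lookup(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action
    return "deny"


def forward(nat_acl: List[Ace], crypto_acl: List[Ace], src: str, dst: str) -> Tuple[str, str]:
    """Return (source address on the wire, 'vpn' or 'clear').

    IOS translates the inside source (if the NAT ACL permits it) before it
    checks the crypto map, so the crypto ACL is matched against the
    translated source address.
    """
    wire_src = DIALER_IP if acl_lookup(nat_acl, src, dst) == "permit" else src
    path = "vpn" if acl_lookup(crypto_acl, wire_src, dst) == "permit" else "clear"
    return wire_src, path


def build_split_tunnel_acls(lan: str, remotes: List[str]) -> Tuple[List[Ace], List[Ace]]:
    """ACL 102 (NAT: exempt every tunnelled pair, then PAT the rest) and
    ACL 103 (crypto: only the tunnelled pairs), as the answer describes."""
    nat_acl = [("deny", lan, r) for r in remotes] + [("permit", lan, ANY)]
    crypto_acl = [("permit", lan, r) for r in remotes]
    return nat_acl, crypto_acl


def mirror_for_asa(crypto_acl: List[Ace]) -> List[Ace]:
    """The ASA's crypto ACL is the router's with source and destination swapped."""
    return [(action, dst, src) for action, src, dst in crypto_acl]


def nat_exemption_is_sound(nat_acl: List[Ace], crypto_acl: List[Ace]) -> bool:
    """Every pair the crypto ACL would encrypt must be fully covered by a NAT
    deny that appears before any overlapping NAT permit; otherwise part of
    the tunnelled traffic is translated first and leaves in the clear."""
    for action, src_net, dst_net in crypto_acl:
        if action != "permit":
            continue
        s, d = ip_network(src_net), ip_network(dst_net)
        for nat_action, ns, nd in nat_acl:
            ns, nd = ip_network(ns), ip_network(nd)
            if nat_action == "deny" and s.subnet_of(ns) and d.subnet_of(nd):
                break  # exempted before any permit could translate it
            if nat_action == "permit" and s.overlaps(ns) and d.overlaps(nd):
                return False
    return True  # reaching the implicit deny also means "not translated"


if __name__ == "__main__":
    nat_ok, crypto = build_split_tunnel_acls(LAN, [SUBNET_A])
    nat_bad = [nat_ok[-1]] + nat_ok[:-1]  # same lines, permit-any moved to the top
    shared = [("permit", LAN, ANY)]        # one ACL used for both NAT and crypto
    for label, nat, cry in (("deny above permit", nat_ok, crypto),
                            ("permit above deny", nat_bad, crypto),
                            ("shared ACL 101", shared, shared)):
        print(label, "-", "sound" if nat_exemption_is_sound(nat, cry) else "LEAKS")
        print("  LAN -> ASA LAN :", forward(nat, cry, "172.19.10.5", "192.168.21.10"))
        print("  LAN -> Internet:", forward(nat, cry, "172.19.10.5", "198.51.100.7"))
    print("ASA crypto ACL:", mirror_for_asa(crypto))
```

With the deny above the permit, traffic to 192.168.21.0/24 keeps its 172.19.10.x source, matches ACL 103 and is encrypted, while everything else is PAT'd to the Dialer1 address and routed out the DSL. With the permit first, or with the original single ACL 101 used for both purposes once PAT is added, the LAN-to-ASA traffic is translated first, no longer matches the crypto ACL and is sent to the ASA's subnet unencrypted over the Internet.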
09-10-2014 11:34 PM
09-11-2014 12:19 AM
Which ACL are you referring to?