05-04-2011 12:10 AM
I have two ISPs. ISP1 is my default gateway and ISP2 is used only for VPN client access. I set up my router to use a local policy route-map for VPN traffic, and I can connect, but once I'm connected, I can only ping the IP address of my router; if I try to telnet to that same IP address, for example, it does not respond, and I cannot see anything at all behind my router.
I found that if I put a static route through ISP2 pointing to the "public" IP address used by the client to connect, it works fine. But making a static route for every possible IP address used by the clients is not an option.
Here is my lab config:
aaa new-model
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication enable default enable
aaa authorization network hw-client-groupname local
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group test
 key test
 pool dynpool
 acl split_vpn
 netmask 255.255.255.248
crypto isakmp profile VPNclient
 match identity group test
 client authentication list userauthen
 isakmp authorization list hw-client-groupname
 client configuration address respond
!
!
crypto ipsec transform-set 3des-sha esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set 3des-sha
 set isakmp-profile VPNclient
!
!
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
interface Loopback10
 description -->Only for TEST
 ip address 10.1.254.1 255.255.255.255
!
interface FastEthernet0/0
 description -->ISP2
 ip address 10.0.0.1 255.255.255.252
 ip route-cache flow
 crypto map dynmap
!
interface FastEthernet0/1
 description -->ISP2
 ip address 10.0.1.1 255.255.255.252
 ip route-cache flow
!
interface FastEthernet0/2
 description -->LAN
 ip address 192.168.0.1 255.255.255.0
 ip policy route-map redirect
!
ip local policy route-map local
ip local pool dynpool 10.13.0.1 10.13.0.15
ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 10.0.1.2
ip route 10.10.254.1 255.255.255.255 192.168.0.2
ip route 10.13.0.0 255.255.255.248 10.0.0.2
!
!
ip access-list extended local
 permit udp host 10.0.0.1 eq isakmp any
 permit esp host 10.0.0.1 any
 permit ip host 10.0.0.1 any
 permit ip any 10.13.0.0 0.0.0.15
!
ip access-list extended redirect
 permit ip any 10.13.0.0 0.0.0.15
!
ip access-list extended split_vpn
 permit ip 10.1.254.0 0.0.0.255 10.13.0.0 0.0.0.15
 permit ip 10.10.254.0 0.0.0.255 10.13.0.0 0.0.0.15
 permit ip 192.168.0.0 0.0.0.255 10.13.0.0 0.0.0.15
!
route-map redirect permit 10
 match ip address redirect
 match interface FastEthernet0/0
 set ip next-hop 10.0.0.2
!
route-map local permit 10
 match ip address local
 match interface FastEthernet0/0
 set ip next-hop 10.0.0.2
!
!
line vty 0 4
 transport input telnet
line vty 5 15
 transport input telnet
05-04-2011 09:40 AM
help anybody???
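The following is an added example, not part of the post above and not IOS code: a small Python model of the posted routing table, ACLs and policy route-maps that reports which exit interface and next hop a given packet gets. It assumes two things about IOS route-map evaluation: a sequence with several `match` clauses requires all of them to match, and `match interface X` is compared against the exit interface a normal routing lookup on the packet's destination would pick. The client public address 203.0.113.10 and the LAN host 192.168.0.10 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed simulator of the posted lab config (not the poster's code, not IOS).
# Assumption: in a route-map sequence all match clauses are ANDed, and
# "match interface" is checked against the routing table's exit interface.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip" = unspecified layer 4
    sport: Optional[int] = None
    dport: Optional[int] = None

# Routing table: prefix -> (exit interface, next hop or None if connected).
# Connected networks plus the three "ip route" lines from the post.
ROUTES = {
    "0.0.0.0/0":      ("FastEthernet0/1", "10.0.1.2"),     # default via ISP1 side
    "10.0.0.0/30":    ("FastEthernet0/0", None),
    "10.0.1.0/30":    ("FastEthernet0/1", None),
    "192.168.0.0/24": ("FastEthernet0/2", None),
    "10.10.254.1/32": ("FastEthernet0/2", "192.168.0.2"),
    "10.13.0.0/29":   ("FastEthernet0/0", "10.0.0.2"),
}

# ACLs as (proto, src net, dst net, sport, dport); wildcard 0.0.0.15 -> /28.
ACLS = {
    "local": [
        ("udp", "10.0.0.1/32", "0.0.0.0/0", 500, None),
        ("esp", "10.0.0.1/32", "0.0.0.0/0", None, None),
        ("ip",  "10.0.0.1/32", "0.0.0.0/0", None, None),
        ("ip",  "0.0.0.0/0",   "10.13.0.0/28", None, None),
    ],
    "redirect": [("ip", "0.0.0.0/0", "10.13.0.0/28", None, None)],
}

ROUTE_MAPS = {
    "local":    [{"acl": "local",    "interface": "FastEthernet0/0", "next_hop": "10.0.0.2"}],
    "redirect": [{"acl": "redirect", "interface": "FastEthernet0/0", "next_hop": "10.0.0.2"}],
}

def lookup(dst, routes=ROUTES):
    """Longest-prefix match; returns (exit interface, next hop)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, (ifc, nh) in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ifc, nh if nh else dst)
    return (best[1], best[2]) if best else (None, None)

def ace_matches(ace, pkt):
    proto, src, dst, sport, dport = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(dst):
        return False
    if sport is not None and sport != pkt.sport:
        return False
    return dport is None or dport == pkt.dport

def acl_permits(acl, pkt):
    return any(ace_matches(ace, pkt) for ace in acl)

def forward(pkt, route_map_name, routes=ROUTES):
    """Apply the named PBR route-map; returns (exit interface, next hop, policy_applied)."""
    ifc, nh = lookup(pkt.dst, routes)
    for seq in ROUTE_MAPS[route_map_name]:
        if acl_permits(ACLS[seq["acl"]], pkt) and ifc == seq["interface"]:
            pbr_ifc, _ = lookup(seq["next_hop"], routes)
            return pbr_ifc, seq["next_hop"], True
    return ifc, nh, False

def scenarios():
    """Constructed packets mirroring the post: IKE reply to a remote client,
    the same after the poster's per-client static route, and LAN-to-pool traffic."""
    client_pub = "203.0.113.10"                      # constructed client public IP
    ike_reply = Packet("10.0.0.1", client_pub, "udp", sport=500, dport=500)
    with_static = dict(ROUTES, **{client_pub + "/32": ("FastEthernet0/0", "10.0.0.2")})
    return {
        "ike_reply_default":     forward(ike_reply, "local"),
        "ike_reply_with_static": forward(ike_reply, "local", with_static),
        "lan_to_client_low":     forward(Packet("192.168.0.10", "10.13.0.5"), "redirect"),
        "lan_to_client_high":    forward(Packet("192.168.0.10", "10.13.0.9"), "redirect"),
    }

if __name__ == "__main__":
    for name, (ifc, nh, applied) in scenarios().items():
        print(f"{name:24s} -> {ifc} via {nh} (policy applied: {applied})")
```

Under these assumptions the model shows that neither route-map ever changes a forwarding decision: each sequence only matches when the routing table already sends the packet out FastEthernet0/0, so router-originated replies to any client public address covered only by the default route leave via 10.0.1.2, and pool addresses above 10.13.0.7 (outside the /29 static route) do the same. That is consistent with the observation in the post that a per-client static route through ISP2 makes the tunnel usable; the `show route-map` counters on the router are the quickest way to confirm whether a sequence is actually matching.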