06-08-2009 06:30 AM - edited 02-21-2020 03:30 AM
Dear All,
When I connect to my company network via the Cisco VPN client, it successfully connects and all the required applications run, BUT
Internet traffic stops, resulting in no browsing, etc.
Please advise whether I need to check the VPN client's configuration or whether I need to add something in my Cisco 2811 router.
Regards,
Junaid
06-08-2009 01:25 PM
There are two ways to achieve this. If you want your users to use their local ISP gateway, you will want to configure split tunneling for the client group. Split tunneling is configured on the router and identifies what networks are to be protected via the tunnel. Alternatively, you can tunnel all traffic from the client to the hub router when connected and then configure hairpin routing for Internet access. Below are sample configs of each.
EasyVPN w/ Split Tunneling Sample:
VPN Client Public Internet On A Stick:
06-08-2009 11:52 PM
Hi,
you provided link of:
Router and VPN Client for Public Internet on a Stick Configuration Example
The author used some IP address which is not mentioned in the diagram. I have found this kind of mistake in so many examples.
Can you please explain:
interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
Where is the 10.11.0.1???
06-09-2009 01:07 AM
Sorry,
IT'S WORKING FINE....
THANKS,
Junaid
06-09-2009 01:45 AM
Dear Junaid
In the hairpinning scenario the VPN client traffic arrives at the outside interface and exits using the same interface.
The Loopback is used because the Cisco router's NAT feature requires (at least in old versions) that you specify the NAT inside and outside interfaces. So traffic from VPN clients is policy routed to the loopback interface (inside), which is then translated at the Internet interface (outside).
Regards
Farrukh
06-09-2009 05:51 AM
Dear Farrukh,
Thanks for your explanation.
Regards,
Junaid
06-10-2009 12:51 AM
Dear,
I am currently using the first method, XAUTH AND SPLIT TUNNELING.
I successfully connect to my network and at the same time the Internet runs on the remote PC, but the remote PC is unable to use resources inside my network.
I have a Cisco ASA 5510 placed right next to my router; servers are connected to its DMZ interface.
Do I need to add NAT?
IF I add
ip nat inside (at inside interface)
and
ip nat outside (at outside interface) of the router, and make an ACL
access-list 160 permit ip any any
access-list 160 permit tcp any any
ip nat inside source list 160 interface fastethernet 0/1 overload
By adding these commands, my remote PC starts connecting to my internal network, but its Internet service stops...
Please HELP
Regards,
Junaid
06-10-2009 06:01 AM
You need to change the ACL on the router; currently it's going to policy route/NAT all traffic from VPN clients out to the Internet. Deny the Remote Site >> HQ subnets traffic in the ACL.
And of course you need to permit this in the ASA as well.
Regards
Farrukh
06-11-2009 08:04 PM
Dear Farrukh,
I am sending you the router configuration in this post and the ASA configuration in the next post. Please review it and advise.
ROUTER CONFIG
-------------
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
boot-start-marker
boot-end-marker
enable secret 5 $1$xxxxxxxxxxxxxxxxxxxxChhf0
enable password xxxxxxx
aaa new-model
aaa authentication login userlist local
aaa authorization network vpnclient local
aaa session-id common
resource policy
memory-size iomem 15
clock timezone - 0 6
no ip source-route
ip cef
ip domain name millat.com.pk
ip name-server 10.16.6.11
ip name-server 10.16.7.12
voice-card 0
no dspfarm
username Junaid privilege 15 secret 5 $1$xxxxxxxxxxxxxxxxxxtguY.
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group vpnclient
key cisco123
dns 192.168.1.17
wins 192.168.1.17
domain millat.com.pk
pool dynpool
acl 150
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
crypto map dynmap client authentication list userlist
crypto map dynmap isakmp authorization list vpnclient
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
ip address 192.168.74.1 255.255.255.0
ip access-group Internet in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/1
ip address 55.55.55.55 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map dynmap
ip local pool dynpool 192.168.74.150 192.168.74.254
ip route 0.0.0.0 0.0.0.0 55.55.55.57
ip route 192.168.1.0 255.255.255.0 192.168.74.2
ip route 192.168.2.0 255.255.255.0 192.168.74.2
ip route 192.168.3.0 255.255.255.0 192.168.74.2
ip route 192.168.4.0 255.255.255.0 192.168.74.2
ip route 192.168.5.0 255.255.255.0 192.168.74.2
ip route 192.168.6.0 255.255.255.0 192.168.74.2
ip route 192.168.7.0 255.255.255.0 192.168.74.2
ip route 192.168.8.0 255.255.255.0 192.168.74.2
ip route 192.168.9.0 255.255.255.0 192.168.74.2
ip route 192.168.10.0 255.255.255.0 192.168.74.2
ip route 192.168.11.0 255.255.255.0 192.168.74.2
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.1.15 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.1.4 22 interface FastEthernet0/1 22
ip nat inside source static tcp 192.168.74.1 23 interface FastEthernet0/1 23
ip nat inside source static tcp 192.168.1.16 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.16 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.1.16 110 interface FastEthernet0/1 110
ip nat inside source list 160 interface FastEthernet0/1 overload
!
ip access-list extended Internet
permit ip host 10.16.6.11 any
permit ip host 10.16.7.12 any
permit tcp any any eq ftp
permit tcp any any eq smtp
permit tcp any any eq pop3
permit ip host 192.168.2.81 any
permit ip host 192.168.10.7 any
permit ip host 192.168.4.82 any
permit ip host 192.168.4.83 any
permit ip any host 66.241.216.167
permit ip host 192.168.11.11 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.74.0 0.0.0.255 any
permit ip 192.168.35.0 0.0.0.255 any
access-list 150 permit ip any any
access-list 150 permit tcp any any
access-list 160 permit ip any any
access-list 160 permit tcp any any
snmp-server community public RO
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps cpu threshold
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
no cdp run
control-plane
line con 0
password sunroof
line aux 0
line vty 0 4
password Pajero
scheduler allocate 20000 1000
end
06-11-2009 08:10 PM
Here is ASA Configuration
-------------------------
ASA Version 7.0(7)
hostname MTL-ASA
domain-name millat.com.pk
enable password lRxxxxxxxxxxxNh encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.74.2 255.255.255.0
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.1.18 255.255.255.0
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.90.1 255.255.255.0
management-only
passwd lRxxxxxxxxxxxxNh encrypted
ftp mode passive
access-list outside_to_DMZ extended permit ip 192.168.74.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_to_DMZ extended permit tcp any any eq 3389
access-list outside_to_DMZ extended permit ip any any
access-list outside_to_DMZ extended permit tcp any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
mtu management 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
static (DMZ,outside) 192.168.74.0 192.168.1.0 netmask 255.255.255.255
access-group outside_to_DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.74.1 1
route outside 55.55.55.57 255.255.255.248 192.168.74.1 1
route inside 192.168.11.0 255.255.255.0 192.168.20.2 1
route inside 192.168.9.0 255.255.255.0 192.168.20.2 1
route inside 192.168.8.0 255.255.255.0 192.168.20.2 1
route inside 192.168.7.0 255.255.255.0 192.168.20.2 1
route inside 192.168.6.0 255.255.255.0 192.168.20.2 1
route inside 192.168.5.0 255.255.255.0 192.168.20.2 1
route inside 192.168.4.0 255.255.255.0 192.168.20.2 1
route inside 192.168.10.0 255.255.255.0 192.168.20.2 1
route inside 192.168.2.0 255.255.255.0 192.168.20.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username Junaid password kxxxxxxxxxxxFs0 encrypted privilege 15
http server enable
http 192.168.90.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect esmtp
service-policy global_policy global
Cryptochecksum:78xxxxxxxxxxxxxxxxxxcbd55f
: end
06-11-2009 08:12 PM
Dear Farrukh,
Please review the above 2 posts, one containing the router configuration and the second one containing the ASA config.
In this scenario, the remote VPN client connects successfully but is unable to use resources in the network.
At the same time, the remote client's Internet service RUNS.
Please advise me what ACL I should place and in which direction.
Regards,
Junaid
06-12-2009 09:53 PM
Change access-list 160 FROM:
access-list 160 permit ip any any
access-list 160 permit tcp any any
TO:
access-list 160 deny ip 192.168.74.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 160 permit ip any any
access-list 160 permit tcp any any
Also I would advise to remove this FROM the ASA as it is not required:
no static (DMZ,outside) 192.168.74.0 192.168.1.0 netmask 255.255.255.255
Regards
Farrukh
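To make the first-match behaviour behind this fix concrete, here is an added Python example (not from the thread, and not Cisco's code) that evaluates IOS-style wildcard-mask ACL entries against sample packets: with the original ACL 160, a VPN-client packet to the DMZ matches `permit ip any any` and is handed to the overload NAT, while the added `deny` entry exempts it and still lets client-to-Internet traffic be translated. 198.51.100.10 is a constructed placeholder for an Internet host.

```python
import ipaddress

# Constructed copies of router ACL 160 as posted and as Farrukh proposes it.
ACL_160_BEFORE = [
    "access-list 160 permit ip any any",
    "access-list 160 permit tcp any any",
]
ACL_160_AFTER = [
    "access-list 160 deny ip 192.168.74.0 0.0.0.255 192.168.0.0 0.0.255.255",
    "access-list 160 permit ip any any",
    "access-list 160 permit tcp any any",
]

def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; wildcard 1-bits are don't-care."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2

def parse_ace(line):
    """Split 'access-list N permit|deny PROTO SRC DST' into (action, proto, src, dst)."""
    t = line.split()
    src, i = _parse_addr(t, 4)
    dst, _ = _parse_addr(t, i)
    return t[2], t[3], src, dst

def nat_decision(acl_lines, src_ip, dst_ip, proto="ip"):
    """First-match evaluation as 'ip nat inside source list' applies it:
    True = matched a permit entry, so translated; False = deny or no match."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, p, src, dst = parse_ace(line)
        if p != "ip" and p != proto:   # 'ip' entries cover every protocol
            continue
        if s in src and d in dst:
            return action == "permit"
    return False                       # implicit deny at the end of an IOS ACL

def demo():
    # 192.168.74.150 is from the thread's VPN pool; 198.51.100.10 is a constructed Internet host.
    client, dmz_host, internet = "192.168.74.150", "192.168.1.15", "198.51.100.10"
    return {
        "before: client->DMZ translated": nat_decision(ACL_160_BEFORE, client, dmz_host),
        "after: client->DMZ translated": nat_decision(ACL_160_AFTER, client, dmz_host),
        "after: client->Internet translated": nat_decision(ACL_160_AFTER, client, internet),
    }
```

Call `demo()` to see the three decisions side by side; `nat_decision` can also be fed any other ACL lines in the same `access-list N permit|deny PROTO SRC DST` form.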
06-13-2009 04:19 AM
Dear Farrukh,
In the crypto isakmp client configuration group vpnclient
I used ACL 150, which is not available in the configuration right now.
Should I replace that ACL, from 150 to 160,
and will ACL 160 then be used for both crypto and overload??
Please advise
Regards,
Junaid
06-13-2009 04:51 AM
No that is an alternate method to control this, but in the solution I proposed, you don't need to change anything in ACL 150.
Just change the ACL I mentioned (160) and test. Alternatively you can use ACL 150 to control the split tunnelling.
Regards
Farrukh