Router and VPN Client for Public Internet on a Stick issue

Answered Question
Jun 7th, 2010

I'm attempting to follow http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml in order to allow VPN clients to receive their internet through the connection instead of split-tunneling. Internal resources are available, but the internet does not work when a client is connected. It appears the VPN clients are not being translated.

!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key keystring address x.x.x.x no-xauth
!
crypto isakmp client configuration group VPN-Users
key keystring
dns 208.67.222.222 208.67.220.220
domain domain.com
pool VPN_POOL
include-local-lan
netmask 255.255.255.0
crypto isakmp profile IKE-PROFILE
   match identity group VPN-Users
   client authentication list default
   isakmp authorization list default
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE1
set transform-set ESP-3DES-SHA
set isakmp-profile IKE-PROFILE
!
!
crypto dynamic-map DYNMAP 10
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map CLIENTMAP client authentication list default
crypto map CLIENTMAP isakmp authorization list default
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 1 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-3DES-SHA
set pfs group1
match address 100
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
archive
log config
  hidekeys
!
!
controller T1 2/0
framing sf
linecode ami
!
ip ssh authentication-retries 2
!
!
!
!
interface Loopback0
ip address 192.168.100.1 255.255.255.0
no ip unreachables
ip nat inside
ip virtual-reassembly
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet0/0 hostname 3725router
ip access-group 104 in
no ip unreachables
ip nat outside
ip inspect SDM_LOW out
ip ips sdm_ips_rule in
ip virtual-reassembly
ip policy route-map SDM_RMAP_1
duplex auto
speed auto
crypto map CLIENTMAP
!
interface Serial0/0
description $FW_OUTSIDE$
ip address 10.0.0.1 255.255.240.0
ip access-group 105 in
ip verify unicast reverse-path
no ip unreachables
ip inspect SDM_LOW out
ip virtual-reassembly
shutdown
clock rate 2000000
crypto map CLIENTMAP
!
interface FastEthernet0/1
no ip address
no ip unreachables
ip virtual-reassembly
speed auto
full-duplex
!
interface FastEthernet0/1.2
description $FW_INSIDE$
encapsulation dot1Q 2
ip address 172.16.2.1 255.255.255.0
ip access-group 101 in
no ip unreachables
ip nat inside
ip virtual-reassembly
ipv6 enable
!
interface FastEthernet0/1.3
description $FW_INSIDE$
encapsulation dot1Q 3
ip address 172.16.3.1 255.255.255.0
ip access-group 102 in
no ip unreachables
ip nat inside
ip virtual-reassembly
ipv6 enable
!
interface FastEthernet0/1.10
description Guest Wireless Vlan
encapsulation dot1Q 100
ip address 172.16.100.1 255.255.255.0
ip access-group 110 out
no ip unreachables
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.50
description $Phones$
encapsulation dot1Q 50
ip address 172.16.50.1 255.255.255.0
ip virtual-reassembly
!
interface Serial0/1
no ip address
no ip unreachables
shutdown
clock rate 2000000
!
interface Serial0/2
no ip address
shutdown
!
interface Serial0/3
no ip address
shutdown
!
interface Serial1/0
no ip address
shutdown
!
interface BRI2/0
no ip address
ip virtual-reassembly
encapsulation hdlc
shutdown
!
interface Virtual-Template1 type tunnel
description $FW_INSIDE$
ip unnumbered Loopback0
ip access-group 103 in
no ip unreachables
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE1
!
ip local pool VPN_POOL 192.168.0.100 192.168.0.105
ip forward-protocol nd
ip route 172.16.200.0 255.255.255.252 172.16.2.3
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat translation udp-timeout 900
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
logging origin-id hostname
logging 172.16.3.3
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 101 remark SDM_ACL Category=17
access-list 101 permit ahp any host 172.16.2.1
access-list 101 permit esp any host 172.16.2.1
access-list 101 permit udp any host 172.16.2.1 eq isakmp
access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
access-list 101 permit ip 172.31.12.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny   ip 10.0.0.0 0.0.15.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any log
access-list 101 deny   ip 172.16.3.0 0.0.0.255 any log
access-list 101 deny   ip host 255.255.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   tcp any any range 1 chargen log
access-list 101 deny   tcp any any eq whois log
access-list 101 deny   tcp any any eq 93 log
access-list 101 deny   tcp any any range 135 139 log
access-list 101 deny   tcp any any eq 445 log
access-list 101 deny   tcp any any range exec 518 log
access-list 101 deny   tcp any any eq uucp log
access-list 101 permit ip any any
access-list 101 deny   ip 172.16.100.0 0.0.0.255 any log
access-list 102 deny   ip 172.16.2.0 0.0.0.255 any log
access-list 102 deny   ip 10.0.0.0 0.0.15.255 any log
access-list 102 deny   ip 192.168.0.0 0.0.0.255 any log
access-list 102 deny   ip host 255.255.255.255 any log
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 102 permit ip any any
access-list 103 deny   ip 172.16.2.0 0.0.0.255 any
access-list 103 deny   ip 10.0.0.0 0.0.15.255 any
access-list 103 deny   ip 172.16.3.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark SDM_ACL Category=17
access-list 104 permit ip host 192.168.0.100 any
access-list 104 permit ip host 192.168.0.101 any
access-list 104 permit ip host 192.168.0.102 any
access-list 104 permit ip host 192.168.0.103 any
access-list 104 permit ip host 192.168.0.104 any
access-list 104 permit ip host 192.168.0.105 any
access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 104 permit ip host 192.168.0.100 172.16.0.0 0.0.255.255
access-list 104 permit ip host 192.168.0.101 172.16.0.0 0.0.255.255
access-list 104 permit ip host 192.168.0.102 172.16.0.0 0.0.255.255
access-list 104 permit ip host 192.168.0.103 172.16.0.0 0.0.255.255
access-list 104 permit ip host 192.168.0.104 172.16.0.0 0.0.255.255
access-list 104 permit ip host 192.168.0.105 172.16.0.0 0.0.255.255
access-list 104 permit ip 172.31.12.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 104 permit udp host 205.152.132.23 eq domain any
access-list 104 permit udp host 205.152.144.23 eq domain any
access-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntp
access-list 104 permit ahp any any
access-list 104 permit esp any any
access-list 104 permit 41 any any
access-list 104 permit udp any any eq isakmp
access-list 104 permit udp any any eq non500-isakmp
access-list 104 deny   ip 10.0.0.0 0.0.15.255 any log
access-list 104 deny   ip 172.16.2.0 0.0.0.255 any log
access-list 104 deny   ip 192.168.0.0 0.0.0.255 any log
access-list 104 deny   ip 172.16.3.0 0.0.0.255 any log
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 permit icmp any any echo
access-list 104 deny   icmp any any mask-request log
access-list 104 deny   icmp any any redirect log
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 104 deny   ip 224.0.0.0 15.255.255.255 any log
access-list 104 deny   ip host 255.255.255.255 any log
access-list 104 deny   tcp any any range 6000 6063 log
access-list 104 deny   tcp any any eq 6667 log
access-list 104 deny   tcp any any range 12345 12346 log
access-list 104 deny   tcp any any eq 31337 log
access-list 104 deny   udp any any eq 2049 log
access-list 104 deny   udp any any eq 31337 log
access-list 104 deny   udp any any range 33400 34400 log
access-list 104 deny   ip any any log
access-list 105 remark SDM_ACL Category=17
access-list 105 permit ip host 192.168.0.100 any
access-list 105 permit ip host 192.168.0.101 any
access-list 105 permit ip host 192.168.0.102 any
access-list 105 permit ip host 192.168.0.103 any
access-list 105 permit ip host 192.168.0.104 any
access-list 105 permit ip host 192.168.0.105 any
access-list 105 permit ip host 192.168.0.100 172.16.0.0 0.0.255.255
access-list 105 permit ip host 192.168.0.101 172.16.0.0 0.0.255.255
access-list 105 permit ip host 192.168.0.102 172.16.0.0 0.0.255.255
access-list 105 permit ip host 192.168.0.103 172.16.0.0 0.0.255.255
access-list 105 permit ip host 192.168.0.104 172.16.0.0 0.0.255.255
access-list 105 permit ip host 192.168.0.105 172.16.0.0 0.0.255.255
access-list 105 permit ip 172.31.12.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 105 permit udp any host 10.0.0.1 eq non500-isakmp
access-list 105 permit udp any host 10.0.0.1 eq isakmp
access-list 105 permit esp any host 10.0.0.1
access-list 105 permit ahp any host 10.0.0.1
access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
access-list 105 permit ahp host 10.0.0.2 host 10.0.0.1
access-list 105 permit esp host 10.0.0.2 host 10.0.0.1
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmp
access-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp
access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog
access-list 105 deny   ip 172.16.2.0 0.0.0.255 any
access-list 105 deny   ip 192.168.0.0 0.0.0.255 any
access-list 105 deny   ip 172.16.3.0 0.0.0.255 any
access-list 105 permit icmp any host 10.0.0.1 echo-reply
access-list 105 permit icmp any host 10.0.0.1 time-exceeded
access-list 105 permit icmp any host 10.0.0.1 unreachable
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.15.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip host 0.0.0.0 any
access-list 105 deny   ip any any log
access-list 110 deny   ip 172.16.2.0 0.0.0.255 any
access-list 110 deny   ip 172.16.3.0 0.0.0.255 any
access-list 110 permit ip any any
access-list 115 permit ip 172.16.0.0 0.0.255.255 any
access-list 115 permit ip 192.168.0.0 0.0.0.255 any
access-list 120 deny   ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 172.16.0.0 0.0.255.255 any
access-list 150 deny   ip 172.16.0.0 0.0.255.255 host 192.168.0.100
access-list 150 deny   ip 172.16.0.0 0.0.255.255 host 192.168.0.101
access-list 150 deny   ip 172.16.0.0 0.0.255.255 host 192.168.0.102
access-list 150 deny   ip 172.16.0.0 0.0.255.255 host 192.168.0.103
access-list 150 deny   ip 172.16.0.0 0.0.255.255 host 192.168.0.104
access-list 150 deny   ip 172.16.0.0 0.0.255.255 host 192.168.0.105
access-list 150 deny   ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 permit ip 172.16.2.0 0.0.0.255 any
access-list 150 permit ip 172.16.3.0 0.0.0.255 any
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
snmp-server community public RO
ipv6 route ::/0 Tunnel0
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 150
set ip next-hop 192.168.100.2
!
route-map SDM_RMAP_1 permit 10
match ip address 150
set ip next-hop 192.168.100.2

andrew.prince@m... Tue, 06/08/2010 - 04:09

You do not have a route-map to set the next hop ip address to the loopback interface for the VPN IP pool.

HTH

Vindemiatrix Tue, 06/08/2010 - 04:34

Andrew,

How do you mean, I have the following:

"ip policy route-map SDM_RMAP_1" under f0/0

route-map SDM_RMAP_1 permit 10
match ip address 150
set ip next-hop 192.168.100.2

interface Loopback0
ip address 192.168.100.1 255.255.255.0
no ip unreachables
ip nat inside
ip virtual-reassembly

Per the Cisco example they did not use the same network as the VPN_POOL clients. The example uses 192.186.1.0 for the clients and 10.11.0.x for the reverse map stuff. My understanding is the next-hop address doesn't actually exist but instead is a method to force the use of the loopback?

Please correct me where I'm wrong...


Vindemiatrix Tue, 06/08/2010 - 05:09

#set ip next-hop 192.168.100.1
% Warning: Next hop address is our address

I changed the route-map to look like the following, but translations are not occurring and there is no internet for the VPN clients:

!
route-map SDM_RMAP_1 permit 10
match ip address 150
set ip next-hop 192.168.100.1
!

andrew.prince@m... Tue, 06/08/2010 - 05:15

Very interesting - change it back to what it was previously

Then see if the ACL in the route map is actually being hit

Vindemiatrix Tue, 06/08/2010 - 05:24

#sh ip access-lists 150
Extended IP access list 150
    10 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.100 (44 matches)
    20 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.101
    30 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.102
    40 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.103 (37 matches)
    50 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.104
    60 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.105
    70 permit ip 172.16.2.0 0.0.0.255 any (17723 matches)
    80 permit ip 172.16.3.0 0.0.0.255 any
    90 permit ip 192.168.0.0 0.0.0.255 any (608 matches)
    100 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255

Vindemiatrix Tue, 06/08/2010 - 07:40

Turned on terminal monitor and then debugging for access-list for 150 but didn't see anything which I find strange because the access-list shows hits.

#debug ip policy 150
Policy routing debugging is on for access list 150

Vindemiatrix Tue, 06/08/2010 - 07:55

I get a bunch of these but they're probably another issue.

Jun  8 14:49:12.792: IP: s=73.30.171.1 (FastEthernet0/0), d=255.255.255.255, len 366, policy rejected -- normal forwarding

Jun  8 14:49:16.788: IP: s=73.30.171.1 (FastEthernet0/0), d=255.255.255.255, len 366, policy rejected -- normal forwarding

Jun  8 14:49:18.312: IP: s=73.30.171.1 (FastEthernet0/0), d=255.255.255.255, len 328, policy rejected -- normal forwarding

When I try hitting the internet from a VPN client I get these (my client is .101); the source IPs are probably so volatile since it's a Wifi card.

Jun  8 14:49:46.217: IP: s=74.125.157.18 (FastEthernet0/0), d=192.168.0.101 (Virtual-Access2), len 40, policy rejected -- normal forwarding

Jun  8 14:49:51.850: IP: s=74.125.157.99 (FastEthernet0/0), d=192.168.0.101 (Virtual-Access2), len 40, policy rejected -- normal forwarding

andrew.prince@m... Tue, 06/08/2010 - 08:05

what about the traffic that originates from the VPN client - what is the output for that traffic in the debug?

Vindemiatrix Tue, 06/08/2010 - 08:38

Those were the only two items that were showing up... Should I do something to try to elicit more messages?

Vindemiatrix Tue, 06/08/2010 - 08:48

I had tried browsing before, but I also tried pinging external hosts such as Google and a few external DNS servers, and I still only received the two messages above...

andrew.prince@m... Tue, 06/08/2010 - 08:56

Connect a machine to the client - ping/browse etc

Then while connected post the output of "show crypto ipsec sa"

Also open the vpn client up and look at the route details and post a screenshot

Vindemiatrix Tue, 06/08/2010 - 09:34

C3725#show crypto ipsec sa

interface: FastEthernet0/0

    Crypto map tag: CLIENTMAP, local addr X.X.X.X

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)

   current_peer Y.Y.Y.Y port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: X.X.X.X, remote crypto endpt.: Y.Y.Y.Y

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (172.31.12.0/255.255.255.0/0/0)

   current_peer Y.Y.Y.Y port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: X.X.X.X, remote crypto endpt.: Y.Y.Y.Y

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Serial0/0

    Crypto map tag: CLIENTMAP, local addr 10.0.0.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)

   current_peer Y.Y.Y.Y port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: Y.Y.Y.Y

     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0

     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (172.31.12.0/255.255.255.0/0/0)

   current_peer Y.Y.Y.Y port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: Y.Y.Y.Y

     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0

     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2

    Crypto map tag: Virtual-Access2-head-0, local addr X.X.X.X

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.0.103/255.255.255.255/0/0)

   current_peer 75.248.212.189 port 8611

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 39, #pkts encrypt: 39, #pkts digest: 39

    #pkts decaps: 229, #pkts decrypt: 229, #pkts verify: 229

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: X.X.X.X, remote crypto endpt.: 75.248.212.189

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

     current outbound spi: 0x1925F77B(421918587)

     inbound esp sas:

      spi: 0x5B8078B3(1535146163)

        transform: esp-256-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 19, flow_id: AIM-VPN/EPII-PLUS:19, crypto map: Virtual-Access2-head-0

        sa timing: remaining key lifetime (k/sec): (4556937/3476)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x1925F77B(421918587)

        transform: esp-256-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 20, flow_id: AIM-VPN/EPII-PLUS:20, crypto map: Virtual-Access2-head-0

        sa timing: remaining key lifetime (k/sec): (4556965/3476)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

C3725#

Todd Pula Tue, 06/08/2010 - 11:25

In your case you are using DVTI so the decapsulated packets will be output on the virtual tunnel interface associated with your isakmp profile. I would start by moving the policy route statement to the virtual template interface. I would also unnumber the virtual template interface using interface fa0/0. This should get the traffic directed out towards the loopback where ip nat inside is configured. In the Internet path, I would not recommend referencing the same route-map in the ip nat inside source statement as used in the inbound policy routing configuration. Instead configure an ACL and/or route-map specific to the NAT exemption process. Let me know if you get stuck and I can try to mock this up quickly.

Vindemiatrix Tue, 06/08/2010 - 12:08

First I have gotten rid of the policy 10 and CLIENTMAP 1 as I am no longer connecting to a remote site. Do I still need crypto ipsec profile IPSEC_PROFILE1? I'm kind of confused and I think the virtual template stuff may be configured incorrectly even though I can still connect.

I am new to the virtual template stuff as SDM automagically added it last time I was in there, go figure.

If you could provide some pseudo example that would be great. I tried to understand what's going on but I think my configuration has gotten a bit wild when compared to the Cisco example.

Correct Answer
Todd Pula Tue, 06/08/2010 - 13:17

Based on my own lab testing, you can achieve this with and without policy routing. You can either configure the policy route on the virtual template interface and direct the traffic towards the loopback where ip nat inside is enabled, or you can just configure ip nat inside on the virtual template interface and remove the policy routing.

crypto isakmp policy 3
encr 3des
authentication pre-share
group 2

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

crypto isakmp client configuration group VPN-Users
key cisco123
dns 208.67.222.222 208.67.220.220
domain domain.com
pool VPN_POOL
include-local-lan
netmask 255.255.255.0
crypto isakmp profile IKE-PROFILE
   match identity group VPN-Users
   client authentication list default
   isakmp authorization list default
   client configuration address initiate
   client configuration address respond
   virtual-template 1

crypto ipsec transform-set ESP-3DES-SHA esp-aes 256 esp-sha-hmac

crypto ipsec profile IPSEC_PROFILE1
set transform-set ESP-3DES-SHA
set isakmp-profile IKE-PROFILE

crypto dynamic-map DYNMAP 10
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP

interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
crypto map CLIENTMAP

interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE1

ip local pool VPN_POOL 192.168.0.100 192.168.0.105

ip nat inside source list 150 interface GigabitEthernet0/0 overload

access-list 150 deny   ip 172.16.0.0 0.0.255.255 host 192.168.0.100
access-list 150 deny   ip 172.16.0.0 0.0.255.255 host 192.168.0.101
access-list 150 deny   ip 172.16.0.0 0.0.255.255 host 192.168.0.102
access-list 150 deny   ip 172.16.0.0 0.0.255.255 host 192.168.0.103
access-list 150 deny   ip 172.16.0.0 0.0.255.255 host 192.168.0.104
access-list 150 deny   ip 172.16.0.0 0.0.255.255 host 192.168.0.105
access-list 150 deny   ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 permit ip 172.16.2.0 0.0.0.255 any
access-list 150 permit ip 172.16.3.0 0.0.0.255 any
access-list 150 permit ip 192.168.0.0 0.0.0.255 any

***************************************************************************************

Pro Inside global         Inside local          Outside local         Outside global
icmp 1.1.1.1:1            192.168.0.102:1       4.2.2.2:1             4.2.2.2:1
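An added example (not code from the thread or from Cisco) that evaluates the answer's NAT ACL 150 in IOS first-match order against constructed sample flows, showing which flows `ip nat inside source list 150` translates and which it exempts. It also evaluates the entry order that the earlier `show ip access-lists 150` output printed, where the 172.16.2.0/24 to 172.31.12.0/24 deny sits at sequence 100 after the permits and is therefore never reached; the sample addresses are constructed, except 4.2.2.2, which comes from the translation table above.

```python
"""First-match evaluation of a Cisco IOS extended ACL against sample flows.

Added example, not code from the thread: it models the NAT ACL 150 from the
answer above.  In `ip nat inside source list 150 ...` a `permit` match means
the flow is translated and a `deny` match means it is exempt from NAT.
"""
from dataclasses import dataclass
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard masks are inverse netmasks: a set bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def _take_address(tokens: list[str]) -> tuple[str, str, list[str]]:
    """Consume one address spec: `host A`, `any`, or `A WILDCARD`."""
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse the `access-list N permit|deny ip <src> <dst>` subset used on this page."""
    _, _, action, proto, *rest = line.split()
    if proto != "ip":
        raise ValueError(f"only protocol 'ip' is modelled: {line}")
    src, src_wc, rest = _take_address(rest)
    dst, dst_wc, _ = _take_address(rest)
    return Ace(action, src, src_wc, dst, dst_wc)


def evaluate(acl: list[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def nat_decision(acl: list[Ace], src: str, dst: str) -> str:
    """Translate the ACL verdict into what `ip nat inside source list` does with the flow."""
    return "translated" if evaluate(acl, src, dst) == "permit" else "exempt"


# ACL 150 exactly as the answer configures it: NAT exemptions first, then the permits.
ACL150_AS_CONFIGURED = [parse_ace(l) for l in """
access-list 150 deny   ip 172.16.0.0 0.0.255.255 host 192.168.0.100
access-list 150 deny   ip 172.16.0.0 0.0.255.255 host 192.168.0.101
access-list 150 deny   ip 172.16.0.0 0.0.255.255 host 192.168.0.102
access-list 150 deny   ip 172.16.0.0 0.0.255.255 host 192.168.0.103
access-list 150 deny   ip 172.16.0.0 0.0.255.255 host 192.168.0.104
access-list 150 deny   ip 172.16.0.0 0.0.255.255 host 192.168.0.105
access-list 150 deny   ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 permit ip 172.16.2.0 0.0.0.255 any
access-list 150 permit ip 172.16.3.0 0.0.0.255 any
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
""".strip().splitlines()]

# The same entries in the order `show ip access-lists 150` printed them earlier in
# the thread: the 172.31.12.0 deny is sequence 100, appended after the permits.
ACL150_AS_SHOWN = ACL150_AS_CONFIGURED[:6] + ACL150_AS_CONFIGURED[7:] + [ACL150_AS_CONFIGURED[6]]


if __name__ == "__main__":
    # Constructed sample flows: a VPN client (.101) browsing, the LAN talking to that
    # client, and the LAN talking to the 172.31.12.0/24 site-to-site subnet.
    for acl_name, acl in (("as configured", ACL150_AS_CONFIGURED), ("as shown", ACL150_AS_SHOWN)):
        for src, dst in (("192.168.0.101", "4.2.2.2"),
                         ("172.16.2.5", "192.168.0.101"),
                         ("172.16.2.5", "172.31.12.5")):
            print(f"{acl_name:14} {src:>15} -> {dst:<15} {nat_decision(acl, src, dst)}")
```

The VPN client's internet flow is translated in both orders, and LAN-to-client traffic stays exempt in both; only the LAN-to-172.31.12.0/24 flow changes verdict, which is the kind of shadowed entry worth checking with `show ip access-lists` before trusting the running-config order.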

Vindemiatrix Tue, 06/08/2010 - 13:49

Placing the ip nat inside the VirtualTemplate1 worked.

Is there any benefit to using the loopback and policy route-map per the Cisco example versus the VirtualTemplate, such as security, performance, etc.?

Todd Pula Tue, 06/08/2010 - 13:57

Prior to VTI, the only option was to use policy routing and the loopback in order to hook the traffic into the NAT process. You can treat the virtual template as another logical interface on which you can configure ACLs, ZBFW, QoS, etc. Performance should be the same. Please rate this thread if you found it helpful so that others can benefit from the content.

Vindemiatrix Tue, 06/08/2010 - 14:09

Very cool, that's what I needed to know before I got rid of the policy routing.

Maximilian.Scho... Fri, 06/14/2013 - 01:25

If I have two Cisco IPsec VPN clients, is it possible that they can reach each other (on the same or different subnets)?

jbaraona Thu, 05/03/2012 - 02:51

Hello Everybody.

Has anyone done this configuration using a L2L VPN instead of VPN Client?

thanks a lot for your help.

Best,

Jose

Posted June 7, 2010 at 8:55 PM