VPN Split Tunnel with NAT

Jul 12th, 2010

Hi There,

I used SDM to set up a VPN server with split tunneling. The remote users can connect in fine and browse the internal network, and users at the HQ can get out to the internet fine. However, I have a public wifi subnet that also needs internet access, and they cannot get out to the internet unless I NAT their subnet. But doing this then prevents the remote VPN users from browsing the internal network.

Here's what I changed.

ORIGINAL (Remote VPN works, but Wifi subnet has no internet access)

ip route 172.16.55.0 255.255.255.0 Ethernet0
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
access-list 10 remark SDM_ACL Category=16
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=2
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.1
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.2
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.3
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.4
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.5
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.6
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.7
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.8
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.9
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.10
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit icmp any any
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any time-exceeded
access-list 199 permit icmp any any packet-too-big
access-list 199 permit icmp any any traceroute
access-list 199 permit icmp any any unreachable
access-list 199 permit udp any any eq bootpc
access-list 199 permit gre any any
access-list 199 permit esp any any
access-list 199 permit udp any eq isakmp any eq isakmp
access-list 199 permit udp any any eq non500-isakmp
access-list 199 permit udp any any eq isakmp
access-list 199 permit tcp any any eq 1723
access-list 199 permit udp any any eq domain
access-list 199 permit tcp any any eq domain
access-list 199 deny   udp any any eq snmp
access-list 199 deny   tcp any any
access-list 199 deny   udp any any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 101
!

*************************************************************************************************

CHANGED TO THIS (Now the 172.16.55.0 & 172.16.56.0 networks have internet access, but the Remote VPN users cannot browse the 192.168.2.0 network)

!
ip local pool SDM_POOL_1 10.10.55.1 10.10.55.10
ip route 172.16.55.0 255.255.255.0 Ethernet0
ip route 172.16.56.0 255.255.255.0 Ethernet0
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 192.168.2.254 222 interface Dialer1 222
ip nat inside source static tcp 192.168.2.254 221 interface Dialer1 221
ip nat inside source static tcp 192.168.2.254 220 interface Dialer1 220
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
access-list 10 remark SDM_ACL Category=16
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 permit 172.16.55.0 0.0.0.255
access-list 10 permit 172.16.56.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=2
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.1
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.2
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.3
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.4
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.5
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.6
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.7
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.8
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.9
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.10
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit ip 172.16.55.0 0.0.0.255 any
access-list 102 permit ip 172.16.56.0 0.0.0.255 any
access-list 102 permit icmp any any
access-list 199 permit tcp any any range 220 222
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any time-exceeded
access-list 199 permit icmp any any packet-too-big
access-list 199 permit icmp any any traceroute
access-list 199 permit icmp any any unreachable
access-list 199 permit udp any any eq bootpc
access-list 199 permit gre any any
access-list 199 permit esp any any
access-list 199 permit udp any eq isakmp any eq isakmp
access-list 199 permit udp any any eq non500-isakmp
access-list 199 permit udp any any eq isakmp
access-list 199 permit tcp any any eq 1723
access-list 199 permit udp any any eq domain
access-list 199 permit tcp any any eq domain
access-list 199 deny   udp any any eq snmp
access-list 199 deny   tcp any any
access-list 199 deny   udp any any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 101

Can someone tell me where I've gone wrong?

Thanks,

Keith

Jason Gervia Tue, 07/13/2010 - 05:50

You have overlapping NAT statements:

ip nat inside source list 10 interface Dialer1 overload
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload

You should put the entries from ACL 10 into access-list 101 (at the bottom) and remove these:

no ip nat inside source list 10 interface Dialer1 overload

no ip access-list standard 10

And then add the 2 lines to the bottom that were previously in ACL 10 so it looks something like this:

access-list 101 remark SDM_ACL Category=2
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.1
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.2
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.3
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.4
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.5
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.6
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.7
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.8
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.9
access-list 101 deny   ip 192.168.2.0 0.0.0.255 host 10.10.55.10
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 172.16.55.0 0.0.0.255 any
access-list 101 permit ip 172.16.56.0 0.0.0.255 any

Should accomplish what you need.

--Jason
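
The overlap described in the reply above can be checked offline. This is an added example, not part of the thread: a small Python model that evaluates the thread's ACL 10 and ACL 101 lines with first-match semantics and reports whether a packet would be translated. The function names, the rule that a packet is NATed if any dynamic NAT statement's ACL permits it, and the sample packet addresses are assumptions of this sketch.

```python
import ipaddress

def wild_match(addr, base, wildcard):  # wildcard bits that are set mean "don't care"
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_spec(t):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (spec, remaining tokens)."""
    if t[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), t[1:]
    if t[0] == "host":
        return (t[1], "0.0.0.0"), t[2:]
    return (t[0], t[1] if len(t) > 1 else "0.0.0.0"), t[2:]

def parse_acls(config):
    """Map ACL number -> ordered [(action, src_spec, dst_spec)]."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue  # remarks and non-ACL lines
        if t[3] == "ip":          # extended ACL: source and destination
            src, rest = parse_spec(t[4:])
            dst, _ = parse_spec(rest)
        elif int(t[1]) < 100:     # standard ACL: source only
            src, _ = parse_spec(t[3:])
            dst = ("0.0.0.0", "255.255.255.255")
        else:
            continue              # tcp/udp/icmp entries are outside this model
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def acl_permits(entries, src, dst):
    for action, s, d in entries:   # first match wins
        if wild_match(src, *s) and wild_match(dst, *d):
            return action == "permit"
    return False                   # implicit deny

def translated(acls, nat_acls, src, dst):
    """Assumed model: NATed if any dynamic NAT rule's ACL permits the packet."""
    return any(acl_permits(acls.get(n, []), src, dst) for n in nat_acls)

# ACL lines are taken from the thread; the packet addresses used are constructed.
DENY = "\n".join(f"access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.{i}" for i in range(1, 11))
COMMON = DENY + "\naccess-list 101 permit ip 192.168.2.0 0.0.0.255 any\n"
BROKEN = parse_acls(COMMON + "\n".join(f"access-list 10 permit {n} 0.0.0.255" for n in ("192.168.2.0", "172.16.55.0", "172.16.56.0")))
FIXED = parse_acls(COMMON + "\n".join(f"access-list 101 permit ip {n} 0.0.0.255 any" for n in ("172.16.55.0", "172.16.56.0")))

if __name__ == "__main__":
    print(translated(BROKEN, ["10", "101"], "192.168.2.50", "10.10.55.3"), translated(FIXED, ["101"], "192.168.2.50", "10.10.55.3"))
```

Standard ACL 10 matches on source only, so it cannot exempt traffic destined for the VPN pool; the extended ACL 101 can, which is why the consolidated list restores access for the remote clients.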

keithatwood Thu, 07/15/2010 - 14:18

Thanks Jason!

This worked perfectly. I see where I went wrong now.

Keith
