VPN to the internet

Answered Question
Aug 25th, 2010

Hi all,


I have a Cisco 877 configured so that I can VPN to it and access my LAN equipment. This is all working fine..


But I also want to access the internet through my own provider when I'm connected..


I read something about VPN passthrough.. but no idea how to configure this..


Can anyone tell me how to do this?


Thanks

martinbuffleo Wed, 08/25/2010 - 08:04

Sounds like you're talking about split tunneling.


Your laptop can access your LAN at the end of the VPN but accesses the WWW directly without using the VPN.

kennis1977 Wed, 08/25/2010 - 09:45

Ehh well.... I can access devices in my network but I cannot access the internet... so not with the local gateway.. or with the VPN gateway..

And that is just what I want... I want to access the internet with the VPN gateway...


And I thought split tunneling was for accessing the internet with the local gateway.. or am I wrong..?


Thanks again...

kennis1977 Thu, 08/26/2010 - 00:32

Hi,


Yes, this is the thing I was looking for... so I think the problem right now is that I don't have "ip nat inside" on my loopback interface..


Going to try this.. and keep you posted..


Thanks

kennis1977 Mon, 09/13/2010 - 10:56

Hi,


Sorry for the delay.. didn't find any time to try the above.. till now..


However.. the config from the link is not working for me... it does not even respond when I'm trying to set up a VPN connection.


So.. perhaps you guys can tell me what I have to change on my existing VPN config, the one that is almost working fine

except for one thing of course... (going to the internet from the router's location).


Here is my config.. I tried to make a loopback interface also "ip nat inside".. but it is not working yet.. what did I do wrong..?


Thanks again..



version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 878
!
boot-start-marker
boot system tftp c870-advipservicesk9-mz.124-15.T5.bin 172.16.250.24
boot-end-marker
!
no logging buffered
enable secret 5 $1$03H7$859Xjir5RS63RH47ET8UI0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authentication login sdm_vpn_xauth_ml_4 local
aaa authentication login sdm_vpn_xauth_ml_5 local
aaa authentication login sdm_vpn_xauth_ml_6 local
aaa authentication login sdm_vpn_xauth_ml_7 local
aaa authentication login sdm_vpn_xauth_ml_8 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
!
aaa session-id common
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint entrust
enrollment terminal
revocation-check none
!
crypto pki trustpoint 878_Certificate
enrollment selfsigned
serial-number none
ip-address none
revocation-check crl
rsakeypair 878_Certificate_RSAKey 512
!
!
dot11 syslog
ip cef
!
!
!
!
ip name-server 4.2.2.5
ip name-server 62.58.50.5
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username blomk privilege 15 password 7 ******
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key ******
dns 62.58.50.5 62.58.50.6
pool SDM_POOL_1
max-users 10
netmask 255.255.255.0
!

!
crypto isakmp profile sdm-ike-profile-1
   match identity group vpn
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1

!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!

!
archive
log config
  hidekeys
!
!
controller DSL 0
line-term cpe
!
!
!
!
interface Loopback0
ip address 172.16.252.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
description *** Port Outside ***
switchport access vlan 10
!
interface FastEthernet1
description *** Inside ***
switchport access vlan 11
!
interface FastEthernet2
description *** Inside ***
switchport access vlan 11
!
interface FastEthernet3
description *** Inside ***
switchport access vlan 11
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan11
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!

interface Vlan1
no ip address
!
interface Vlan11
description *** Inside ***
ip address 172.16.250.253 255.255.255.0
ip directed-broadcast 101
ip nat inside
ip virtual-reassembly

!
interface Vlan10
description *** Outside ***
ip address 192.168.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly

!

!
ip local pool SDM_POOL_1 172.16.252.240

ip forward-protocol nd
ip forward-protocol udp echo
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list 100 interface Vlan10 overload
ip nat inside source static udp 172.16.250.255 7 interface Vlan11 7
ip nat inside source static tcp 172.16.250.24 3389 interface Vlan10 3389
ip nat inside source static udp 172.16.250.24 7 interface Vlan10 7
ip nat inside source static tcp 172.16.252.1 443 interface Vlan10 443
ip nat inside source static tcp 172.16.250.253 161 interface Vlan10 161
ip nat inside source static tcp 172.16.250.253 23 interface Vlan10 23
ip nat inside source static udp 172.16.250.231 161 interface Vlan10 161
ip nat inside source static tcp 172.16.250.231 7 interface Vlan10 7
!
ip access-list extended pass-vpn
remark vpn pass through
remark SDM_ACL Category=1
permit ip any any
!
no logging trap
!
access-list 100 permit ip any any
!
!
!
!
!
route-map VPN_CLIENT permit 10
set ip next-hop 192.168.1.1
!

!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
!

!

!
!

!
policy group policy_1
   functions svc-enabled
   svc address-pool "SDM_POOL_1"
   svc keep-client-installed
default-group-policy policy_1
aaa authentication list sdm_vpn_xauth_ml_7
gateway kennis
inservice
!
!

login-message "welkom!"
!
policy group policy_1
   functions svc-enabled
   svc address-pool "SDM_POOL_1"
   svc keep-client-installed
default-group-policy policy_1
aaa authentication list sdm_vpn_xauth_ml_4
gateway gateway_1
inservice
!
end

kennis1977 Thu, 10/21/2010 - 03:18

Hi all,


This config is still not working for access to the internet.. can nobody help me???


I did some more research.. and figured out that the problem is perhaps (or pretty much surely) NAT..

When the VPN is up and running and I'm trying to ping, for example, my DNS IP address.. I'm getting

a NAT translation failed (F).


So something is going wrong with attaching the VPN address to Loopback0, I think..

praprama Thu, 10/21/2010 - 06:27

Hi,


So here is what you need to have configured in your case.


Create an access-list of the following format:


ip access-list extended VPN_Internet
 permit ip 172.16.252.240 0.0.0.15 any


Here I am assuming your VPN pool is 172.16.252.240/28. Next is to apply this onto the route-map you have created:


route-map VPN_CLIENT permit 10
 match ip address VPN_Internet
 set ip next-hop 172.16.252.1


Now on your outside interface, apply this route-map:


interface Vlan10
 ip policy route-map VPN_CLIENT


Now effectively we are redirecting all traffic from the VPN client to the Loopback interface we have. Now what needs to go to the LAN should be taken care of by the routing, and the internet also should be taken care of as we already have "ip nat inside" on the loopback interface.


Let me know how this goes!!


Thanks and Regards,

Prapanch

kennis1977 Thu, 10/21/2010 - 10:11

Thanks for your reply...


I tried the following settings:


However, I don't see any failed NAT translations anymore.. but still cannot access the internet..


Oh and.. I cannot insert "set ip next-hop 172.16.252.1" because that's the Loopback0 address..


Did I still do something wrong?


Thanks


no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 878
!
boot-start-marker
boot system tftp c870-advipservicesk9-mz.124-15.T5.bin 172.16.250.24
boot-end-marker
!
no logging buffered


!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authentication login sdm_vpn_xauth_ml_4 local
aaa authentication login sdm_vpn_xauth_ml_5 local
aaa authentication login sdm_vpn_xauth_ml_6 local
aaa authentication login sdm_vpn_xauth_ml_7 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint entrust
enrollment terminal
revocation-check none
!
crypto pki trustpoint 878_Certificate
enrollment selfsigned
serial-number none
ip-address none
revocation-check crl
rsakeypair 878_Certificate_RSAKey 512
!
!
dot11 syslog
ip cef
!
!
!
!
ip name-server 62.58.50.5
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!


!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key ********
dns 62.58.50.5 62.58.50.6
pool SDM_POOL_1
backup-gateway 172.16.252.1
max-users 10
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group vpn
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
archive
log config
  hidekeys
!
!
controller DSL 0
line-term cpe
!
!
!
!
interface Loopback0
ip address 172.16.252.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
description *** Port Outside ***
switchport access vlan 10
!
interface FastEthernet1
description *** Inside ***
switchport access vlan 11
!
interface FastEthernet2
description *** Inside ***
switchport access vlan 11
!
interface FastEthernet3
description *** Inside ***
switchport access vlan 11
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan11
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
no ip address
!
interface Vlan11
description *** Inside ***
ip address 172.16.250.253 255.255.255.0
ip directed-broadcast 101
ip nat inside
no ip virtual-reassembly
!
interface Vlan10
description *** Outside ***
ip address 192.168.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
ip policy route-map VPN_Client
!
ip local pool SDM_POOL_1 172.16.252.240
ip forward-protocol nd
ip forward-protocol udp echo
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source static udp 172.16.250.255 7 interface Vlan11 7
ip nat inside source static tcp 172.16.250.24 3389 interface Vlan10 3389
ip nat inside source static udp 172.16.250.24 7 interface Vlan10 7
ip nat inside source static tcp 172.16.252.1 443 interface Vlan10 443
ip nat inside source static tcp 172.16.250.253 161 interface Vlan10 161
ip nat inside source static tcp 172.16.250.253 23 interface Vlan10 23
ip nat inside source static udp 172.16.250.231 161 interface Vlan10 161
ip nat inside source static tcp 172.16.250.231 7 interface Vlan10 7
ip nat inside source list 100 interface Vlan10 overload
!
ip access-list extended pass-vpn
remark vpn pass through
remark SDM_ACL Category=1
permit ip any any
!
no logging trap
access-list 100 permit ip any any
access-list 101 permit ip any host 172.16.252.240
!
!
!
route-map VPN_Client permit 10
match ip address 101
set ip next-hop 172.16.252.1
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end


878#

kennis1977 Sat, 10/23/2010 - 03:53

Hi,


Ok.. so I decided to rebuild the whole config again, this time with the example from the internet link below:


http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml#diag


Now I can't even connect with the VPN client anymore..


When I do a "show crypto isakmp sa", I don't see a thing...


When I do a "debug crypto isakmp" and then try to connect to the router.. nothing!!


I don't get it anymore...


Is there still something wrong in the config below????


Thanks again guys..


version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 878
!
boot-start-marker
boot system tftp c870-advipservicesk9-mz.124-15.T5.bin 172.16.250.24
boot-end-marker
!
no logging buffered
enable secret 5 ********
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
!
!
dot11 syslog
ip cef
!
!
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username blomk privilege 15 password 7 **********
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key ********
dns 62.58.50.5
pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
log config
  hidekeys
!
!
controller DSL 0
line-term cpe
!
!
!
!
interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
description *** Port Outside ***
switchport access vlan 10
!
interface FastEthernet1
description *** Inside ***
switchport access vlan 11
!
interface FastEthernet2
description *** Inside ***
switchport access vlan 11
!
interface FastEthernet3
description *** Inside ***
switchport access vlan 11
!
interface Vlan1
no ip address
!
interface Vlan11
description *** Inside ***
ip address 172.16.250.253 255.255.255.0
ip directed-broadcast 101
ip nat inside
no ip virtual-reassembly
!
interface Vlan10
description *** Outside ***
ip address 192.168.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
ip policy route-map VPN-Client
!
ip local pool ippool 172.16.252.1 172.16.252.2
ip forward-protocol nd
ip forward-protocol udp echo
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source static udp 172.16.250.255 7 interface Vlan11 7
ip nat inside source static tcp 172.16.250.24 3389 interface Vlan10 3389
ip nat inside source static udp 172.16.250.24 7 interface Vlan10 7
ip nat inside source static tcp 172.16.252.1 443 interface Vlan10 443
ip nat inside source static tcp 172.16.250.253 161 interface Vlan10 161
ip nat inside source static tcp 172.16.250.253 23 interface Vlan10 23
ip nat inside source static udp 172.16.250.231 161 interface Vlan10 161
ip nat inside source static tcp 172.16.250.231 7 interface Vlan10 7
ip nat inside source list 100 interface Vlan10 overload
ip nat inside source list 101 interface Vlan10 overload
!
no logging trap
access-list 100 permit ip any any
access-list 101 permit ip any host 172.16.252.240
access-list 101 permit ip any any
access-list 144 permit ip 172.16.252.0 0.0.0.255 any
!
!
!
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.11.0.2
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end

878#

praprama Tue, 10/26/2010 - 09:15

Hey,


Sorry for getting back this late.


In the below config, the crypto map "clientmap" is not applied to any interface. Please apply it to VLAN10 and let me know if you are able to connect.


Also, when you are connected to the VPN and trying to ping something on the internet (say 4.2.2.2), please post the output of "show ip nat translation" from the router.


Let me know how it goes!!


Thanks and Regards,

Prapanch

kennis1977 Thu, 10/28/2010 - 07:32

Hi, thanks again for your reply...


So indeed I forgot to apply the crypto map command to the outside VLAN... stupid..


So now I can connect again to the router. Great!! And I can also reach the internet.... very great!!


The only thing right now.. is that I cannot access the local subnet anymore..


Is there also a solution for that? So I can also reach my devices on the internal network? or...


Thanks....

Correct Answer
praprama Mon, 11/01/2010 - 08:52

Hi,


The NAT config is here:


ip nat inside source list 100 interface Vlan10 overload
ip nat inside source list 101 interface Vlan10 overload
!
no logging trap
access-list 100 permit ip any any
access-list 101 permit ip any host 172.16.252.240
access-list 101 permit ip any any


You will need to exempt traffic from and to the VPN clients from getting NATed. So please modify the access-lists 100 and 101 to look like below:


access-list 100 deny ip 172.16.250.0 0.0.0.255 172.16.252.0 0.0.0.255
access-list 100 permit ip any any


Let me know if this helps!!


Regards,

Prapanch
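The two pieces this thread ends up relying on, policy routing of decrypted VPN-client traffic onto the NAT-inside loopback (praprama's route-map advice above) and the deny line that exempts LAN-to-VPN return traffic from NAT (the accepted answer), are both first-match wildcard access lists, and the order and masks decide whether a flow is translated. The Python model below is an added example, not code from the thread or from Cisco: it evaluates access lists the way IOS does (0 wildcard bits must match, first match wins, implicit deny at the end) and walks the flows from the thread through the PBR and NAT decisions. The addresses and ACL lines come from the configs posted above; the interface roles, the two-entry routing table, the assumption that PBR to a loopback next hop makes the packet re-enter as inside traffic, and the `before` list without the deny line are simplifications made for the example.

```python
"""Model of IOS wildcard ACLs, policy routing and NAT on the 878 from the thread.
Constructed example; interface roles and routing table are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One line of a numbered IOS access list: action src wildcard dst wildcard."""
    action: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored.
    (A subnet mask such as 255.255.255.240 used here would ignore almost every bit.)"""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (b & ~w)


def acl_lookup(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; every access list ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")

# access-list 100 as in the accepted answer: exempt LAN -> VPN pool, translate the rest.
NAT_ACL_100 = [
    AclEntry("deny", "172.16.250.0", "0.0.0.255", "172.16.252.0", "0.0.0.255"),
    AclEntry("permit", *ANY, *ANY),
]
# The same list before the fix (assumed): only "permit ip any any".
NAT_ACL_100_BEFORE = [AclEntry("permit", *ANY, *ANY)]

# access-list 144 from the last posted config: VPN pool -> anywhere is policy routed.
PBR_ACL_144 = [AclEntry("permit", "172.16.252.0", "0.0.0.255", *ANY)]
PBR_NEXT_HOP = "10.11.0.2"     # inside the Loopback0 subnet from the posted config

# Assumed NAT roles (from "ip nat inside/outside" on the posted interfaces).
NAT_ROLE = {"Loopback0": "inside", "Vlan11": "inside", "Vlan10": "outside"}
OUTSIDE_ADDR = "192.168.1.2"   # Vlan10 address used by the overload translation


def egress_interface(dst: str) -> str:
    """Simplified routing table: connected LAN on Vlan11, everything else via the default route."""
    if ipaddress.IPv4Address(dst) in ipaddress.ip_network("172.16.250.0/24"):
        return "Vlan11"
    return "Vlan10"            # default route; reverse-route also points the pool here


def forward(src: str, dst: str, ingress: str,
            nat_acl: List[AclEntry] = NAT_ACL_100, pbr: bool = True) -> Tuple[str, str]:
    """Return (egress interface, source address as seen on the wire after NAT)."""
    # Decrypted VPN-client packets enter on the crypto-map interface (Vlan10).
    # With the route-map applied there, pool traffic is sent to the loopback next hop,
    # so for NAT purposes it now arrives from an "inside" interface (assumption).
    if pbr and ingress == "Vlan10" and acl_lookup(PBR_ACL_144, src, dst) == "permit":
        ingress = "Loopback0"
    egress = egress_interface(dst)
    inside_to_outside = NAT_ROLE[ingress] == "inside" and NAT_ROLE[egress] == "outside"
    if inside_to_outside and acl_lookup(nat_acl, src, dst) == "permit":
        return egress, OUTSIDE_ADDR   # translated by "ip nat inside source list 100 ... overload"
    return egress, src                # untranslated


if __name__ == "__main__":
    # Constructed flows: VPN client 172.16.252.1, LAN host 172.16.250.24, internet host 4.2.2.2.
    cases = [
        ("VPN client -> internet, route-map applied", ("172.16.252.1", "4.2.2.2", "Vlan10"), {}),
        ("VPN client -> internet, no route-map", ("172.16.252.1", "4.2.2.2", "Vlan10"), {"pbr": False}),
        ("VPN client -> LAN host", ("172.16.252.1", "172.16.250.24", "Vlan10"), {}),
        ("LAN host -> VPN client, with deny line", ("172.16.250.24", "172.16.252.1", "Vlan11"), {}),
        ("LAN host -> VPN client, before fix", ("172.16.250.24", "172.16.252.1", "Vlan11"),
         {"nat_acl": NAT_ACL_100_BEFORE}),
        ("LAN host -> internet", ("172.16.250.24", "4.2.2.2", "Vlan11"), {}),
    ]
    for name, args, kw in cases:
        egress, wire_src = forward(*args, **kw)
        print(f"{name:44s} out {egress:9s} src {wire_src}")
```

Running it shows the two failure modes from the thread side by side: without the route-map the hairpinned client packet stays outside-to-outside and never gets a translation (the untranslated private source is what the asker saw fail), and without the deny line the LAN reply to a VPN client is translated to 192.168.1.2 and never reaches the tunnel.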

kennis1977 Tue, 11/02/2010 - 08:24

Looks great!!! It's working now...


Thanks for your reply.. and help...
