I could really use a second set of eyes on this VPN config. :)

Unanswered Question
Apr 28th, 2012

Hi all,

I am attempting to set up a client-to-server VPN using IOS 12.4 and Cisco Client 5.x. At this point, the client does connect; however, I cannot ping or send/receive data over the VPN. I am initially attempting a split-tunnel config, as they seem easier. Ideally, the client would route *all* data over the VPN, including that which is destined for the public network, in the interest of safe browsing remotely. However, I haven't got that far yet.

Currently, I have a network set up as:

FastEthernet0/0 - Public network via DHCP from ISP.
FastEthernet0/1 - Internal network on the 192.168.1.0/24 network.

I currently have a NAT overload on FastEthernet0/0 so that internal hosts can browse the Internet. As mentioned, I would also like to have remote VPN hosts browse the Internet via this same overload.

Below is my config in full, with some parts redacted. Please let me know what I am doing wrong for this split-tunnel setup, and any suggestions to get this working in a non-split-tunnel way would be great. I have been working on this for 2 days, and all the tutorials and guides I've read do not seem to work for me.

Thanks!

Trevor


--------------------------------------



!
! Last configuration change at 23:06:48 EDT Fri Apr 27 2012 by trevor
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 sometextsometextsometext
enable password somepassword
!
aaa new-model
aaa authentication login userauth local
aaa authorization network groupauth local
!
username vpnuser password 0 vpnpassword
!
!
clock timezone EST -5
clock summer-time EDT recurring
!
ip name-server 4.2.2.2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! needed to enable resolution of the URLs in the update config commands
!
ip domain lookup
!
!
ip ddns update method mydomain_update
 http
  add http://login:[email protected]/nic/update?hostname=mydomain.dyndns.org&myip=<a>
 interval maximum 0 0 1440 0
 interval minimum 0 0 1440 0
!
!
! Applying update method to interface
!
!interface FastEthernet0/0
!  ip ddns update mydomain_update
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
ip domain name mydomain.dyndns.org
!
!
username user privilege 15 secret 5 sometextsometextsometext
!
!
interface FastEthernet0/0
 description *** Outside ***
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpn-map
 ip ddns update mydomain_update
!
!
interface FastEthernet0/1
 description *** Inside ***
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Loopback0
 description VPN
 ip address 10.1.254.1 255.255.255.240
!
!
crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngroup
 key vpnpassword
 dns 4.2.2.2 4.2.2.1
 domain mydomain.dyndns.org
 pool vpnpool
 acl 101
!
crypto ipsec transform-set vpn esp-aes esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set vpn
 reverse-route
!
crypto map vpn-map client authentication list userauth
crypto map vpn-map isakmp authorization list groupauth
crypto map vpn-map client configuration address respond
crypto map vpn-map 10 ipsec-isakmp dynamic dynmap
!
!
ip nat inside source list 10 interface FastEthernet0/0 overload
!
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.254.0 0.0.0.255
!
!
!
ip local pool vpnpool 10.1.254.2 10.1.254.14
!
!radius-server host 192.168.1.201 auth-port 1645 acct-port 1646 key cisco
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input ssh
!
ntp clock-period 17208002
ntp server 142.137.247.109
!
end




--------------------------------------

trevorgeorgia Sun, 04/29/2012 - 08:54

Hi Andrew,

Thanks for the reply. The only NAT statement I have is the overload for the internal hosts on the 192.168.1.0/24 network to access the Internet. Can you clarify?

I have updated access-list 101 to state:

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.254.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

trevorgeorgia Sun, 04/29/2012 - 12:59

I apologize, I'm thick here. So, I need to remove the line I added on the access-list. So access-list 101 would just be:

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Which should pass the split-tunneling route to the client.

I then need to add a line to prevent NAT from occurring from my internal (192.168.1.0/24) network to the VPN network, which is (10.1.254.0/24). I would also need to add a new access-list to that effect. However, I should keep the existing NAT line in order to ensure that internal network machines can reach the public network, so:

no ip nat inside source list 102 interface FastEthernet0/0 overload
ip nat inside source list 10 interface FastEthernet0/0 overload

access-list 102 permit 192.168.1.0 0.0.0.255 10.1.245.0 0.0.0.255

Is this correct?

Thanks again for your help!

Trevor

trevorgeorgia Sun, 04/29/2012 - 13:06

Actually, it would seem to be easier to make access-list 102 contain:

access-list 102 deny ip 192.168.1.0 0.0.0.255 10.1.254.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any

then delete the existing NAT overload and do:

ip nat inside source list 102 interface fastethernet0/0 overload

trevorgeorgia Sun, 04/29/2012 - 13:14

Hmm. Did not seem to work. I still cannot ping the router's VPN interface / loopback (10.1.254.1) or any of the inside machines on the 192.168.1.0/24 network.

trevorgeorgia Sun, 04/29/2012 - 13:32

It seems that when I attempt to ping from 192.168.1.x to the VPN client's IP on the 10.1.254.0 network, the number of access-list hits on the rule "access-list 102 deny ip 192.168.1.0 0.0.0.255 10.1.254.0 0.0.0.255" increments.

However, when I attempt to ping from the remote client to the 192.168.1.x hosts, the access-list hits on the rule "access-list 102 permit ip 192.168.1.0 0.0.0.255 any" increment. Neither of which results in a successful ping.

access-list 101, which is assigned to the VPN, has never had a match from what I can see.
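As an added check (my own example, not code from the thread or from Cisco), here is a small Python model of how IOS evaluates a numbered extended ACL with wildcard masks, first match wins with an implicit deny at the end, applied to the NAT access-list 102 from the third reply. It assumes the documented "ip nat inside source list" rule that an inside-to-outside flow is translated only when the list permits it, and models only "ip" entries with a network/wildcard pair or "any" on each side.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:  # one "ip" entry of an IOS numbered extended ACL, as used in the thread
    action: str    # "permit" or "deny"
    src: str       # source network or "any"
    src_wild: str  # IOS wildcard mask: a 1 bit means "don't care"
    dst: str       # destination network or "any"
    dst_wild: str

def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """IOS wildcard-mask comparison; "any" matches every address."""
    if net == "any":
        return True
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    care = 0xFFFFFFFF ^ w          # the bits that must be equal
    return (a & care) == (n & care)

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N {permit|deny} ip SRC SWILD DST DWILD'; 'any' is allowed on either side."""
    tok = line.split()
    action, rest = tok[2], tok[4:]   # tok[3] is the protocol keyword, assumed to be "ip"
    def take():                      # consume one address specification from rest
        if rest[0] == "any":
            return rest.pop(0), "255.255.255.255"
        return rest.pop(0), rest.pop(0)
    src, sw = take()
    dst, dw = take()
    return Ace(action, src, sw, dst, dw)

def load_acl(text: str) -> list:
    return [parse_ace(line) for line in text.strip().splitlines()]

def evaluate(acl: list, src: str, dst: str) -> str:
    """First matching entry wins; the implicit deny at the end applies as on IOS."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wild) and wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"

def is_translated(acl: list, src: str, dst: str) -> bool:
    """'ip nat inside source list': an inside-to-outside flow is translated only if the list permits it."""
    return evaluate(acl, src, dst) == "permit"

# Constructed copy of the NAT exemption list proposed in the third reply.
NAT_ACL_102 = load_acl("""
access-list 102 deny ip 192.168.1.0 0.0.0.255 10.1.254.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
""")
```

The same evaluator also shows why the 10.1.245.0 wildcard typed in the second reply would not exempt the 10.1.254.x pool: that deny never matches, so return traffic to the VPN clients would still be translated.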
