05-18-2012 05:46 AM
Dear all,
We have an 1841 router with webvpn enabled and split tunneling. That router is also connected to a second office using a VTI. We would like the webvpn remote clients (using AnyConnect) to access the remote office network through the VTI.
Office 1 network: 192.168.10.0
Office 2 (remote) network: 192.168.11.0
I think the webvpn setup with split tunneling is properly set up; however, I don't know how to route packets from 192.168.60.0 (the DHCP pool for webvpn clients) to the 192.168.11.0 network.
Does somebody have an idea?
Regards,
Olivier
Router config:
interface Tunnel0
description VTI To office 2
ip address 192.168.50.1 255.255.255.0
tunnel source Dialer1
tunnel mode ipsec ipv4
tunnel destination 217.x.x.133
tunnel path-mtu-discovery
tunnel protection ipsec profile vti
!
interface FastEthernet0/0
description LAN Interface
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer1
description To ADSL
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname x
ppp chap password 7 x
!
ip local pool PoolVpnAdsl 192.168.60.1 192.168.60.10
ip forward-protocol nd
!
ip nat inside source route-map IspADSL interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.11.0 255.255.255.0 192.168.50.2
!
logging esm config
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny any
access-list 100 permit ip any any
dialer-list 1 protocol ip permit
!
route-map IspADSL permit 1
match ip address 10
match interface Dialer1
!
webvpn gateway GateSslAdsl
ip address 193.x.x.113 port 443
http-redirect port 80
ssl trustpoint xxx
inservice
!
webvpn context VpnSslAdsl
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "PoolVpnAdsl"
svc keep-client-installed
svc split dns "domain.dom"
svc split include 192.168.10.0 255.255.255.0
svc split include 192.168.11.0 255.255.255.0
svc dns-server primary 192.168.10.X
default-group-policy policy_1
aaa authentication list XauthRadius
gateway GateSslAdsl
inservice
05-18-2012 08:41 AM
Hi Olivier,
You need to change your ACL "10" to an extended ACL
"access-list 10 permit 192.168.10.0 0.0.0.255"
Please create an ACL 101 as shown below.
access-list 101 deny ip 192.168.60.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
Remove this line: route-map IspADSL permit 1
Remove this line: match ip address 10
route-map IspADSL permit 1
match ip address 101
Also, please make sure you have a static route in place at the other end of the VTI to push "192.168.60.0 0.0.0.255".
Please let me know, if this helps.
thanks
Message was edited by: Rizwan Mohamed
05-19-2012 01:58 AM
Hi Mohamed,
It works perfectly. Thanks.
I added the lines as you suggested:
access-list 110 deny ip 192.168.60.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 110 deny ip 192.168.11.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 deny ip any any
and replaced "match ip address 10" with "match ip address 110" in route-map IspADSL permit 1.
I also added the line "ip route 192.168.60.0 255.255.255.0 192.168.50.1".
Thanks again,
Kind regards,
Olivier
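To see which flows the NAT statement actually translates once the route-map points at ACL 110, here is an added example (it is not part of the thread and not IOS code) that models the three IOS behaviours the fix relies on: first-match ACL evaluation with the implicit deny at the end, longest-prefix routing over the two static routes in the posted config, and a NAT route-map whose `match ip address` and `match interface Dialer1` clauses must both hold for a flow to be translated. The ACL and route lines are copied from the thread; the `CONNECTED` table, the Internet host 198.51.100.7 and the sample flows are constructed for the illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed model of the IOS pieces this thread turns on: a numbered ACL
# (first match wins, implicit deny at the end), a static routing table
# (longest prefix wins) and a NAT route-map whose match clauses are ANDed.
# Added illustration only; not IOS code. Flows and the Internet host are made up.

Net = ipaddress.IPv4Network
Rule = Tuple[str, Net, Net]          # (permit|deny, source net, destination net)
Route = Tuple[Net, str]              # (prefix, egress interface)
ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Read one ACL address operand ('any', 'host A', or 'A wildcard') at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # A Cisco wildcard is the bitwise inverse of a netmask (contiguous masks assumed).
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(lines: List[str]) -> List[Rule]:
    """Parse 'access-list N permit|deny [ip] <src> [<dst>]' (standard or extended)."""
    rules = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported access-list line: {line!r}")
        if t[3] == "ip":                       # extended ACL: source and destination
            src, i = _net(t, 4)
            dst, _ = _net(t, i)
        else:                                  # standard ACL: source only
            src, _ = _net(t, 3)
            dst = ANY
        rules.append((t[2], src, dst))
    return rules


def acl_action(rules: List[Rule], src: str, dst: str) -> str:
    """First matching entry decides; an ACL with no match denies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sn, dn in rules:
        if s in sn and d in dn:
            return action
    return "deny"


def parse_routes(lines: List[str], connected: Dict[str, Net]) -> List[Route]:
    """'ip route <prefix> <mask> <next-hop|interface>'; a next-hop address is resolved
    to the interface whose connected subnet contains it (one level, as in this config)."""
    routes = []
    for line in lines:
        t = line.split()
        prefix = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        try:
            hop = ipaddress.ip_address(t[4])
            iface = next(name for name, net in connected.items() if hop in net)
        except ValueError:                     # not an address: an interface name
            iface = t[4]
        routes.append((prefix, iface))
    return routes


def egress_interface(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match; None if the destination is unroutable."""
    d = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, iface in routes:
        if d in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def translated(rules: List[Rule], routes: List[Route], src: str, dst: str,
               nat_outside: str = "Dialer1") -> bool:
    """'ip nat inside source route-map IspADSL interface Dialer1 overload' with a
    route-map carrying 'match ip address <acl>' AND 'match interface Dialer1':
    both clauses must hold, so only permitted flows leaving via Dialer1 are NATed."""
    return egress_interface(routes, dst) == nat_outside and acl_action(rules, src, dst) == "permit"


# Constructed from the thread's config (connected subnets assumed from the interface IPs)
CONNECTED = {"Tunnel0": ipaddress.ip_network("192.168.50.0/24"),
             "FastEthernet0/0": ipaddress.ip_network("192.168.10.0/24")}
ROUTES = parse_routes(["ip route 0.0.0.0 0.0.0.0 Dialer1",
                       "ip route 192.168.11.0 255.255.255.0 192.168.50.2"], CONNECTED)
ACL_10 = parse_acl(["access-list 10 permit 192.168.10.0 0.0.0.255",
                    "access-list 10 deny any"])
ACL_110 = parse_acl([
    "access-list 110 deny ip 192.168.60.0 0.0.0.255 192.168.11.0 0.0.0.255",
    "access-list 110 deny ip 192.168.11.0 0.0.0.255 192.168.60.0 0.0.0.255",
    "access-list 110 permit ip 192.168.10.0 0.0.0.255 any",
    "access-list 110 deny ip any any",
])
FLOWS = [  # constructed sample flows: (source, destination, description)
    ("192.168.60.5", "192.168.11.20", "AnyConnect client -> office 2 over the VTI"),
    ("192.168.10.20", "192.168.11.20", "office 1 LAN -> office 2 over the VTI"),
    ("192.168.10.20", "198.51.100.7", "office 1 LAN -> Internet"),
    ("192.168.60.5", "198.51.100.7", "AnyConnect client -> Internet (not split-included)"),
]


def report(rules: List[Rule]) -> Dict[str, Tuple[str, Optional[str], bool]]:
    """Per flow: (ACL verdict, egress interface, whether NAT translates it)."""
    return {desc: (acl_action(rules, s, d), egress_interface(ROUTES, d), translated(rules, ROUTES, s, d))
            for s, d, desc in FLOWS}


if __name__ == "__main__":
    for name, rules in (("ACL 10 (original)", ACL_10), ("ACL 110 (fixed)", ACL_110)):
        print(name)
        for desc, (verdict, egress, nat) in report(rules).items():
            print(f"  {'NAT   ' if nat else 'no NAT'}  acl={verdict:6} egress={egress:8}  {desc}")
```

Running it shows that with this config the AnyConnect-to-office-2 flow is left untranslated under both ACLs, because it leaves via Tunnel0 and the `match interface Dialer1` clause already fails; the explicit deny lines make the exemption independent of that routing detail, which matters if the VTI is ever replaced by a crypto map on Dialer1, where NAT runs before encryption and only the ACL can exempt the flow. What no on-router model can see is the return path: office 2 still needs its own route for 192.168.60.0/24 back into the tunnel, which is the `ip route 192.168.60.0 255.255.255.0 192.168.50.1` line added at the far end.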