cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1131
Views
0
Helpful
2
Replies

webvpn split and VTI

Olivier Joly
Level 1
Level 1

Dear all,

We have a 1841 router with webvpn enable and split tunneling. That router is also connected to a second office using a VTI. We would like the webvpn remote clients (using anyconnect) accessing the remote office network through the VTI.

Office 1 network: 192.168.10.0

Office 2 (remote) network: 192.168.11.0

I think the webvpn setup with split tunneling is properly setup, however I don't know how to route packet from 192.168.60.0 (dhcp pool for webvpn client) to 192.168.11.0 network.

Is somebody have an idea ?

Regards,

Olivier

Router config:

interface Tunnel0

description VTI To office 2

ip address 192.168.50.1 255.255.255.0

tunnel source Dialer1

tunnel mode ipsec ipv4

tunnel destination 217.x.x.133

tunnel path-mtu-discovery

tunnel protection ipsec profile vti

!

interface FastEthernet0/0

description LAN Interface

ip address 192.168.10.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface ATM0/0/0

no ip address

no atm ilmi-keepalive

!

interface ATM0/0/0.1 point-to-point

pvc 8/35

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface Dialer1

description To ADSL

ip address negotiated

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

ppp authentication chap callin

ppp chap hostname x

ppp chap password 7 x

!

ip local pool PoolVpnAdsl 192.168.60.1 192.168.60.10

ip forward-protocol nd

!

ip nat inside source route-map IspADSL interface Dialer1 overload

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 192.168.11.0 255.255.255.0 192.168.50.2

!

logging esm config

access-list 10 permit 192.168.10.0 0.0.0.255

access-list 10 deny   any

access-list 100 permit ip any any

dialer-list 1 protocol ip permit

!

route-map IspADSL permit 1

match ip address 10

match interface Dialer1

!

webvpn gateway GateSslAdsl

ip address 193.x.x.113 port 443 

http-redirect port 80

ssl trustpoint xxx

inservice

!

webvpn context VpnSslAdsl

ssl authenticate verify all

!

!

policy group policy_1

   functions svc-enabled

   svc address-pool "PoolVpnAdsl"

   svc keep-client-installed

   svc split dns "domain.dom"

   svc split include 192.168.10.0 255.255.255.0

   svc split include 192.168.11.0 255.255.255.0

   svc dns-server primary 192.168.10.X

default-group-policy policy_1

aaa authentication list XauthRadius

gateway GateSslAdsl

inservice

1 Accepted Solution

Accepted Solutions

rizwanr74
Level 7
Level 7

Hi Olivier,

You need to change your ACL "10" to an extended ACL

"access-list 10 permit 192.168.10.0 0.0.0.255"

Please create an ACL 101 as show below.

access-list 101 deny ip 192.168.60.0 0.0.0.255  192.168.11.0 0.0.0.255

access-list 101 deny ip 192.168.11.0 0.0.0.255  192.168.60.0 0.0.0.255

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

Remove this line:  route-map IspADSL permit 1

Remove this line:  match ip address 10

route-map IspADSL permit 1

match ip address 101

Also, please make sure, you have a static route in place other end of VTI to push "192.168.60.0 0.0.0.255"

Please let me know, if this helps.

thanks

Message was edited by: Rizwan Mohamed

View solution in original post

2 Replies 2

rizwanr74
Level 7
Level 7

Hi Olivier,

You need to change your ACL "10" to an extended ACL

"access-list 10 permit 192.168.10.0 0.0.0.255"

Please create an ACL 101 as show below.

access-list 101 deny ip 192.168.60.0 0.0.0.255  192.168.11.0 0.0.0.255

access-list 101 deny ip 192.168.11.0 0.0.0.255  192.168.60.0 0.0.0.255

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

Remove this line:  route-map IspADSL permit 1

Remove this line:  match ip address 10

route-map IspADSL permit 1

match ip address 101

Also, please make sure, you have a static route in place other end of VTI to push "192.168.60.0 0.0.0.255"

Please let me know, if this helps.

thanks

Message was edited by: Rizwan Mohamed

Hi Mohamed,

It works perfectly Thanks.

A added the lines as you suggested :

access-list 110 deny   ip 192.168.60.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 110 deny   ip 192.168.11.0 0.0.0.255 192.168.60.0 0.0.0.255

access-list 110 permit ip 192.168.10.0 0.0.0.255 any

access-list 110 deny   ip any any

and replace the "match ip address 10" by "match ip address 110" in route-map IspADSL permit 1

I also add the line "ip route 192.168.60.0 255.255.255.0 192.168.50.1"

Thanks again,

Kind regards,

Olivier

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: