webvpn split and VTI

Answered Question
May 18th, 2012

Dear all,

We have a 1841 router with webvpn enabled and split tunneling. That router is also connected to a second office using a VTI. We would like the webvpn remote clients (using AnyConnect) to access the remote office network through the VTI.

Office 1 network: 192.168.10.0

Office 2 (remote) network: 192.168.11.0

I think the webvpn setup with split tunneling is properly set up; however, I don't know how to route packets from 192.168.60.0 (the DHCP pool for webvpn clients) to the 192.168.11.0 network.

Does somebody have an idea?

Regards,

Olivier

Router config:

interface Tunnel0
 description VTI To office 2
 ip address 192.168.50.1 255.255.255.0
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel destination 217.x.x.133
 tunnel path-mtu-discovery
 tunnel protection ipsec profile vti
!
interface FastEthernet0/0
 description LAN Interface
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Dialer1
 description To ADSL
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname x
 ppp chap password 7 x
!
ip local pool PoolVpnAdsl 192.168.60.1 192.168.60.10
ip forward-protocol nd
!
ip nat inside source route-map IspADSL interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.11.0 255.255.255.0 192.168.50.2
!
logging esm config
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny   any
access-list 100 permit ip any any
dialer-list 1 protocol ip permit
!
route-map IspADSL permit 1
 match ip address 10
 match interface Dialer1
!
webvpn gateway GateSslAdsl
 ip address 193.x.x.113 port 443
 http-redirect port 80
 ssl trustpoint xxx
 inservice
!
webvpn context VpnSslAdsl
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "PoolVpnAdsl"
   svc keep-client-installed
   svc split dns "domain.dom"
   svc split include 192.168.10.0 255.255.255.0
   svc split include 192.168.11.0 255.255.255.0
   svc dns-server primary 192.168.10.X
 default-group-policy policy_1
 aaa authentication list XauthRadius
 gateway GateSslAdsl
 inservice

Correct Answer
rizwanr74 Fri, 05/18/2012 - 08:41

Hi Olivier,

You need to change your ACL "10" to an extended ACL

"access-list 10 permit 192.168.10.0 0.0.0.255"

Please create an ACL 101 as shown below.

access-list 101 deny ip 192.168.60.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any

Remove this line: route-map IspADSL permit 1
Remove this line: match ip address 10

route-map IspADSL permit 1
match ip address 101

Also, please make sure you have a static route in place at the other end of the VTI to push "192.168.60.0 0.0.0.255".

Please let me know if this helps.

Thanks

Message was edited by: Rizwan Mohamed

poleyr Sat, 05/19/2012 - 01:58

Hi Mohamed,

It works perfectly, thanks.

I added the lines as you suggested:

access-list 110 deny   ip 192.168.60.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 110 deny   ip 192.168.11.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 deny   ip any any

and replaced "match ip address 10" with "match ip address 110" in route-map IspADSL permit 1.

I also added the line "ip route 192.168.60.0 255.255.255.0 192.168.50.1".

Thanks again,

Kind regards,

Olivier
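The NAT-exemption logic from rizwanr74's answer and the ACL 110 that Olivier finally applied, as an added Python model that is not part of the thread: it evaluates the ACL with IOS first-match and wildcard-mask semantics and models the route-map's two ANDed match clauses (`match ip address 110` and `match interface Dialer1`), so a flow is translated only if the ACL permits it and its egress interface is Dialer1. The routing table is constructed from the posted config; the 192.168.60.0/24 entry standing in for the per-client AnyConnect host routes is an assumption.

```python
import ipaddress
# Routing table constructed from the posted config (longest-prefix match picks the egress
# interface); the 192.168.60.0/24 entry stands in for IOS's per-client AnyConnect host routes (assumption).
ROUTES = [("0.0.0.0/0", "Dialer1"),          # ip route 0.0.0.0 0.0.0.0 Dialer1
          ("192.168.11.0/24", "Tunnel0"),    # ip route 192.168.11.0 ... 192.168.50.2 -> Tunnel0
          ("192.168.60.0/24", "SSLVPN")]     # AnyConnect pool PoolVpnAdsl (assumption)

# ACL 110 exactly as Olivier applied it, in IOS extended-ACL syntax (wildcard masks).
ACL_110 = """deny   ip 192.168.60.0 0.0.0.255 192.168.11.0 0.0.0.255
deny   ip 192.168.11.0 0.0.0.255 192.168.60.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
deny   ip any any"""

def _parse_addr(tok):
    """Consume 'any' or 'addr wildcard' from tok; return (addr, wildcard) as ints."""
    if tok[0] == "any":
        del tok[0]
        return 0, 0xFFFFFFFF
    addr, wild = (int(ipaddress.IPv4Address(t)) for t in tok[:2])
    del tok[:2]
    return addr, wild

def parse_acl(text):
    entries = []
    for line in text.splitlines():
        tok = line.split()
        permit, tok = tok[0] == "permit", tok[2:]        # tok[1] is the protocol ("ip")
        entries.append((permit, _parse_addr(tok), _parse_addr(tok)))  # src, then dst
    return entries

def _wild_match(ip, addr, wild):
    # IOS wildcard semantics: a 1 bit in the mask means "don't care".
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)

def acl_permits(acl, src, dst):
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for permit, (sa, sw), (da, dw) in acl:
        if _wild_match(src, sa, sw) and _wild_match(dst, da, dw):
            return permit
    return False

def egress(dst):
    ip = ipaddress.ip_address(dst)
    best = max((ipaddress.ip_network(n) for n, _ in ROUTES if ip in ipaddress.ip_network(n)),
               key=lambda n: n.prefixlen)
    return dict(ROUTES)[str(best)]

def nat_applies(acl, src, dst):
    """route-map IspADSL: 'match ip address 110' AND 'match interface Dialer1' must both hold."""
    return acl_permits(acl, src, dst) and egress(dst) == "Dialer1"

ACL = parse_acl(ACL_110)
```

Flows between 192.168.10.0 and 192.168.11.0 pass the ACL but still escape translation because they leave via Tunnel0, which is why the `match interface Dialer1` clause in the route-map matters alongside the ACL.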

Posted May 18, 2012 at 5:46 AM