05-18-2012 05:46 AM
Dear all,
We have a 1841 router with webvpn enable and split tunneling. That router is also connected to a second office using a VTI. We would like the webvpn remote clients (using anyconnect) accessing the remote office network through the VTI.
Office 1 network: 192.168.10.0
Office 2 (remote) network: 192.168.11.0
I think the webvpn setup with split tunneling is properly setup, however I don't know how to route packet from 192.168.60.0 (dhcp pool for webvpn client) to 192.168.11.0 network.
Does somebody have an idea?
Regards,
Olivier
Router config:
interface Tunnel0
 description VTI To office 2
 ip address 192.168.50.1 255.255.255.0
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel destination 217.x.x.133
 tunnel path-mtu-discovery
 tunnel protection ipsec profile vti
!
interface FastEthernet0/0
 description LAN Interface
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Dialer1
 description To ADSL
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname x
 ppp chap password 7 x
!
ip local pool PoolVpnAdsl 192.168.60.1 192.168.60.10
ip forward-protocol nd
!
ip nat inside source route-map IspADSL interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.11.0 255.255.255.0 192.168.50.2
!
logging esm config
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny any
access-list 100 permit ip any any
dialer-list 1 protocol ip permit
!
route-map IspADSL permit 1
 match ip address 10
 match interface Dialer1
!
webvpn gateway GateSslAdsl
 ip address 193.x.x.113 port 443
 http-redirect port 80
 ssl trustpoint xxx
 inservice
!
webvpn context VpnSslAdsl
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "PoolVpnAdsl"
   svc keep-client-installed
   svc split dns "domain.dom"
   svc split include 192.168.10.0 255.255.255.0
   svc split include 192.168.11.0 255.255.255.0
   svc dns-server primary 192.168.10.X
 default-group-policy policy_1
 aaa authentication list XauthRadius
 gateway GateSslAdsl
 inservice
05-18-2012 08:41 AM
Hi Olivier,
You need to change your ACL "10" to an extended ACL
"access-list 10 permit 192.168.10.0 0.0.0.255"
Please create an ACL 101 as shown below.
access-list 101 deny ip 192.168.60.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
Remove this line: route-map IspADSL permit 1
Remove this line: match ip address 10
route-map IspADSL permit 1
match ip address 101
Also, please make sure you have a static route in place at the other end of the VTI for "192.168.60.0 0.0.0.255".
Please let me know, if this helps.
thanks
Message was edited by: Rizwan Mohamed
05-19-2012 01:58 AM
Hi Mohamed,
It works perfectly Thanks.
I added the lines as you suggested:
access-list 110 deny ip 192.168.60.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 110 deny ip 192.168.11.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 deny ip any any
and replaced the "match ip address 10" by "match ip address 110" in route-map IspADSL permit 1.
I also added the line "ip route 192.168.60.0 255.255.255.0 192.168.50.1".
Thanks again,
Kind regards,
Olivier
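The accepted answer and Olivier's final reply both hinge on the same mechanism: the NAT route-map only translates flows that its extended ACL permits, so the explicit "deny" lines exempt the AnyConnect pool (192.168.60.0/24) from NAT when it talks to the remote office over the VTI. The Python below is an added example written for this thread, not code from the posters or from Cisco IOS. It models first-match extended-ACL evaluation with the implicit deny at the end (wildcard masks compared bit-wise, so non-contiguous wildcards also work), a longest-prefix lookup over the routes taken from the posted config, and the route-map clause "match ip address 110" plus "match interface Dialer1", which the model assumes applies only when both the ACL permits the flow and the egress interface is Dialer1. ACL 110 is quoted from Olivier's reply; the sample flows and the Internet address 198.51.100.7 are constructed.

```python
import ipaddress
from dataclasses import dataclass


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Match:
    """One IOS address/wildcard pair; set wildcard bits are 'don't care'."""
    addr: int
    wildcard: int

    def covers(self, ip: int) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (ip & care) == (self.addr & care)


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: Match
    dst: Match


def _parse_match(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return Match(0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return Match(_ip(tokens[i + 1]), 0), i + 2
    return Match(_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_acls(config: str) -> dict:
    """Group 'access-list N permit|deny ip SRC DST' lines by ACL number."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue  # standard ACLs and non-ACL lines are not modelled here
        src, i = _parse_match(t, 4)
        dst, _ = _parse_match(t, i)
        acls.setdefault(t[1], []).append(AclEntry(t[2], src, dst))
    return acls


def acl_result(entries, src: str, dst: str) -> str:
    """First matching entry wins; falling off the end is the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e.src.covers(s) and e.dst.covers(d):
            return e.action
    return "deny"


# Routes from the posted config: the default route, the two connected networks,
# and the static route via 192.168.50.2 resolved by hand to Tunnel0.
ROUTES = [
    (ipaddress.IPv4Network("0.0.0.0/0"), "Dialer1"),
    (ipaddress.IPv4Network("192.168.10.0/24"), "FastEthernet0/0"),
    (ipaddress.IPv4Network("192.168.11.0/24"), "Tunnel0"),
    (ipaddress.IPv4Network("192.168.50.0/24"), "Tunnel0"),
]


def egress_interface(dst: str) -> str:
    """Longest-prefix match over ROUTES (the default route always matches)."""
    d = ipaddress.IPv4Address(dst)
    best = max((r for r in ROUTES if d in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def is_translated(acls: dict, acl_number: str, src: str, dst: str) -> bool:
    """Model of 'route-map IspADSL permit 1' with 'match ip address N' and
    'match interface Dialer1'. Assumption of this model: the clause (and so the
    overload NAT on Dialer1) applies only when the ACL permits the flow AND the
    route lookup sends it out Dialer1."""
    return (egress_interface(dst) == "Dialer1"
            and acl_result(acls[acl_number], src, dst) == "permit")


# ACL 110 as Olivier posted it in his final reply.
ACL_110 = """
access-list 110 deny ip 192.168.60.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 110 deny ip 192.168.11.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 deny ip any any
"""

# Constructed sample flows: (description, source, destination).
FLOWS = [
    ("AnyConnect client to remote office", "192.168.60.5", "192.168.11.20"),
    ("Office 1 LAN to the Internet", "192.168.10.50", "198.51.100.7"),
    ("Office 1 LAN to remote office", "192.168.10.50", "192.168.11.20"),
    ("AnyConnect client to the Internet", "192.168.60.5", "198.51.100.7"),
]


def nat_decisions(config: str = ACL_110, acl_number: str = "110") -> dict:
    """Return {description: (egress interface, ACL verdict, translated?)}."""
    acls = parse_acls(config)
    return {
        name: (egress_interface(dst), acl_result(acls[acl_number], src, dst),
               is_translated(acls, acl_number, src, dst))
        for name, src, dst in FLOWS
    }


if __name__ == "__main__":
    for name, (iface, verdict, nat) in nat_decisions().items():
        print(f"{name:36} egress={iface:16} acl={verdict:7} nat={'yes' if nat else 'no'}")
```

Two things the table makes visible that the thread only implies: office-1 LAN traffic to the remote office is permitted by ACL 110 but is still not translated, because the route lookup sends it out Tunnel0 rather than Dialer1; and ACL 110 never permits a 192.168.60.0 source, so an AnyConnect client could not reach the Internet through this router. With the posted split-include list that traffic never transits the router, so it only matters if split tunneling were removed.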