Cisco Support Community
New Member

Getting vpn clients access to windows shares and internet VIA cisco 871?

I'm trying to set up a home VPN using an 871. I can get clients to connect to the 871 and they can ssh, ftp, and ping to hosts that are on the inside of the 871, and vice versa. However, I can't get the VPN client to access a Windows share that a machine on the inside of the 871 has set up. I also can't get the VPN client to have internet access THROUGH the 871; I want the traffic to go through the VPN tunnel, then out the 871's WAN port and back through the tunnel to the client, i.e. I don't want to enable split tunneling.

I've mostly configured the router with SDM. Is there something I'm missing that needs to be configured to allow these two things? Thanks in advance.

-Jason

17 REPLIES
Cisco Employee

Re: Getting vpn clients access to windows shares and internet VI

Windows networking over a VPN is always a bit of an issue, usually because it was designed to run on a local network and uses multicast/broadcast-type packets, which won't go over a VPN. There's nothing specific you can do as far as the config on the 871 is concerned to make this work (other than make sure you're sending down the internal WINS server addresses). Make sure on each VPN client you set "Use NetBIOS over TCP/IP" under the TCP/IP properties of the LAN card (or modem); that should get you going.

Now, the problem with going to the Internet is a bit more difficult. Presumably your pool of VPN addresses is a private subnet. The reason VPN users can't browse to the Internet is that their VPN packets come in with a source address of one of those private IP addresses, but they then don't get NAT'd to a routable address because they come in and go out on the same interface. This interface (your outside interface) presumably has "ip nat outside" configured on it, but for a packet to be NAT'd it needs to come in on an "ip nat inside" interface and go out an "ip nat outside" interface. For your VPN packets to be NAT'd they need to be policy routed through another interface with "ip nat inside" configured on it.

I haven't tested this (I've done it before for customers so it does work, just don't have a copy of it handy) but let's say you have the following:

ip local pool vpnpool 10.2.2.1 10.2.2.254
!
int ethernet 0
   ip address 10.1.1.1
   ip nat inside
!
int Serial0
   ip address 200.1.1.1
   ip nat outside
!
ip nat inside source list 100 interface Serial0 overload
!
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any

This says don't NAT the outbound traffic if it's going back to a VPN client. Traffic from your VPN client, though, will come in on Serial0, and if it's destined for the Internet it'll go straight back out the Serial0 interface, so it won't be NAT'd and its source address will still be 10.2.2.x. When this gets to, say, www.google.com and the reply is sent, it'll get dropped at the first router on the way back. You need to route traffic from a VPN client going to anything other than 10.1.1.0 through another interface with "ip nat inside" configured on it.

The following should work for you:

ip local pool vpnpool 10.2.2.1 10.2.2.254
!
int Loopback0
   description Dummy interface
   ip address 1.1.1.1 255.255.255.0
   ip nat inside
!
int ethernet 0
   ip address 10.1.1.1
   ip nat inside
!
int Serial0
   ip address 200.1.1.1
   ip nat outside
   ip policy route-map ToInternet
!
ip nat inside source list 100 interface Serial0 overload
!
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
!
access-list 150 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 150 permit ip 10.2.2.0 0.0.0.255 any
!
route-map ToInternet permit 10
   match ip address 150
   set ip next-hop 1.1.1.2

I *think* that'll work, although I can't be sure without verifying it. This will certainly be closer to working than just the standard VPN config, and hopefully you can see the point I'm trying to get across.
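The loopback-and-PBR method described in the reply above, pulled together into one configuration with the addressing used elsewhere in this thread (LAN 192.168.1.0/24 on Vlan1, WAN on FastEthernet4, VPN pool 192.168.3.0/24). This is an added example, not gfullage's config and not a Cisco document; the dummy loopback subnet 192.168.255.0/30, the pool range and the ACL and route-map names are assumptions. It uses "set interface Loopback0" in the route-map rather than the reply's "set ip next-hop" to an address inside the loopback subnet; either form pushes the packet out the loopback so that it re-enters on an "ip nat inside" interface. It deliberately leaves out the SDM firewall (inbound ACL and CBAC inspection on the outside interface), which later replies in this thread report dropping the hairpinned TCP return traffic.

```cisco
! Added example: gfullage's loopback-and-PBR method as one configuration.
! Not the reply's own text and not a Cisco document. Assumed addressing:
!   LAN      192.168.1.0/24 on Vlan1
!   WAN      FastEthernet4, address from the ISP by DHCP
!   VPN pool 192.168.3.0/24 (pool, ACL and route-map names are made up)
!   Loopback 192.168.255.0/30, a dummy subnet nothing is ever addressed to
!
ip local pool VPN-POOL 192.168.3.2 192.168.3.254
!
! The loopback exists only so that hairpinned VPN-client packets re-enter the
! router on an "ip nat inside" interface. Without it they arrive and leave on
! the same "ip nat outside" interface and the inside-source rule never fires.
interface Loopback0
 description dummy nat-inside hop for VPN clients going to the Internet
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ! PBR is evaluated on packets arriving on this interface. For VPN clients
 ! that is the decrypted packet, which also has to pass any inbound ACL here.
 ip policy route-map VPN-TO-INTERNET
 crypto map SDM_CMAP_1
!
! Hairpin only pool-sourced packets that are NOT going to the LAN; LAN-bound
! packets must be routed normally or they never reach Vlan1.
ip access-list extended VPN-INTERNET-BOUND
 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
!
route-map VPN-TO-INTERNET permit 10
 match ip address VPN-INTERNET-BOUND
 set interface Loopback0
!
! What to translate: LAN and pool to the Internet, never LAN<->pool. If the
! first deny is missing, LAN replies to a client are rewritten to the WAN
! address and the client's sessions to the LAN break.
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
!
ip nat inside source list NAT-TRAFFIC interface FastEthernet4 overload
!
! Checks once a client is connected and browsing:
!   show route-map VPN-TO-INTERNET   "Policy routing matches" climbs per client packet
!   show ip nat translations         entries with inside local 192.168.3.x appear
!   show access-lists                permit lines of NAT-TRAFFIC accumulate hits
```

If "show route-map" shows matches but "show ip nat translations" stays empty for 192.168.3.x, the packet is being hairpinned but not translated, which points at the NAT ACL; if neither counter moves, the decrypted packet is being dropped before PBR, usually by the inbound ACL on the outside interface.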

New Member

Re: Getting vpn clients access to windows shares and internet VI

gfullage,

Thanks for the tips. I'll try them tonight when I get home. One question about the WINS server though: I'm not sure I have an 'internal' WINS server. This is just a little home network with basically one PC and one or two laptops behind the 871. What WINS server IP should I be sending to the VPN clients? I'm pretty sure I tried sending the 871's internal IP (192.168.1.1) and that didn't seem to help.

Also, about NetBIOS over TCP/IP: I'm running XP on both Windows machines (the VPN client and the one that has the share), and I just looked on the VPN client machine and it has the 'default' setting chosen (under the advanced TCP/IP settings, WINS tab): use NetBIOS over TCP/IP if there is a static IP or the DHCP server doesn't provide a NetBIOS setting. I can't imagine that the 871 (the DHCP server) is providing a NetBIOS setting, so it should be trying to use NetBIOS over TCP/IP.

I'll let you know how the internet use part works out when I get home tonight and try it.

Thanks again!

New Member

Re: Getting vpn clients access to windows shares and internet VI

aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring last Sun Apr 2:00 last Sun Oct 2:00
ip subnet-zero
no ip source-route
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.247
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
!
ip dhcp pool server_static_dhcp
   host 192.168.1.105 255.255.255.0
   client-identifier 0100.e04c.b9ad.66
   client-name server
!
ip tcp synwait-time 10
ip vrf test-vrf
!
no ip bootp server
ip domain name domain.name
ip host server 192.168.1.105
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip ips sdf location flash:my-signatures.sdf
ip ips notify SDEE
!
crypto pki trustpoint TP-self-signed-4009856397
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4009856397
 revocation-check none
 rsakeypair TP-self-signed-4009856397
!
crypto pki certificate chain TP-self-signed-4009856397
 certificate self-signed 01
  quit
username cisco privilege 15 secret 5
username vpn_client privilege 0 password 7
!
crypto isakmp policy 1
 encr aes 256
 group 5
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp client configuration group fruitpie_subnet_3
 key
 dns 24.25.5.150
 wins 192.168.1.1
 pool SDM_POOL_2
 include-local-lan
!
crypto ipsec transform-set AES_256_ESP_SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set AES_192_ESP_SHA esp-aes 192 esp-sha-hmac
crypto ipsec transform-set AES_128_ESP_SHA esp-aes esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set AES_256_ESP_SHA
 reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface Loopback0
 description dummy interface for vpn clients to access internet
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description WAN$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map vpn_to_internet
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_2 192.168.3.2 192.168.3.7
ip classless
!
ip dns server
ip dns spoofing
!

New Member

Re: Getting vpn clients access to windows shares and internet VI

ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list extended permit_lan_addresses
 remark permit local lan and vpn addresses
 remark SDM_ACL Category=1
 remark permit local LAN IPs
 permit ip 192.168.0.0 0.0.255.255 any
 remark Default Deny
 deny   ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 192.168.3.2 any
access-list 101 permit ip host 192.168.3.3 any
access-list 101 permit ip host 192.168.3.4 any
access-list 101 permit ip host 192.168.3.5 any
access-list 101 permit ip host 192.168.3.6 any
access-list 101 permit ip host 192.168.3.7 any
access-list 101 permit ip 192.168.3.0 0.0.0.7 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp host 24.25.4.108 eq domain any
access-list 101 permit udp host 24.25.4.107 eq domain any
access-list 101 remark Auto generated by SDM for NTP (123) 129.6.15.28
access-list 101 permit udp host 129.6.15.28 eq ntp any eq ntp
access-list 101 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 101 permit udp host 129.6.15.29 eq ntp any eq ntp
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark NAT acl map - defines what traffic gets NAT'd
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip any host 192.168.3.2
access-list 103 deny   ip any host 192.168.3.3
access-list 103 deny   ip any host 192.168.3.4
access-list 103 deny   ip any host 192.168.3.5
access-list 103 deny   ip any host 192.168.3.6
access-list 103 deny   ip any host 192.168.3.7
access-list 103 deny   ip any 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark nat from vpn clients to internet
access-list 103 permit ip 192.168.3.0 0.0.0.255 any
access-list 150 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny   ip 192.168.1.0 0.0.0.7 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.0.0 0.0.255.255 any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
route-map vpn_to_internet permit 10
 match ip address 150
 set interface Loopback0
!

New Member

Re: Getting vpn clients access to windows shares and internet VI

No go. Rats... here's the config I tried...

Any more ideas? Did I not configure something right according to the suggestion?

-Jason

C871#sh run
Building configuration...

Current configuration : 11725 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname c871
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
enable secret 5
!

New Member

Re: Getting vpn clients access to windows shares and internet VI

gfullage,

This is really well explained and I got it working with one catch - I'm not getting any DNS responses to browse by domain name, but I can browse through the tunnel by IP and also access the private lan with no problems so I know I'm close! Can you look at my latest post with my config and suggest why DNS isn't working through the tunnel?

Read here: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddec444

Thanks in advance,

Jay.

Bronze

Re: Getting vpn clients access to windows shares and internet VI

Hi Jason,

I would like to add a minor point to what gfullage said: instead of using "set ip next-hop" in the route-map, I would suggest using:

set interface lo0

Thanks

aashish C

New Member

Re: Getting vpn clients access to windows shares and internet VI

gfullage,

I did some more poking around with the loopback and route-map suggestion you made, and it appears now that I can ping internet hosts from my VPN client! Thanks! However, I still can't seem to really do anything productive with an internet host, as it appears that though the NAT mappings are being set up properly (from a show ip nat translations) the return packets are being dropped by my default 'deny ip any any' firewall statement. Clients that are on VLAN 1 are able to connect to internet hosts fine, so it's weird that the NAT entries for the VPN clients aren't behaving the same way. Any ideas? Thanks again for the insight about the loopback and route-map!

-Jason

New Member

Re: Getting vpn clients access to windows shares and internet VI

I'm working on the same issue. I tried the route-map and loopback suggestion listed previously and got the same results . The client can ping external hosts but cannot do anything else. The deny rule on the outside interface is blocking the response from the external web server, but why isn't the inspection rule on the outside interface allowing the response to go through?

New Member

Re: Getting vpn clients access to windows shares and internet VI

I am experiencing a *very* similar issue. Cisco VPN client connecting to EZVPN server on a 2821.

With the configuration detailed earlier in this thread (PBR), NAT works & I can get out to Internet hosts & back from VPN clients with ICMP & UDP, but TCP gets lost somewhere.

I don't see hits on the outside interface deny rule like the previous poster. I suspect the inspection engine is the issue, but debug ip inspect doesn't show anything of great interest.

Did anyone find a solid solution to the issue identified by the author of this thread?

New Member

Re: Getting vpn clients access to windows shares and internet VI

No, I still haven't found a solution. I haven't been giving much time to it since; well, I guess it's been over a year now. Wow. I sure wish I could get this to work.

New Member

Re: Getting vpn clients access to windows shares and internet VI

So I've actually gotten most things to work now. Since the last time I tried looking at this they've added the 'virtual tunnel interface' and 'templates' which, after starting from scratch, have seemed to work for everything except the Windows shares.

I can have my mother-in-law VPN in and she can get internet access out through my 871 and see machines on my local LAN (we do Windows Remote Assistance this way; it still doesn't seem to want to work when both people are behind NATs).

So I've gotten everything working except the Windows shares, and that arguably will be the most beneficial if I can get it working... secure Windows share access over the VPN. When I get home and can copy my config I'll post it to see if anyone can find something that might help with the Windows shares...

New Member

Re: Getting vpn clients access to windows shares and internet VI

jamarkle,

This is a really great thread, that loopback method is really easy to understand and it nearly works for me except I'm not getting dns resolution through the tunnel... Can you make a recommendation as to why mine's not resolving but I can surf by IP? At least I know my access lists are functioning and allowing/disallowing nat where needed - at least I think? My post is here: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddec444

Can I see your latest config? Maybe it will help me through this issue...

Thanks,

Jay.

New Member

Re: Getting vpn clients access to windows shares and internet VI

Jay,

When I get home tonight I'll try and remember to post my config. The thing I remember changing to get DNS resolution to work was to have the 871 be a DNS server and a 'spoofer', i.e.

ip dns server
ip dns spoofing

(I think these are the two CLI commands that turn them on.)

I had remembered having these turned on before and it not working, but like I said, this is what I remember turning on after I started from scratch that got the DNS resolution working for the remotely connected clients.
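The router acting as the DNS server for VPN clients that have no split tunnel, as an added example built around the two commands in the post above and the "ip host" entry that appears in the posted config; it is not the poster's own configuration. The ISP resolver addresses are the two that the posted ACL 101 already accepts replies from and stand in for whatever the ISP provides; the group name, host name and LAN addressing are the ones in the posted config, and everything else is illustrative.

```cisco
! Added example: the 871 as DNS server for VPN clients. Not the poster's
! configuration. Assumed: ISP resolvers 24.25.4.107 and 24.25.4.108 (the two
! the posted ACL 101 already permits answers from), LAN host "server" at
! 192.168.1.105 and client group fruitpie_subnet_3, all as in the posted config.
!
ip domain lookup
ip domain name domain.name
ip name-server 24.25.4.107
ip name-server 24.25.4.108
!
! Names the router answers from its own host table before forwarding. This is
! what lets a client open \\server\share by name once the tunnel is up.
ip host server 192.168.1.105
!
! Answer queries from clients; anything not in the host table is forwarded to
! the name-servers above and the reply relayed back.
ip dns server
!
! Optional: if the name-servers are unreachable, reply with the router's own
! address instead of timing out. Not required for plain forwarding.
ip dns spoofing
!
! Push the router's LAN address, not the ISP resolver, as the clients' DNS.
! The query then terminates on the router, which is reachable through the
! tunnel regardless of how a packet to the ISP resolver would be routed.
! (key, wins, include-local-lan and the other existing group lines stay as is.)
crypto isakmp client configuration group fruitpie_subnet_3
 dns 192.168.1.1
 domain domain.name
 pool SDM_POOL_2
!
! The inbound ACL on the outside interface still sees the decrypted client
! packets, so UDP/53 to the router and TCP 445/139 to the share host must be
! permitted there from the pool. The posted config's
!   access-list 101 permit ip 192.168.3.0 0.0.0.7 any
! already covers the whole pool.
```

With this in place a client's "nslookup server 192.168.1.1" should return 192.168.1.105 through the tunnel, and "nslookup www.cisco.com 192.168.1.1" should return an answer relayed from the ISP resolver. Windows falls back to DNS for a UNC name after its NetBIOS lookups fail, so resolving "server" this way sidesteps the broadcast problem described at the top of the thread; it does not replace the WINS/NetBIOS settings needed for browsing the network neighbourhood.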

New Member

Re: Getting vpn clients access to windows shares and internet VI

Thanks, I'd really like to see your example... I read about, and messed with the dns spoofing but haven't had any luck yet. I was wondering if the only DNS server you had access to was at your ISP like my situation. It really just seems like maybe the dns responses coming from the outside interface are not being encrypted to the tunnel or something like that... Waiting for your reply, and thanks again... Jay.

New Member

Re: Getting vpn clients access to windows shares and internet VI

Here's a scrubbed version of my currently working config. Hopefully I didn't miss any personal info. :)

Like I said, clients can VPN in and get out to the internet through my 871 while also accessing the local LAN, save for Windows shared drives.

New Member

Re: Getting vpn clients access to windows shares and internet VI

Hi,

Thank you for your config! I would love to tell you that it helped solve the problem, but my configuration was already virtually identical to yours...

What ended up magically fixing it and allowing everything to work was finally figuring out what else is needed when you have cef running... Turns out that I didn't have the route-cache and mroute-cache disabled on the outside interface, and as soon as I put in the commands everything started flowing... In fact, either cef or the dns service added these empty access lists right after I changed the route-cache so I know the router is nice and happy now:

ip access-list extended UNKNOWN

ip access-list extended addr-pool

ip access-list extended idletime

ip access-list extended inacl

ip access-list extended timeout

ip access-list extended tunnel-password

ip access-list extended wins-servers

It was pretty weird to see them show up in the config by themselves, I don't think my SOHO 91 has ever acted so normally all by itself! I checked cpu usage while I was connected and surfing and it was less than 20%, and that's with my son doing online gaming at the same time, so I'm pretty happy with the performance from my old SOHO91...

So anyway, I wanted to thank you for your help, and I also attached my working config in case you or anyone else with these problems wants to see it.

By the way, in regards to using windows shares, I haven't tried too much yet, but I believe that a WINS server is needed inside the lan and you might also have to set your network connection to use netbios over tcp. At least that's what I've read here and there. I have a testbed Server 2003 box, so I plan on turning on WINS and seeing what happens - hopefully it functions for machines that aren't logged in to the domain within the lan, we'll see... Oh, and don't forget udp and tcp ports 138 and 139, and tcp 445, those are also required from what I understand....

Oh, and lastly, there is a "Public Internet On A Stick" guide that depicts what we're doing, but I didn't find it until just the other day - probably might have helped!

Here: http://cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

Take care, and thanks again!

Jay.
