
New Member

IOS Tunnel ALL VPN Traffic to Host (is it possible?)

Hello,

Has anyone actually gotten an IOS VPN remote to terminate into a host router but allow internet traffic to go through this host router as well? Looking NOT to do split tunneling.

There is NAT on both routers. I can see the traffic being encrypted on the remote and decrypted on the host but then goes nowhere.

Seems like this should not be much of a problem but .......

Cisco TAC has not been very helpful and there seems to be nothing on CCO.

Any sample configs or advice would be greatly appreciated.

thanks

-pat

4 REPLIES
Cisco Employee

Re: IOS Tunnel ALL VPN Traffic to Host (is it possible?)

This would work in theory (in that the packets would be routed back out the same interface to the Internet), but is probably failing because you're using private IP addresses and the host router is not NAT'ing them properly. The decrypted packets are probably getting sent out to the Internet, but aren't getting back to you correctly.

Let's say you have 10.1.1.0/24 behind your remote VPN router, tunnelling everything to the host router. From there you're assuming that the packet will be decrypted, NAT'd to a valid global address and go back out the same interface to the Internet.

Packets are only NAT'd in a router if they come in on an interface with a "ip nat inside" statement on it, and go out an interface with a "ip nat outside" statement on it. If your encrypted packets come in on one interface, get decrypted and then go back out the same interface, they're not going to be NAT'd, regardless of what your NAT configuration says.

If the encrypted packet comes in on one interface in the host router, gets decrypted and then sent out a different interface to go to the Internet, then just put "ip nat inside" on the crypto interface, and "ip nat outside" on the Internet interface and you should be OK.

If the packet has to come in and go out on the same interface, then your best bet is probably to NAT the traffic before it leaves the remote site. Set up the remote router to NAT everything as it goes out to a global IP address that you own, then change your crypto ACL to encrypt this NAT'd traffic (remember, NAT happens BEFORE encryption in a router). Then when the packets get to the host router they'll already have a valid global address and should be sent out to the Internet OK, and more importantly, they'll get routed back to you.

New Member

Re: IOS Tunnel ALL VPN Traffic to Host (is it possible?)

Hi and thanks for the detailed reply.

I do not have 2 interfaces. However I do have NAT going on both routers.

Here is the config of both the Host and the remote. When I ping the Internet from the remote, the tunnel will come up and I see the packets getting decrypted on the host side. I agree it is probably a NAT thing, but cannot figure it out.

-pat

Host:

Affordable_Fram#wr term
Building configuration...

Current configuration : 2320 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Affordable_Fram
!
logging buffered 4096 debugging
enable password ZA19RX
!
username coghlin_cns password 0 tryit789
username coghlin password 0 coghlin
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip name-server 2.20.24.13
!
ip urlfilter alert
ip audit notify log
ip audit po max-events 100
!
!
!
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key test address 21.2.13.189 no-xauth
!
!
crypto ipsec transform-set remotesite esp-3des esp-md5-hmac
!
crypto map mymap 11 ipsec-isakmp
 set peer 21.2.13.189
 set transform-set remotesite
 set pfs group2
 match address 121
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet0
 ip address 21.2.13.188 255.255.255.192
 ip nat outside
 ip policy route-map nonat
 half-duplex
 crypto map mymap
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip route-cache policy
 no ip mroute-cache
 speed auto
!
router eigrp 100
 network 172.16.0.0
 network 192.168.1.0
 auto-summary
!
ip local pool ippool 172.16.30.1 172.16.30.254
ip nat inside source list 122 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 21.2.13.129
no ip http server
no ip http secure-server
ip pim bidir-enable
!
!
!
ip access-list extended console
ip access-list extended dns-servers
ip access-list extended idletime
ip access-list extended inacl
ip access-list extended service
ip access-list extended timeout
ip access-list extended wins-servers
!
access-list 121 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 121 permit ip any 192.168.2.0 0.0.0.255
access-list 122 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 122 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 permit ip 1.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 130
 set ip next-hop 1.1.1.2
!
radius-server authorization permit missing Service-Type
!
line con 0
line aux 0
line vty 0 4
 password 7 11283B26341B180F0B3E393D
!
end

Affordable_Fram#

=========================================

Remote:

Router_B#wr term
Building configuration...

Current configuration : 1296 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router_B
!
enable password 7 04612A57561374
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key test address 21.2.13.188 no-xauth
!
!
crypto ipsec transform-set remotesite esp-3des esp-md5-hmac
!
crypto map mymap 11 ipsec-isakmp
 set peer 21.2.13.188
 set transform-set remotesite
 set pfs group2
 match address 120
!
!
!
!
interface Ethernet0
 ip address 21.2.13.189 255.255.255.192
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map mymap
!
interface FastEthernet0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 speed auto
!
ip nat inside source list 130 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 21.2.13.129
no ip http server
ip pim bidir-enable
!
!
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 any
access-list 130 deny ip any any
!
!
line con 0
line aux 0
line vty 0 4
 password 7 11283B26341B180F0B3E393D
 login
!
end

Router_B#

Cisco Employee

Re: IOS Tunnel ALL VPN Traffic to Host (is it possible?)

Actually on the remote router you don't have any NAT turned on, cause you have:

ip nat inside source list 130 interface Ethernet0 overload
access-list 130 deny ip any any

so packets from the remote site are coming into the host router as 192.168.2.x. Then they're again not being NAT'd on the host router, cause they come in and go out the same interface, so they're ending up on the Internet with a source address of 192.168.2.x. This will never get back to you.

Try changing the remote router to this:

int ethernet0
 no crypto map
no access-list 120
access-list 120 permit ip host 21.2.13.189 any
no access-list 130
access-list 130 permit ip any any
int ethernet0
 crypto map mymap

Because NAT happens before encryption, the packets will all be NAT'd to the ethernet0 interface. Your crypto ACL then says to encrypt anything from the ethernet0 interface, so everything will be encrypted and sent to the host router. Assuming traffic with a source address of 21.2.13.189 will be routed back to you over the Internet, then this should work.
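As an added example (not code from the thread or from Cisco), a small Python model of the order of operations both Cisco replies rely on: inside-to-outside NAT is applied first, the crypto map ACL on the egress interface then sees the translated source, and a packet that enters and leaves through the same interface is never translated. It runs the ACLs and NAT statements from the two posted configs, before and after the suggested change; routing, the policy route-map on the host, and the IPsec decryption itself are simplified away, and the LAN host address is a constructed sample.

```python
import ipaddress

def acl_permits(acl, src, dst):
    """First-match evaluation of an IOS access list, with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False

def forward(router, ingress, egress, src, dst):
    """Return (source address on the wire, encrypted?) for one packet through one router."""
    roles = router["nat_roles"]
    # NAT only fires on an 'ip nat inside' -> 'ip nat outside' transition; a packet
    # that enters and leaves through the same interface is never translated.
    if (roles.get(ingress) == "inside" and roles.get(egress) == "outside"
            and acl_permits(router["nat_acl"], src, dst)):
        src = router["nat_ip"]  # overload to the outside interface address
    # The crypto map on the egress interface is evaluated after NAT, on the new source.
    encrypted = egress in router["crypto_ifaces"] and acl_permits(router["crypto_acl"], src, dst)
    return src, encrypted

ANY = "0.0.0.0/0"
HOST = {  # Affordable_Fram: Ethernet0 is both the crypto and the Internet interface
    "nat_roles": {"Fa0": "inside", "Lo0": "inside", "E0": "outside"},
    "nat_ip": "21.2.13.188",
    "nat_acl": [("deny", "192.168.1.0/24", "192.168.2.0/24"), ("permit", "192.168.1.0/24", ANY)],
    "crypto_ifaces": {"E0"},
    "crypto_acl": [("permit", "192.168.1.0/24", "192.168.2.0/24"), ("permit", ANY, "192.168.2.0/24")],
}
REMOTE_BEFORE = {  # Router_B as posted: access-list 130 deny ip any any
    "nat_roles": {"Fa0": "inside", "E0": "outside"}, "nat_ip": "21.2.13.189",
    "nat_acl": [("deny", ANY, ANY)], "crypto_ifaces": {"E0"},
    "crypto_acl": [("permit", "192.168.2.0/24", "192.168.1.0/24"), ("permit", "192.168.2.0/24", ANY)],
}
REMOTE_AFTER = dict(REMOTE_BEFORE,  # Router_B after the suggested ACL changes
                    nat_acl=[("permit", ANY, ANY)],
                    crypto_acl=[("permit", "21.2.13.189/32", ANY)])

def trace(remote, src="192.168.2.10", dst="12.127.16.67"):
    """Source address and encryption state after each router for a LAN host reaching the Internet.
    Constructed sample: 192.168.2.10 is a host behind Router_B; the destination is the
    address from the log line later in the thread."""
    wire_src, encrypted = forward(remote, "Fa0", "E0", src, dst)
    # Decrypted on the host router, then hairpinned back out the same Ethernet0.
    out_src, out_encrypted = forward(HOST, "E0", "E0", wire_src, dst)
    return {"remote": (wire_src, encrypted), "host": (out_src, out_encrypted)}
```

In the "after" case the packet reaches the Internet sourced from 21.2.13.189, Router_B's own public address, so in this model the return traffic is addressed directly to Router_B rather than to the host router, which is consistent with the %CRYPTO-4-RECVD_PKT_NOT_IPSEC message reported in the last reply.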

New Member

Re: IOS Tunnel ALL VPN Traffic to Host (is it possible?)

Thanks again for all your help.

This is interesting. I tried it and now I am getting:

00:04:11: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 21.2.13.189, src_addr= 12.127.16.67, prot= 1

Do you think I need to make changes to my host router?
