Mobile VPN / IOS / PBR issue

jonwoloshyn
Level 4

I am having an issue trying to get the mobile VPN to work on a 3825 ISR. The router itself has two connections to the Internet and is using PBR. I am trying to connect to the interface on the router that is not the default outbound interface; it is the interface where the PBR traffic goes for Internet connectivity.

My VPN connection comes up just fine, but in the statistics I don't see any traffic being received.

I'm guessing this is an issue with the PBR.

If anyone has any advice, that would be great. Below are the relevant portions of my config.

! Stateful inspection (CBAC) rule set, applied outbound on Vlan144 below
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW ntp
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW http
ip inspect name SDM_LOW gdoi
ip inspect name SDM_LOW isakmp
ip inspect name SDM_LOW ipsec-msft
ip inspect name SDM_LOW ssp
ip inspect name SDM_LOW pptp
ip inspect name SDM_LOW l2tp
ip inspect name SDM_LOW gtpv0
ip inspect name SDM_LOW gtpv1
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
!
! IKE phase 1 policy and the remote-access client group
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group VPN-Group
 key **
 dns 10.73.4.4
 pool SDM_POOL_2
 include-local-lan
 max-users 1
 netmask 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
! Dynamic crypto map; reverse-route injects a route for the client address
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA2
 reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_3
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_3
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
! LAN side; transit traffic from here is policy-routed by pbr-Internal
interface GigabitEthernet0/0
 description Internal
 ip address 10.160.0.3 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip policy route-map pbr-Internal
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
 no cdp enable
 service-policy input mark-inbound
 service-policy output shape-all
!
! Default outbound Internet path (default route points at 10.160.207.1)
interface GigabitEthernet0/1
 description Internet to Checkpoint FW
 ip address 10.160.207.2 255.255.255.248
 ip policy route-map Internal
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
 no cdp enable
!
interface FastEthernet0/3/0
 switchport access vlan 144
 no cdp enable
!
! Second Internet path; this is the interface the VPN clients connect to
interface Vlan144
 description Ext
 ip address ********** 255.255.255.240
 ip access-group 125 in
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ntp disable
 crypto map SDM_CMAP_1
!
! Local policy applies to traffic the router itself generates
ip local policy route-map internet-redirect-rmap
ip local pool SDM_POOL_2 192.168.5.3
ip classless
ip route 0.0.0.0 0.0.0.0 10.160.207.1
ip route 10.3.224.0 255.255.248.0 10.160.0.4
ip route 10.3.232.0 255.255.248.0 10.160.0.4
ip route 10.71.0.0 255.255.0.0 10.160.0.2
ip route 10.72.0.0 255.255.0.0 10.160.0.4
ip route 10.73.0.0 255.255.0.0 10.160.0.4
ip route 10.74.0.0 255.255.0.0 10.160.0.2
ip route 10.160.1.0 255.255.255.0 10.160.0.2
ip route 10.160.2.0 255.255.255.0 10.160.0.4
ip route 10.160.3.0 255.255.255.0 10.160.0.4
ip route 10.160.207.24 255.255.255.248 10.160.0.4
ip route 10.160.207.32 255.255.255.248 10.160.0.4
ip route 10.160.207.40 255.255.255.248 10.160.0.4
ip route 10.161.0.0 255.255.248.0 10.160.0.4
ip route 10.161.16.0 255.255.248.0 10.160.0.4
ip route 10.161.24.0 255.255.248.0 10.160.0.4
ip route 10.161.207.16 255.255.255.248 10.160.0.2
ip route 10.254.246.2 255.255.255.255 10.254.240.1
!
ip nat pool OutNat XXXX XXXX netmask 255.255.255.240
ip nat inside source route-map SDM_RMAP_1 pool OutNat overload

1 Reply

dusanamrtic
Level 1

Hello

I have a similar problem. The difference is just that I am using PPTP instead of the VPN client, but basically it is the same setup.

Simply put, ip local policy doesn't work when you have some encrypted traffic.

Can you post your configuration for the internet-redirect-rmap route map?

I have tried matching the GRE protocol and port 1723 for PPTP, but it simply doesn't work, so I am wondering whether this is even feasible on a Cisco router.

Dusan
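The following is an added configuration example illustrating both posts above; it is not from either participant and the thread does not confirm it as the fix. It works from what the posted config does show: the only default route points at 10.160.207.1 (the Gi0/1 side), the crypto map sits on Vlan144, and the route that reverse-route injects for the client address is resolved through the routing table, so return traffic to the pool can leave an interface that has no crypto map unless something steers it to Vlan144. The route-map names are the thread's; the Vlan144 gateway 203.0.113.1 (the real address is masked in the post), the ACL names PBR-LAN and PBR-LOCAL, and the set clauses are assumptions, since the thread's own route-map bodies are not shown.

```cisco
! Added example, not from the thread. 203.0.113.1 is a placeholder for the
! Vlan144 default gateway; PBR-LAN and PBR-LOCAL are assumed ACL names.
!
! 1. Pin the reverse-route-injected client route to the Vlan144 gateway so
!    return traffic to the pool egresses the interface carrying the crypto map.
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA2
 reverse-route remote-peer 203.0.113.1
!
! 2. Keep the LAN-side PBR away from pool traffic. A deny in the match ACL
!    means "do not policy-route"; the packet then follows the routing table,
!    which now holds the RRI route from step 1. The pool is 192.168.5.3 with
!    a /24 group netmask, hence 192.168.5.0/24 here.
ip access-list extended PBR-LAN
 deny   ip any 192.168.5.0 0.0.0.255
 permit ip 10.160.0.0 0.0.0.255 any
!
route-map pbr-Internal permit 10
 match ip address PBR-LAN
 set ip next-hop 203.0.113.1
!
! 3. Local policy applies to router-generated packets, which includes the IKE
!    (UDP 500 and 4500) and ESP packets the router emits for the tunnel.
!    Excluding them lets tunnel control and data traffic follow the routing
!    table consistently instead of whatever the redirect map chooses.
ip access-list extended PBR-LOCAL
 deny   udp any any eq isakmp
 deny   udp any any eq non500-isakmp
 deny   esp any any
 permit ip any any
!
route-map internet-redirect-rmap permit 10
 match ip address PBR-LOCAL
 set ip next-hop 203.0.113.1
```

To check the effect on a live box: show ip route static should list the 192.168.5.3/32 route with the Vlan144 gateway as next hop while a client is connected; show crypto ipsec sa should show both #pkts encaps and #pkts decaps increasing when the client sends traffic (the post describes only one direction moving); and show route-map shows per-clause policy-routing match counters, so a rising count on the redirect map while tunnel traffic is failing points at the local policy catching it.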