07-07-2003 04:06 AM - edited 02-20-2020 10:50 PM
Hello
I have a CISCO 801 to connect to the internet (dynamic IP).
The router is establishing a VPN-Tunnel to private LAN behind a PIX.
It works with authentication pre-share.
It works fine. But now I want to access the internet like the split tunnel option.
The router must do PAT for the clients behind router
to internet and no nat to LAN.
At the PIX I cannot define split-tunnel-option for
the router because I have no vpngroup for my router.
How can I handle it?
Down there you can see a configuration like mine.
When debugging I can see that only traffic
to the private LAN is passed to the Tunnel (ACL 105).
All other traffic is not entering the tunnel (ACL 101).
But I get no response from Internet.
Please help me find the error!
Example configuration like mine:
--------------------------------
Official PIX-Internet-address xxxx
Client LAN (behind router) xx.xx.1.0 255.255.255.0
Private LAN (behind PIX) xx.xx.2.0 255.255.255.0
****** PIX *********
access-list 201 permit ip xx.xx.2.0 255.255.255.0 xx.xx.1.0 255.255.255.0
access-list 201 deny ip any any
crypto ipsec transform-set ras-router esp-3des esp-sha-hmac
crypto dynamic-map client 10 match address 201
crypto dynamic-map client 10 set transform-set ras-router
crypto dynamic-map client 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map vpn 1024 ipsec-isakmp dynamic client
crypto map vpn client authentication RAS
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
****** Router *******
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key SecretKey address xxx
crypto ipsec transform-set to-LAN esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
set peer 141.1.1.1
set transform-set to-LAN
match address 105
interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
! ISP phone number
dialer string 012345678
dialer hold-queue 10
dialer-group 1
no cdp enable
ppp pap sent-username <ISP-Username> password xxxx
crypto map mymap
ip nat inside source list 101 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 101 deny ip any 10.10.2.0 0.0.0.255
access-list 101 permit ip any any
access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 105 deny ip any any
dialer-list 1 protocol ip permit
Stephan
07-11-2003 07:03 AM
I really think this cannot be done!!
07-20-2003 09:38 PM
Why not ?
It works if I do an extended ping from the inside interface of my router.
Pinging an "outside-address" (e.g. 141.1.1.1), the router does PAT and I get a reply from the internet.
Pinging an "inside-address", it establishes the tunnel and I get a reply from my PIX (destination unreachable, as defined in the ACLs).
Pinging the internet also works when the tunnel is established.
But only from router's inside interface address.
Using a client behind the router it doesn't work.
I can see that the ACL for the tunnel has hit counts from ping (deny), as it should be. But no hit counts in the ACL for NAT/PAT.
This means to me it doesn't process the ACLs in the order: "Check if packet is for tunnel, if not then NAT and send to internet".
Why does it do it from the router's inside interface but not from a client?
############
crypto map mymap 10 ipsec-isakmp
.
.
match address 105
ip nat inside source list 101 interface Dialer1 overload
access-list 101 deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 101 permit ip any any
access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 105 deny ip any any
############
Stephan
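The two ACLs above only give split tunnelling because NAT ACL 101 excludes exactly the traffic that crypto ACL 105 selects. On IOS the inside-to-outside order of operations translates the packet (NAT) before the crypto map is consulted, so if the NAT ACL ever permitted the LAN-to-LAN traffic, its source would be rewritten to the Dialer1 address and it would no longer match ACL 105 at all. The following Python script is an added example, not part of the thread or of Cisco's code; it parses the posted ACL lines, evaluates wildcard masks the way IOS does, and classifies sample packets in that order. The Dialer1 address 198.51.100.10 and the client/host addresses are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Router ACLs as posted in the thread (NAT list 101, crypto list 105).
ROUTER_CONFIG = """
ip nat inside source list 101 interface Dialer1 overload
access-list 101 deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 101 permit ip any any
access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 105 deny ip any any
"""

# Constructed variant: same crypto ACL, but the NAT ACL forgot the deny line.
BROKEN_CONFIG = """
access-list 101 permit ip any any
access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 105 deny ip any any
"""

DIALER_IP = "198.51.100.10"  # constructed stand-in for the negotiated Dialer1 address


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    src_net: int
    src_wild: int    # IOS wildcard: bits set to 1 are "don't care"
    dst_net: int
    dst_wild: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _take_address(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]


def parse_acls(config_text: str) -> dict:
    """Return {acl_number: [AclEntry, ...]} for every 'access-list N permit|deny ip' line."""
    acls = {}
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # ignore non-ACL lines and non-IP ACL syntax
        number, action = tokens[1], tokens[2]
        src, src_wild, rest = _take_address(tokens[4:])
        dst, dst_wild, _ = _take_address(rest)
        acls.setdefault(number, []).append(AclEntry(action, src, src_wild, dst, dst_wild))
    return acls


def _matches(entry: AclEntry, src: int, dst: int) -> bool:
    src_care = ~entry.src_wild & 0xFFFFFFFF
    dst_care = ~entry.dst_wild & 0xFFFFFFFF
    return (src & src_care) == (entry.src_net & src_care) and \
           (dst & dst_care) == (entry.dst_net & dst_care)


def acl_permits(entries, src: int, dst: int) -> bool:
    """First matching entry wins; an ACL with no match denies implicitly."""
    for entry in entries:
        if _matches(entry, src, dst):
            return entry.action == "permit"
    return False


def classify_packet(acls: dict, src: str, dst: str, nat_acl="101", crypto_acl="105"):
    """Model IOS inside-to-outside order: NAT first, then crypto map match."""
    s, d = _ip(src), _ip(dst)
    natted = acl_permits(acls[nat_acl], s, d)
    if natted:
        s = _ip(DIALER_IP)  # PAT rewrites the source before the crypto check
    encrypted = acl_permits(acls[crypto_acl], s, d)
    return ("nat" if natted else "no-nat", "tunnel" if encrypted else "clear")


if __name__ == "__main__":
    good, bad = parse_acls(ROUTER_CONFIG), parse_acls(BROKEN_CONFIG)
    print("LAN-to-LAN, posted ACLs:", classify_packet(good, "10.10.1.5", "10.10.2.7"))
    print("LAN-to-Internet, posted ACLs:", classify_packet(good, "10.10.1.5", "141.1.1.1"))
    print("LAN-to-LAN, NAT ACL without deny:", classify_packet(bad, "10.10.1.5", "10.10.2.7"))
```

With the posted ACLs a client packet for the private LAN is left untranslated and selected for the tunnel, while a packet for an internet host is PATed and sent in the clear; with the deny line missing, the LAN-to-LAN packet is translated first and then misses the crypto ACL, which is the "not entering the tunnel" symptom to look for. The script only models the ACL logic, so a packet that never reaches this stage (for example because the LAN interface is not marked as a NAT inside interface) is outside what it can show.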