Router (dyn IP) to PIX with Split Tunnel and PAT

ththeinze
Level 1

Hello

I have a Cisco 801 to connect to the internet (dynamic IP).

The router is establishing a VPN-Tunnel to private LAN behind a PIX.

It works with authentication pre-share.

It works fine. But now I want to access the internet, like the split-tunnel option.

The router must do PAT for the clients behind the router to the internet and no NAT to the LAN.

At the PIX I cannot define a split-tunnel option for the router because I have no vpngroup for my router.

How can I handle it?

Down there you can see a configuration like mine.

When debugging I can see that only traffic to the private LAN is passed to the tunnel (ACL 105).

All other traffic is not entering the tunnel (ACL 101).

But I get no response from Internet.

Please help me find the error!

Example configuration like mine:

--------------------------------

Official PIX-Internet-address xxxx

Client LAN (behind router) xx.xx.1.0 255.255.255.0

Private LAN (behind PIX) xx.xx.2.0 255.255.255.0

****** PIX *********

access-list 201 permit ip xx.xx.2.0 255.255.255.0 xx.xx.1.0 255.255.255.0
access-list 201 deny ip any any
crypto ipsec transform-set ras-router esp-3des esp-sha-hmac
crypto dynamic-map client 10 match address 201
crypto dynamic-map client 10 set transform-set ras-router
crypto dynamic-map client 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map vpn 1024 ipsec-isakmp dynamic client
crypto map vpn client authentication RAS
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode

****** Router *******

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key SecretKey address xxx
crypto ipsec transform-set to-LAN esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 141.1.1.1
 set transform-set to-LAN
 match address 105
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ! ISP phone number
 dialer string 012345678
 dialer hold-queue 10
 dialer-group 1
 no cdp enable
 ppp pap sent-username <ISP-Username> password xxxx
 crypto map mymap
ip nat inside source list 101 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 101 deny ip any 10.10.2.0 0.0.0.255
access-list 101 permit ip any any
access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 105 deny ip any any
dialer-list 1 protocol ip permit

Stephan


nikhil_m
Level 1

I really think this cannot be done!!

Why not?

It works if I do an extended ping from the inside interface of my router.

Pinging an "outside address" (e.g. 141.1.1.1), the router does PAT and I get a reply from the internet.

Pinging an "inside address", it establishes the tunnel and I get a reply from my PIX (destination unreachable, as defined in the ACLs).

Pinging the internet also works when the tunnel is established.

But only from the router's inside interface address.

Using a client behind the router it doesn't work.

I can see that the ACL for the tunnel has hit counts from the ping (deny), as it should be. But no hit counts in the ACL for NAT/PAT.

This means to me it doesn't process the ACLs in the order: "Check if the packet is for the tunnel; if not, then NAT and send to the internet".

Why does it do it from the router's inside interface but not from a client?

############

crypto map mymap 10 ipsec-isakmp
 .
 .
 match address 105
ip nat inside source list 101 interface Dialer1 overload
access-list 101 deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 101 permit ip any any
access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 105 deny ip any any

############

Stephan
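Added illustration, not from the thread and not Cisco code: a small model of how the router evaluates the NAT ACL and the crypto ACL for an inside-to-outside packet (on IOS, NAT is applied before the crypto map is consulted), run against the two versions of access-list 101 and the crypto ACL 105 from the posts. The dialer address 198.51.100.10 and the sample flows are constructed placeholders.

```python
import ipaddress
from typing import List, Tuple

# One extended ACL entry: (action, src, src_wildcard, dst, dst_wildcard)
Entry = Tuple[str, str, str, str, str]
ANY = ("0.0.0.0", "255.255.255.255")
DIALER_IP = "198.51.100.10"  # constructed stand-in for the negotiated address

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit is 'don't care', a 0 bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def acl_permits(acl: List[Entry], src: str, dst: str) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

# access-list 101 from the first post: exclude anything going to the LAN
NAT_ACL_V1: List[Entry] = [("deny", *ANY, "10.10.2.0", "0.0.0.255"),
                           ("permit", *ANY, *ANY)]
# access-list 101 from the reply: exclude only client-LAN to private-LAN
NAT_ACL_V2: List[Entry] = [("deny", "10.10.1.0", "0.0.0.255", "10.10.2.0", "0.0.0.255"),
                           ("permit", *ANY, *ANY)]
# access-list 105, the crypto ACL, identical in both posts
CRYPTO_ACL: List[Entry] = [("permit", "10.10.1.0", "0.0.0.255", "10.10.2.0", "0.0.0.255"),
                           ("deny", *ANY, *ANY)]

def classify(src: str, dst: str, nat_acl: List[Entry]) -> str:
    """Inside-to-outside on IOS: NAT runs before the crypto map is checked, so
    the NAT ACL decides first and the crypto ACL sees the translated source."""
    if acl_permits(nat_acl, src, dst):
        src = DIALER_IP  # PAT rewrote the source address
    if acl_permits(CRYPTO_ACL, src, dst):
        return "tunnel"
    return "internet-pat" if src == DIALER_IP else "cleartext-untranslated"

def nat_excludes_tunnel_flows(nat_acl: List[Entry], flows) -> bool:
    """Config check: every flow the crypto ACL would tunnel must be denied by
    the NAT ACL, otherwise PAT rewrites the source and the flow misses the tunnel."""
    return all(not acl_permits(nat_acl, s, d)
               for s, d in flows if acl_permits(CRYPTO_ACL, s, d))

if __name__ == "__main__":
    for nat_acl in (NAT_ACL_V1, NAT_ACL_V2):
        print(classify("10.10.1.5", "10.10.2.7", nat_acl),
              classify("10.10.1.5", "141.1.1.1", nat_acl))
```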
