I am running wireless off of the External Interface of our 3030. The External filter is permitting DHCP in/out to allow wireless clients to get an address. Clients are required to authenticate via VPN and when connected, no split tunneling is allowed. This works pretty well to protect our wireless segment.
The problem that I am having is that once the wireless client connects and opens a VPN tunnel, it writes a host route to the DHCP server pointing to the wireless segment. Once this is done, the client cannot reach the DHCP server (which is also hosting other services) because all traffic should be traversing the tunnel. If the host route is manually deleted, everything works fine.
Is anyone aware of a workaround or a different configuration approach that would avoid this problem?
Consider split-tunneling. Configure split-tunneling such that the traffic to the DHCP server is not encrypted and tunnelled but is sent in clear text and all other traffic is sent through the tunnel. I don't know what is creating the host route, the wireless client or the VPN client?
The host route to the DHCP server which points to the wireless segment does not appear on a "route print" statement until after the tunnel completes. In the VPN software log, I can see that it is being sent from the concentrator, or so I assume.
The split tunnel won't solve the larger problem for me. It would allow the wireless client to renew the DHCP lease via the wireless segment (the only traffic allowed through the concentrator without a tunnel is DHCP), and given that the DHCP server is also the Fileserver, clients can't get to the files.
I could hand out addresses for this group from the concentrator, but then our DDNS is not updated for those clients.
Somewhat of a catch-22. It seems like there should be a better way to do this.
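A small diagnostic for the symptom described above, added here as an example and not code from the thread: it parses Windows `route print` output and flags any /32 host route to the server that exits through the wireless interface instead of the tunnel. The addresses and the sample table are constructed for illustration.

```python
# Added example (not from the thread): find a /32 host route to a protected
# server that leaves via the wireless interface, bypassing the VPN tunnel.
import re
from dataclasses import dataclass
from typing import List

# One "route print" IPv4 row: dest, mask, gateway (may be "On-link"), iface, metric
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

@dataclass(frozen=True)
class Route:
    dest: str
    mask: str
    gateway: str
    iface: str
    metric: int

def parse_route_print(text: str) -> List[Route]:
    """Extract IPv4 routes from `route print` output; headers and rules are ignored."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            routes.append(Route(m[1], m[2], m[3], m[4], int(m[5])))
    return routes

def leaked_host_routes(routes: List[Route], server_ip: str, wireless_iface_ip: str) -> List[Route]:
    """Host routes (/32) to server_ip bound to the wireless interface, i.e. traffic
    that will not traverse the tunnel."""
    return [r for r in routes
            if r.dest == server_ip and r.mask == "255.255.255.255"
            and r.iface == wireless_iface_ip]

# Constructed sample: 10.10.0.0/24 is the wireless segment (client 10.10.0.77,
# gateway 10.10.0.1), 192.168.50.5 the VPN-assigned address, 172.16.1.10 the
# DHCP/file server reached through the tunnel.
SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      On-link      192.168.50.5      1
         10.10.0.0    255.255.255.0     On-link         10.10.0.77    281
      172.16.1.10  255.255.255.255     10.10.0.1       10.10.0.77      1
       172.16.0.0      255.255.0.0     On-link      192.168.50.5      2
===========================================================================
"""

def check_sample():
    routes = parse_route_print(SAMPLE)
    return [(r.dest, r.gateway) for r in leaked_host_routes(routes, "172.16.1.10", "10.10.0.77")]

if __name__ == "__main__":
    for dest, gw in check_sample():
        print(f"host route to {dest} via {gw} bypasses the tunnel")
```

Run it against real `route print` output after the tunnel comes up to confirm whether the stray host route is present before and after the VPN client connects.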