

Using 3030 to protect wireless

I am running wireless off of the External Interface of our 3030. The External filter is permitting DHCP in/out to allow wireless clients to get an address. Clients are required to authenticate via VPN and when connected, no split tunneling is allowed. This works pretty well to protect our wireless segment.

The problem that I am having is that once the wireless client connects and opens a VPN tunnel, it writes a host route to the DHCP server pointing to the wireless segment. Once this is done, the client cannot reach the DHCP server (which is also hosting other services) because all traffic should be traversing the tunnel. If the host route is manually deleted, everything works fine.

Is anyone aware of a workaround or a different configuration approach that would avoid this problem?

Thanks in advance for your comments.



Re: Using 3030 to protect wireless

Consider split-tunneling. Configure split-tunneling such that the traffic to the DHCP server is not encrypted and tunnelled but is sent in clear text and all other traffic is sent through the tunnel. I don't know what is creating the host route, the wireless client or the VPN client?


Re: Using 3030 to protect wireless

The host route to the DHCP server which points to the wireless segment does not appear on a "route print" statement until after the tunnel completes. In the VPN software log, I can see that it is being sent from the concentrator, or so I assume.

The split tunnel won't solve the larger problem for me. It would allow the wireless client to renew the DHCP lease via the wireless segment (the only traffic allowed through the concentrator without a tunnel is DHCP), and given that the DHCP server is also the Fileserver, clients can't get to the files.

I could hand out addresses for this group from the concentrator, but then our DDNS is not updated for those clients.

Somewhat of a catch-22. It seems like there should be a better way to do this.
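The behaviour described in the two posts above (a /32 host route for the DHCP server, injected once the tunnel is up, that wins over the tunnel's default route and so sends server traffic back out the wireless interface in the clear) can be checked from the client's own routing table. The following is an added example, not code from the thread or from Cisco: it parses a constructed `route print` snapshot, applies the same longest-prefix / metric selection a host's IP stack uses, and flags host routes to protected servers that exit via the wireless segment instead of the VPN adapter. All addresses (192.168.50.0/24 as the wireless segment, 10.1.1.10 as the DHCP/file server, 10.200.0.5 as the VPN adapter) are placeholders chosen for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of Windows "route print" output; addresses are placeholders.
# Wireless segment 192.168.50.0/24, DHCP/file server 10.1.1.10, VPN adapter 10.200.0.5.
# The third row is the injected /32 host route the original poster describes.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.50.1   192.168.50.23      25
          0.0.0.0          0.0.0.0       10.200.0.1      10.200.0.5       1
        10.1.1.10  255.255.255.255     192.168.50.1   192.168.50.23       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.50.0    255.255.255.0    192.168.50.23   192.168.50.23      25
Default Gateway:      192.168.50.1
"""

# One routing-table row: destination, netmask, gateway, interface, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Turn 'route print' text into a list of route dicts; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({"dest": dest, "mask": mask, "gateway": gateway,
                       "interface": iface, "metric": int(metric)})
    return routes


def select_route(routes, destination):
    """Longest-prefix match with lowest-metric tie-break, as the host's IP stack does."""
    dst = ip_address(destination)
    best = None
    for r in routes:
        net = ip_network(f"{r['dest']}/{r['mask']}", strict=False)
        if dst not in net:
            continue
        key = (net.prefixlen, -r["metric"])  # more specific first, then lower metric
        if best is None or key > best[0]:
            best = (key, r)
    return best[1] if best else None


def find_bypass_host_routes(routes, protected_hosts, wireless_segment):
    """Return /32 routes to protected servers whose interface sits on the wireless segment,
    i.e. traffic that would leave the client in the clear instead of via the tunnel."""
    seg = ip_network(wireless_segment)
    return [r for r in routes
            if r["mask"] == "255.255.255.255"
            and r["dest"] in protected_hosts
            and ip_address(r["interface"]) in seg]


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTE_PRINT)
    for host in ("10.1.1.10", "10.1.1.20"):
        print(host, "->", select_route(routes, host)["interface"])
    for r in find_bypass_host_routes(routes, {"10.1.1.10"}, "192.168.50.0/24"):
        print("bypass host route:", r)
```

With the injected /32 present, 10.1.1.10 is selected via the wireless interface while any other internal host (10.1.1.20 in the sample) goes through the VPN adapter; dropping the flagged route makes the server selection fall back to the tunnel, which is exactly the effect of the manual `route delete` the poster describes.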
