Cisco Support Community
881, IPSec, VPN Client, Internet Access, Loopback

Hi all,

I am trying to set up my 881 to do both split tunneling and tunneling of all data (including internet traffic) for client VPNs, using two different groups. (There are also some site-to-site VPNs.) The split tunneling seems to work fine so far, but I am having trouble getting the other group to have internet access. I tried to follow this sample:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

I guess I am doing something wrong in the access lists. Any help would be very much appreciated! Thanks!

My Config:

Building configuration...

Current configuration : 6287 bytes
!
! Last configuration change at 21:02:26 CET Tue Dec 13 2011
! NVRAM config last updated at 21:46:04 CET Tue Dec 13 2011
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service linenumber
!
hostname ###########
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
memory-size iomem 10
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
crypto pki token default removal timeout 0
!
ip source-route
!
ip dhcp pool LAN
   network 10.10.12.0 255.255.255.0
   default-router 10.10.12.254
   dns-server 10.10.12.254
   lease 7
!
ip cef
ip ddns update method myDDNS
 HTTP
  add http://###########:###########@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://###########:###########@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 28 0 0 0
!
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn ###########
!
username ########### password 0 ###########
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ########### hostname ###########.dyndns.org no-xauth
crypto isakmp key ########### hostname ###########.dyndns.org no-xauth
crypto isakmp key ########### hostname ###########.dyndns.org no-xauth
crypto isakmp key ########### hostname ###########.dyndns.org no-xauth
crypto isakmp key ########### hostname ###########.dyndns.org no-xauth
crypto isakmp key ########### hostname ###########.dyndns.org no-xauth
crypto isakmp key ########### hostname ###########.dyndns.org no-xauth
!
crypto isakmp client configuration group vpnsplit
 key ###########
 pool vpnsplitpool
 acl 120
!
crypto isakmp client configuration group vpnall
 key ###########
 pool vpnallpool
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set vpn
 reverse-route
!
crypto map vpn client authentication list userauthen
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond
crypto map vpn 5 ipsec-isakmp dynamic dynmap
crypto map vpn 10 ipsec-isakmp
 set peer ###########.dyndns.org dynamic
 set transform-set vpn
 match address 101
crypto map vpn 20 ipsec-isakmp
 set peer ###########.dyndns.org dynamic
 set transform-set vpn
 match address 102
crypto map vpn 30 ipsec-isakmp
 set peer ###########.dyndns.org dynamic
 set transform-set vpn
 match address 103
crypto map vpn 40 ipsec-isakmp
 set peer ###########.dyndns.org dynamic
 set transform-set vpn
 match address 104
crypto map vpn 50 ipsec-isakmp
 set peer ###########.dyndns.org dynamic
 set transform-set vpn
 match address 105
crypto map vpn 60 ipsec-isakmp
 set peer ###########.dyndns.org dynamic
 set transform-set vpn
 match address 106
crypto map vpn 70 ipsec-isakmp
 set peer ###########.dyndns.org dynamic
 set transform-set vpn
 match address 107
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description ### ADSL WAN PHYSICAL ###
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Vlan1
 description ### LAN LOGICAL ###
 ip address 10.10.12.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 description ### ADSL WAN LOGICAL ###
 ip ddns update hostname ###########.dyndns.org
 ip ddns update myDDNS host members.dyndns.org
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 ip policy route-map vpn-client
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname ###########
 ppp chap password 0 ###########
 ppp pap sent-username ########### password 0 ###########
 ppp ipcp dns request
 no cdp enable
 crypto map vpn
!
ip local pool vpnsplitpool 192.168.1.1 192.168.1.254
ip local pool vpnallpool 192.168.2.1 192.168.2.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns view default
 dns forwarding source-interface Vlan1
ip dns server
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
logging esm config
access-list 100 deny   ip 10.10.12.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 100 deny   ip 10.10.12.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 100 deny   ip 10.10.12.0 0.0.0.255 10.10.11.0 0.0.0.255
access-list 100 deny   ip 10.10.12.0 0.0.0.255 10.10.13.0 0.0.0.255
access-list 100 deny   ip 10.10.12.0 0.0.0.255 10.8.1.0 0.0.0.255
access-list 100 deny   ip 10.10.12.0 0.0.0.255 10.8.2.0 0.0.0.255
access-list 100 deny   ip 10.10.12.0 0.0.0.255 10.8.3.0 0.0.0.255
access-list 100 deny   ip 10.10.12.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 10.10.12.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit ip 10.10.12.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 102 permit ip 10.10.12.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 103 permit ip 10.10.12.0 0.0.0.255 10.10.11.0 0.0.0.255
access-list 104 permit ip 10.10.12.0 0.0.0.255 10.10.13.0 0.0.0.255
access-list 105 permit ip 10.10.12.0 0.0.0.255 10.8.1.0 0.0.0.255
access-list 106 permit ip 10.10.12.0 0.0.0.255 10.8.2.0 0.0.0.255
access-list 107 permit ip 10.10.12.0 0.0.0.255 10.8.3.0 0.0.0.255
access-list 120 permit ip 10.10.12.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 144 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 100 protocol ip permit
no cdp run
!
route-map vpn-client permit 10
 match ip address 144
 set ip next-hop 10.1.1.2
!
control-plane
!
line con 0
 exec-timeout 60 0
 password ###########
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 60 0
 password ###########
 logging synchronous
 transport input telnet ssh
!
ntp server 192.53.103.108
end
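For reference, the loopback hairpin that the post is trying to use, reduced to the pieces that make it work. This is an added illustration, not the original poster's config and not a confirmed fix for it. Interface names, the Loopback0 subnet, the 192.168.2.0/24 full-tunnel pool and the LAN and remote subnets follow the posted config; the named ACLs HAIRPIN and NAT-INSIDE and the extra deny entries are this example's own choices and are not taken from the linked Cisco sample.

```cisco
! Loopback hairpin for full-tunnel VPN clients (added example, not the posted config).
! Packet path for a client at 192.168.2.x sending to the internet:
!  1. ESP arrives on Dialer1 and is decrypted by the crypto map.
!  2. The decrypted packet is treated as received on Dialer1, so the interface's
!     input policy (ip policy route-map) is evaluated against it.
!  3. The route-map forces next hop 10.1.1.2, an unused address on the Loopback0
!     subnet; the packet goes out Loopback0 and is immediately received back on it.
!  4. Loopback0 is "ip nat inside", so the packet is now inside-to-outside traffic,
!     matches the NAT ACL, is translated to the Dialer1 address and sent out Dialer1.
!     It no longer matches any crypto ACL, so it leaves the router unencrypted.
!
interface Loopback0
 description ### NAT hairpin for full-tunnel VPN clients ###
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! Only the lines relevant to the hairpin are shown for the WAN interface.
interface Dialer1
 ip nat outside
 ip policy route-map vpn-client
 crypto map vpn
!
! Hairpin only pool traffic that is bound for the internet. Client traffic for the
! LAN is left to normal routing (inside-to-inside traffic is not translated anyway,
! but keeping it off the loopback makes "show route-map" counters meaningful).
ip access-list extended HAIRPIN
 deny   ip 192.168.2.0 0.0.0.255 10.10.12.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
!
route-map vpn-client permit 10
 match ip address HAIRPIN
 set ip next-hop 10.1.1.2
!
! NAT ACL: exempt LAN traffic that must stay inside the site-to-site and client
! tunnels, then translate both the LAN and the hairpinned full-tunnel pool.
! Listing the pool explicitly instead of relying on "permit ip any any" makes the
! intent visible and avoids translating anything else that reaches an inside interface.
ip access-list extended NAT-INSIDE
 deny   ip 10.10.12.0 0.0.0.255 10.10.1.0 0.0.0.255
 deny   ip 10.10.12.0 0.0.0.255 10.10.2.0 0.0.0.255
 deny   ip 10.10.12.0 0.0.0.255 10.10.11.0 0.0.0.255
 deny   ip 10.10.12.0 0.0.0.255 10.10.13.0 0.0.0.255
 deny   ip 10.10.12.0 0.0.0.255 10.8.1.0 0.0.0.255
 deny   ip 10.10.12.0 0.0.0.255 10.8.2.0 0.0.0.255
 deny   ip 10.10.12.0 0.0.0.255 10.8.3.0 0.0.0.255
 deny   ip 10.10.12.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 10.10.12.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 10.10.12.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
!
ip nat inside source list NAT-INSIDE interface Dialer1 overload
```

To see which step fails, separate name resolution from forwarding: from a connected full-tunnel client, ping a public IP address first, then a hostname. The vpnall group hands out no `dns` server, so a client that can reach addresses but not names is a DNS problem, not a routing one. On the router, `show route-map vpn-client` shows whether the policy is matching packets at all, `show ip nat translations` shows whether hairpinned pool traffic is being translated, and `show crypto ipsec sa` confirms the client SA is passing decrypted packets. `debug ip policy` will show each PBR decision while you test.

Unrelated to the hairpin but worth fixing while in this config: `no service password-encryption` together with `password 0` leaves every secret readable in the running config (use `enable secret`, `username ... secret` and `service password-encryption`), `transport input telnet ssh` on the vty lines exposes those passwords on the wire (restrict to `transport input ssh`), `ip source-route` should be disabled on an internet-facing router, and 3DES with MD5 and DH group 2 or 5 is well below current guidance for IKE and IPsec (AES, SHA-2 and DH group 14 or higher where the peers support it).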
