Allow internet traffic through the VPN via router to internet

Hello,

I thought that the best option to do that on my Cisco 861 router, IOS v. 15.0, is to use NVI (NAT Virtual Interface): http://inetpro.org/wiki/IPSec:_Router_and_VPN_Client_for_Public_Internet_on_a_Stick_with_NVI

I tried the solution given on this page, but it does not work.

I give you the running-config for my router before and after the modifications proposed on this page, so that you are able to help me.

Is there another way to do that?

Thanks in advance!!

aaa new-model
!
!
aaa authentication login console local-case none
aaa authentication login remote local-case
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication enable default enable
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-181741940
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-181741940
 revocation-check none
 rsakeypair TP-self-signed-181741940
!
!
crypto pki certificate chain TP-self-signed-181741940
 certificate self-signed 01
  3082023E ...
  ....
        quit
ip source-route
!
!
!
!
ip cef
!
!
license udi pid CISCO861-K9 sn FCZ144590B9
!
!
username superUser privilege 15 password 7 password
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group groupIsakmp
 key keyIsakmp
 dns dns1 dns1
 pool SDM_POOL_1
 max-users 5
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group groupIsakmp
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-AES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 10
!
interface FastEthernet1
 switchport access vlan 10
!
interface FastEthernet2
 switchport access vlan 10
!
interface FastEthernet3
 switchport access vlan 10
!
interface FastEthernet4
 ip address 192.168.0.43 255.255.255.0
 ip nat outside
 changed to--->ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 changed to--->ip nat enable
 ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.1.200 192.168.1.210
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
ip nat source list ACL_NAT interface FastEthernet0 overload
!
ip access-list extended ACEL_NAT
 !
 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.0.100
!
access-list 1 permit 192.168.1.0 0.0.0.255
!

andrew.prince
Level 10

Carlos,

If you had followed the example, your config would be very different. The main part of the example you need to concentrate on is:

ip nat source list ACL_NAT interface FastEthernet0/0 overload
!
ip access-list extended ACL_NAT
  !-- do not translate traffic between the VPN clients and the inside
  deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  !-- translate the inside and the VPN clients for every other destination
  permit ip 192.168.1.0 0.0.0.255 any
  permit ip 192.168.2.0 0.0.0.255 any
!

You are missing

  !-- do not translate traffic between the VPN clients and the inside
  deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

In your case it should be

deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 - as you are using the 192.168.1.0/24 for your inside AND VPN pool.

Ideally your VPN Pool should be another IP Subnet to avoid this obvious confusion.
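To make the point of the reply concrete, here is an added example (not code from the thread, from Cisco, or from the inetpro page) that models how a NAT ACL like the one above is evaluated: top to bottom, first match wins, a permit marks the flow as a translation candidate, a deny (or the implicit deny at the end) leaves the addresses untouched. It parses the `permit`/`deny ip` lines as written and runs the flows from the thread (VPN client 192.168.1.200, server 192.168.1.101, inside 192.168.1.0/24, Andrew's 192.168.2.0/24 pool) plus a constructed TEST-NET-3 address standing in for an internet host. It models only the ACL decision, not NVI or the tunnel itself.

```python
"""First-match evaluation of a Cisco IOS extended ACL as used by 'ip nat source list'.

Added illustration for this thread, not Cisco code and not a model of NVI: it
only reproduces how the NAT ACL decides which flows are translation candidates.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # network address
    src_wc: str   # Cisco wildcard mask: 1 bits are "don't care", 0 bits must match
    dst: str
    dst_wc: str


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr equals network on every bit the wildcard marks as fixed (0)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_address(tokens: list[str]) -> tuple[tuple[str, str], list[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'NETWORK WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> list[Ace]:
    """Parse 'permit|deny ip SRC DST' lines; blank lines and '!' comments are skipped."""
    aces: list[Ace] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        (src, src_wc), rest = _take_address(tokens[2:])
        (dst, dst_wc), _ = _take_address(rest)
        aces.append(Ace(action, src, src_wc, dst, dst_wc))
    return aces


def nat_translates(acl: list[Ace], src: str, dst: str) -> bool:
    """First-match walk; the implicit deny (no translation) applies when nothing matches."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action == "permit"
    return False


# Andrew's example: inside 192.168.1.0/24, VPN pool 192.168.2.0/24.
ACL_SEPARATE_POOL = """
!-- do not translate traffic between the VPN clients and the inside
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!-- translate the inside and the VPN clients for every other destination
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
"""

# Carlos's layout (pool carved out of the same /24) with the deny Andrew suggested.
ACL_SHARED_SUBNET = """
deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
"""

# The ACL as posted: permit only, nothing exempts client-to-inside traffic.
ACL_PERMIT_ONLY = """
permit ip 192.168.1.0 0.0.0.255 any
"""

INTERNET_HOST = "203.0.113.10"   # constructed TEST-NET-3 address, stands in for any internet host


def summarize(acl_text: str, flows: list[tuple[str, str]]) -> dict[tuple[str, str], bool]:
    """Map each (src, dst) flow to whether the ACL marks it for translation."""
    acl = parse_acl(acl_text)
    return {flow: nat_translates(acl, *flow) for flow in flows}


if __name__ == "__main__":
    flows = [("192.168.1.200", "192.168.1.101"), ("192.168.1.200", INTERNET_HOST)]
    for name, text in (("shared subnet", ACL_SHARED_SUBNET), ("permit only", ACL_PERMIT_ONLY)):
        for (src, dst), translated in summarize(text, flows).items():
            print(f"{name:13} {src} -> {dst}: {'translate' if translated else 'no NAT'}")
```

Two things the model makes visible: with the permit-only ACL the client-to-server flow 192.168.1.200 -> 192.168.1.101 matches the permit and is a translation candidate, which is exactly the exemption Andrew says is missing; and a deny whose source and destination are the same /24 covers both directions, whereas a single deny between two different subnets, as written in the quoted example, exempts only the inside-to-client direction, so the reverse direction still falls through to the last permit.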

Thanks for your reply Andrew.

I didn't put this line because I also want the VPN clients to be able to access the inside of the network. The VPN clients are in the same IP subnet for that reason.

I want a VPN client with IP 192.168.1.200 to be able to access the remote server at IP 192.168.1.101 and, using the router's default gateway, also access the internet, because as you know, all the internet traffic on the client side goes through the VPN tunnel.

I believe that I have two options for this: split tunneling (less secure) and NVI.

Maybe there is an easy way to allow my client to use the router's default gateway, or some other option to have both a secure tunnel and internet access on the client at the same time.

thanks in advance!!

more suggestions please??