01-25-2012 06:48 AM
Hi,
I have a new Easy VPN deployment and VPN traffic is working fine. I have defined split tunnels on the server and I can see that non-interesting traffic is directed out of the dialer interface on the remote router. However, when the VPN establishes it tears down all of the local NAT config, and without NAT my remote clients can't access the internet.
I have verified split tunnelling with a tracert from the client, and sh ip nat trans is empty. The client is currently connected via Fast0.
How can I get Easy VPN to configure NAT for non-tunnelled traffic via Dialer0?
Thanks in advance for any help
ip source-route
!
!
!
ip dhcp excluded-address 192.168.252.1 192.168.252.2
!
ip dhcp pool WIRED-Data
network 192.168.252.0 255.255.255.240
dns-server 192.168.1.246
domain-name mydomain.co.uk
default-router 192.168.252.1
!
!
ip cef
ip domain name mydomain.co.uk
ip multicast-routing
ip inspect tcp reassembly queue length 1024
ip inspect name fw_urlf http java-list 51 urlfilter timeout 30
ip urlfilter allow-mode on
ip urlfilter urlf-server-log
ip urlfilter truncate hostname
ip urlfilter server vendor websense hqipaddress
no ipv6 cef
!
!
multilink bundle-name authenticated
chat-script gsm "" "ATDT*98*1#" TIMEOUT 60 "CONNECT"
license udi pid CISCO881GW-GN-E-K9 sn ghgghghj
!
!
!
controller Cellular 0
!
!
!
!
!
!
!
crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1
connect acl 101
group 24hvan key mykey
mode network-extension
peer HQ.IP.AD.RESS
virtual-interface 1
username van1 password clientpassword
xauth userid mode local
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
tunnel mode ipsec ipv4
!
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Cellular0
no ip address
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer in-band
dialer pool-member 1
async mode interactive
!
interface Vlan1
ip address 192.168.252.1 255.255.255.240
ip nat inside
ip virtual-reassembly in
crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1 inside
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string gsm
dialer persistent
ppp chap hostname web
ppp chap password 0 web
ppp ipcp dns request
crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 2
!
logging esm config
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.252.0 0.0.0.15
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip any 192.168.1.0 0.0.0.255
!
!
!
01-26-2012 02:38 AM
Rupert,
The doc is quite specific for this:
When an IPsec VPN tunnel is down, the NAT configuration works.
I have not tested this for a while so I'm not sure what the behavior will be in client mode since NAT interoperability is not supported in client mode.
I guess this is causing packets to leak out with private addressing to the ISP network?
M.
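The following is an added example, not part of either post and not Cisco code: a small Python model of the remote router's forwarding decision, built from the ACLs in the posted config (extended ACL 101 as the split-tunnel "interesting traffic" list, standard ACL 1 as the NAT list). It implements Cisco wildcard-mask matching and walks constructed sample flows through the split-tunnel check and then the NAT check, once with the user NAT rule present (tunnel down, as the doc quote describes) and once with it removed (the state the question reports after the tunnel comes up), to show which flows would leave Dialer0 with an RFC 1918 source address. The Dialer0 address and the sample destination are assumed TEST-NET values.

```python
import ipaddress

# ACLs taken from the posted configuration.
# Standard ACL 1: source only.  Extended ACL 101: "permit ip any 192.168.1.0 0.0.0.255".
NAT_ACL_1 = [("192.168.252.0", "0.0.0.15")]
SPLIT_TUNNEL_ACL_101 = [("any", None, "192.168.1.0", "0.0.0.255")]

# Assumed values for the model (not from the thread): a TEST-NET-3 address
# negotiated on Dialer0 and a TEST-NET-2 address as an "internet" destination.
DIALER0_ADDRESS = "203.0.113.10"
SAMPLE_INTERNET_HOST = "198.51.100.7"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def is_interesting(src, dst):
    """Does the flow match the Easy VPN connect ACL (split-tunnel list)?"""
    for s_base, s_wc, d_base, d_wc in SPLIT_TUNNEL_ACL_101:
        src_ok = s_base == "any" or wildcard_match(src, s_base, s_wc)
        if src_ok and wildcard_match(dst, d_base, d_wc):
            return True
    return False


def nat_matches(src):
    """Does the source match 'ip nat inside source list 1'?"""
    return any(wildcard_match(src, b, w) for b, w in NAT_ACL_1)


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def egress(src, dst, nat_rule_present):
    """Return (path, source address seen on the wire) for one flow.

    Interesting traffic enters the Easy VPN tunnel; in network-extension mode
    the inside address is carried unchanged.  Everything else goes out Dialer0
    and is translated only if the user NAT rule is still installed.
    """
    if is_interesting(src, dst):
        return ("ezvpn-tunnel", src)
    if nat_rule_present and nat_matches(src):
        return ("dialer0-nat", DIALER0_ADDRESS)
    if is_rfc1918(src):
        return ("dialer0-leak", src)   # private source on the ISP link
    return ("dialer0", src)


def summarize(client="192.168.252.5"):
    """Run the constructed sample flows in both states and tabulate the result."""
    flows = [(client, "192.168.1.246"), (client, SAMPLE_INTERNET_HOST)]
    report = {}
    for state, nat_present in (("tunnel-down-nat-present", True),
                               ("tunnel-up-nat-removed", False)):
        report[state] = {dst: egress(src, dst, nat_present) for src, dst in flows}
    return report


if __name__ == "__main__":
    for state, rows in summarize().items():
        print(state)
        for dst, (path, wire_src) in rows.items():
            print(f"  -> {dst:15} via {path:13} source on wire {wire_src}")
```

With the NAT rule removed, the only flow that changes is the non-interesting one: it still leaves Dialer0, but with the 192.168.252.x source intact, which is exactly the "empty sh ip nat trans, no internet" symptom in the question and the private-address leak M. suspects. Traffic to 192.168.1.0/24 is unaffected because it matches ACL 101 and never reaches the NAT decision.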