Easy VPN remote (NEM) split tunnel NAT issue

rupertsedgwick
Level 1

Hi,

I have a new Easy VPN deployment and VPN traffic is working fine. I have defined split tunnels on the server and I can see that non-interesting traffic is directed out of the dialer interface on the remote router. However, when the VPN establishes it tears down all of the local NAT config, and without NAT my remote's clients can't access the internet.

I have verified split tunneling with a tracert from the client, and sh ip nat trans is empty. The client is currently connected via Fast0.

How can I get EasyVPN to configure NAT for non-tunnelled traffic via Dial0?

Thanks in advance for any help


ip source-route
!
!
!
ip dhcp excluded-address 192.168.252.1 192.168.252.2
!
ip dhcp pool WIRED-Data
   network 192.168.252.0 255.255.255.240
   dns-server 192.168.1.246
   domain-name mydomain.co.uk
   default-router 192.168.252.1
!
!
ip cef
ip domain name mydomain.co.uk
ip multicast-routing
ip inspect tcp reassembly queue length 1024
ip inspect name fw_urlf http java-list 51 urlfilter timeout 30
ip urlfilter allow-mode on
ip urlfilter urlf-server-log
ip urlfilter truncate hostname
ip urlfilter server vendor websense hqipaddress
no ipv6 cef
!
!
multilink bundle-name authenticated
chat-script gsm "" "ATDT*98*1#" TIMEOUT 60 "CONNECT"
license udi pid CISCO881GW-GN-E-K9 sn ghgghghj
!
!
!
controller Cellular 0
!
!
!
!
!
!
!
crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1
 connect acl 101
 group 24hvan key mykey
 mode network-extension
 peer HQ.IP.AD.RESS
 virtual-interface 1
 username van1 password clientpassword
 xauth userid mode local
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 tunnel mode ipsec ipv4
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 no ip address
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Cellular0
 no ip address
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer in-band
 dialer pool-member 1
 async mode interactive
!
interface Vlan1
 ip address 192.168.252.1 255.255.255.240
 ip nat inside
 ip virtual-reassembly in
 crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1 inside
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer string gsm
 dialer persistent
 ppp chap hostname web
 ppp chap password 0 web
 ppp ipcp dns request
 crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 2
!
logging esm config
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.252.0 0.0.0.15
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip any 192.168.1.0 0.0.0.255
!
!
!

1 Reply

Marcin Latosiewicz
Cisco Employee

Rupert,

The doc is quite specific for this:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_esyvpn/configuration/15-0m/sec-easy-vpn-rem.html#GUID-40E16F04-6000-4FC4-B9D1-2809F42292A5

When an IPsec VPN tunnel is down, the NAT configuration works.


I have not tested this for a while so I'm not sure what the behavior will be in client mode since NAT interoperability is not supported in client mode.

I guess this is causing packets to leak out with private addressing to the ISP network?

M.
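The situation both posts describe, written up as an added example that is not from the thread, the linked document or Cisco: a policy-based PAT statement for the posted configuration that keeps translating Internet-bound traffic out of Dialer0 while exempting traffic bound for the split-tunnel destination (192.168.1.0/24, the network the connect ACL 101 points at), so that LAN addresses reach HQ untranslated in network-extension mode. The route-map name NONAT, access-list number 150 and the expectation that this statement remains installed once the Easy VPN tunnel is up are assumptions to be checked on the router; the show commands listed are there to make that comparison.

```cisco
! Added example (not from the thread or the Cisco document).
! Replace the source-list PAT with a route-map so that the translation
! decision looks at both source and destination.
!
! Remove the list-based statement from the posted config
no ip nat inside source list 1 interface Dialer0 overload
!
! ACL 150 (assumed number): do not translate traffic that belongs in the
! tunnel, translate everything else sourced from the Vlan1 subnet.
access-list 150 remark NAT exemption for Easy VPN split tunnel (added example)
access-list 150 deny   ip 192.168.252.0 0.0.0.15 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.252.0 0.0.0.15 any
!
route-map NONAT permit 10
 match ip address 150
!
! PAT only what route-map NONAT permits, overloading the negotiated Dialer0 address
ip nat inside source route-map NONAT interface Dialer0 overload
!
! Vlan1 keeps 'ip nat inside' and Dialer0 keeps 'ip nat outside' as already configured.
!
! Verification: capture once with the tunnel down and once with it up, then compare.
!   show crypto ipsec client ezvpn     - tunnel state and the split-tunnel networks pushed by HQ
!   show ip nat statistics             - the route-map rule should still be listed while the tunnel is up
!   show ip nat translations           - should show Dialer0 entries for Internet-bound flows
!   show running-config | include nat  - confirms nothing was removed when the tunnel came up
```

The deny line is what makes this safe to combine with network-extension mode: without it, traffic for 192.168.1.0/24 could be translated to the Dialer0 address and the hosts behind Vlan1 would no longer be reachable from HQ by their real addresses. The permit line is the control that addresses the concern raised in the reply: while it is in effect, no packet with a 192.168.252.x source leaves Dialer0 untranslated. If the `show running-config | include nat` output taken with the tunnel up no longer contains the route-map statement, the Easy VPN remote is still removing the translation, and that before/after output is the evidence to take to Cisco support.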