09-05-2013 12:56 AM
Hi people,
I want to ask how to put all traffic through the VPN server from an Easy VPN client.
I mean that I have a VPN server at home, and when I connect to the VPN server from outside, I want to appear with an IP address from my home.
Here is the configuration so far. Where is the problem?
Router1#sh running-config
Building configuration...
Current configuration : 5744 bytes
!
! Last configuration change at 19:51:18 UTC Wed Sep 4 2013 by cska
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
service-module wlan-ap 0 bootimage autonomous
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1604488384
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1604488384
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-1604488384
certificate self-signed 01
quit
ip source-route
!
!
!
!
ip dhcp pool CISCO
import all
network 192.168.1.0 255.255.255.0
dns-server 195.34.133.21 212.186.211.21
default-router 192.168.1.1
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO892W-AGN-E-K9 sn FCZ1530C209
!
!
username cska privilege 15 secret 5 $1$8j6G$2sMHqIxJX8MQU6vpr75gp1
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNGR
key vpngroup
dns 212.186.211.21 195.34.133.21
wins 8.8.8.8
domain chello.at
pool SDM_POOL_1
acl 120
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group VPNGR
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
bridge irb
!
!
!
!
interface Loopback0
ip address 192.168.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface GigabitEthernet0
description Internet
mac-address 0023.5a03.b6a5
ip address dhcp client-id GigabitEthernet0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip address 192.168.9.2 255.255.255.0
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip local pool SDM_POOL_1 192.168.4.3 192.168.4.245
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 110 interface GigabitEthernet0 overload
ip nat inside source static tcp 192.168.1.5 3389 interface GigabitEthernet0 3389
ip nat inside source static udp 192.168.1.5 3389 interface GigabitEthernet0 3389
ip nat inside source static tcp 192.168.1.5 21 interface GigabitEthernet0 21
ip nat inside source static udp 192.168.1.5 21 interface GigabitEthernet0 21
ip nat inside source static tcp 192.168.1.4 3389 interface GigabitEthernet0 3390
ip nat inside source static udp 192.168.1.4 3389 interface GigabitEthernet0 3390
ip nat inside source list 120 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
logging esm config
access-list 101 permit ip any any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit tcp any any eq 3389
access-list 120 permit ip 192.168.4.0 0.0.0.255 any
!
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
privilege level 15
transport preferred ssh
transport input ssh
transport output all
!
thanks in advance
09-05-2013 01:01 AM
For that you have to make the following changes:
1) disable Split-Tunneling by removing the ACL from your client configuration-group.
2) Enable NAT for VPN-traffic by adding "ip nat inside" to your virtual-template and adding the client-network to the ACL that controls your PAT.
Edit: These are the changes to your config (also with a little clean-up):
crypto isakmp client configuration group VPNGR
no acl 120
!
interface Virtual-Template1 type tunnel
ip nat inside
!
no ip nat inside source list 120 interface GigabitEthernet0 overload
!
access-list 110 permit ip 192.168.4.0 0.0.0.255 any
no access-list 120 permit ip 192.168.4.0 0.0.0.255 any
Sent from Cisco Technical Support iPad App
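The three conditions this answer describes (a split-tunnel `acl` in the client configuration group, `ip nat inside` missing on the virtual-template, and a client pool that the PAT ACL does not cover) can be checked mechanically. The script below is an added example, not part of the thread or of Cisco's tooling; `BEFORE` is a constructed excerpt modelled on the pre-fix running-config posted above, and the group and template names are taken from it.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed excerpt modelled on the thread's pre-fix running-config (not the full config).
BEFORE = """\
crypto isakmp client configuration group VPNGR
 pool SDM_POOL_1
 acl 120
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
ip local pool SDM_POOL_1 192.168.4.3 192.168.4.245
ip nat inside source list 110 interface GigabitEthernet0 overload
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 192.168.4.0 0.0.0.255 any
"""

def parse_sections(config):
    """Map each top-level IOS command to its indented sub-commands."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = line.strip()
            sections.setdefault(current, [])
        elif current:
            sections[current].append(line.strip())
    return sections

def wildcard_network(addr, wildcard):
    """IOS address/wildcard pair -> IPv4Network (0.0.0.255 means /24)."""
    host_bits = sum(bin(int(o)).count("1") for o in wildcard.split("."))
    return IPv4Network(f"{addr}/{32 - host_bits}", strict=False)

def audit_tunnel_all(config, group, vtemplate):
    """Return the gaps that keep Easy VPN clients from using the router's PAT."""
    sec, findings = parse_sections(config), []
    grp = sec.get(f"crypto isakmp client configuration group {group}", [])
    acls = [l.split()[1] for l in grp if l.startswith("acl ")]
    if acls:  # an acl in the group pushes a split-tunnel list to the client
        findings.append(f"split tunnelling via acl {acls[0]} in group {group}")
    if "ip nat inside" not in sec.get(f"interface {vtemplate} type tunnel", []):
        findings.append(f"{vtemplate} lacks 'ip nat inside'")
    pool = next((l.split()[1] for l in grp if l.startswith("pool ")), None)
    pool_def = next((k for k in sec if k.startswith(f"ip local pool {pool} ")), "")
    first_client = IPv4Address(pool_def.split()[4])  # first address handed to clients
    pat_acls = re.findall(r"^ip nat inside source list (\d+) .* overload$", config, re.M)
    pat_nets = [wildcard_network(m[2], m[3]) for m in
                (re.match(r"access-list (\d+) permit ip (\S+) (\S+) any", k) for k in sec)
                if m and m[1] in pat_acls]
    if not any(first_client in n for n in pat_nets):
        findings.append(f"pool {pool} not covered by PAT acl(s) {pat_acls}")
    return findings
```

Run against `BEFORE` it reports all three findings; applying the answer's three changes to the excerpt makes it return an empty list.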
09-05-2013 02:07 AM
Hi, thanks.
It works and I have internet access,
but still, when I connect from my phone with vpncilla and type "what is my IP address" into Google, it is not my home outside address.
09-05-2013 02:08 AM
And here is the sh run:
Router1#sh running-config
Building configuration...
Current configuration : 5710 bytes
!
! Last configuration change at 09:06:51 UTC Thu Sep 5 2013 by cska
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
service-module wlan-ap 0 bootimage autonomous
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1604488384
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1604488384
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-1604488384
certificate self-signed 01
quit
ip source-route
!
!
!
!
ip dhcp pool CISCO
import all
network 192.168.1.0 255.255.255.0
dns-server 195.34.133.21 212.186.211.21
default-router 192.168.1.1
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO892W-AGN-E-K9 sn FCZ1530C209
!
!
username cska privilege 15 secret 5 $1$8j6G$2sMHqIxJX8MQU6vpr75gp1
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNGR
key vpngroup
dns 212.186.211.21 195.34.133.21
wins 8.8.8.8
domain chello.at
pool SDM_POOL_1
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group VPNGR
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
bridge irb
!
!
!
!
interface Loopback0
ip address 192.168.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface GigabitEthernet0
description Internet
mac-address 0023.5a03.b6a5
ip address dhcp client-id GigabitEthernet0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip address 192.168.9.2 255.255.255.0
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip local pool SDM_POOL_1 192.168.4.3 192.168.4.245
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 110 interface GigabitEthernet0 overload
ip nat inside source static tcp 192.168.1.5 3389 interface GigabitEthernet0 3389
ip nat inside source static udp 192.168.1.5 3389 interface GigabitEthernet0 3389
ip nat inside source static tcp 192.168.1.5 21 interface GigabitEthernet0 21
ip nat inside source static udp 192.168.1.5 21 interface GigabitEthernet0 21
ip nat inside source static tcp 192.168.1.4 3389 interface GigabitEthernet0 3390
ip nat inside source static udp 192.168.1.4 3389 interface GigabitEthernet0 3390
ip route 0.0.0.0 0.0.0.0 dhcp
!
logging esm config
access-list 101 permit ip any any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.4.0 0.0.0.255 any
access-list 111 permit tcp any any eq 3389
!
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
privilege level 15
transport preferred ssh
transport input ssh
transport output all
!
end
09-05-2013 02:20 AM
Sending all traffic through the tunnel is only a suggestion from the VPN gateway to the VPN client. With EasyVPN (the VPN implementation we are looking at here) a Cisco client honors that suggestion and tunnels everything through the tunnel. A third-party client can ignore the suggestion and send internet traffic directly to the internet. Often that can be controlled in the settings of the VPN client. Perhaps you will find an option there to switch to "tunnel all".
Sent from Cisco Technical Support iPad App
09-05-2013 11:13 AM
Thanks. It works.