11-16-2005 05:22 PM
Scenario:
Cisco software vpn client that terminates on a cisco 1760 router.
The VPN works fine right now. The client wants to get rid of split tunnelling and wants all Internet traffic to go through the 1760 it terminates on. I can't seem to make it work. Could someone please tell me what I need to change to make this happen? The clients would have to hairpin out the same interface they terminate on. Below is the relevant config.
aaa new-model
!
!
aaa authentication login userauth local
aaa authentication login clientauth local
aaa authorization network groupauthor local
aaa session-id common
crypto keyring spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key **********
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group COMPANYvpn
key **********
dns 10.4.0.10
domain domain.com
pool ippool
acl 105
crypto isakmp profile L2L
description LAN-to-LAN for spoke router(s) connection
keyring spokes
match identity address 0.0.0.0
crypto isakmp profile VPNclient
description VPN clients profile
match identity group COMPANYvpn
client authentication list clientauth
isakmp authorization list groupauthor
client configuration address respond
!
!
crypto ipsec transform-set COMPANYset esp-3des esp-sha-hmac
!
!
crypto dynamic-map dynmap 5
set transform-set COMPANYset
set isakmp-profile VPNclient
reverse-route
crypto dynamic-map dynmap 10
set transform-set COMPANYset
set isakmp-profile L2L
!
!
!
crypto map COMPANYmap 10 ipsec-isakmp dynamic dynmap
interface Serial0/0:0
ip nat outside
crypto map COMPANYmap
interface FastEthernet0/0.1
description Inside LAN Interface
encapsulation dot1Q 1 native
ip address 10.4.0.254 255.255.255.0
ip nat inside
ip local pool ippool 172.16.0.1 172.16.0.100
ip nat inside source route-map nonat interface Serial0/0:0 overload
access-list 102 deny ip 10.4.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 deny ip 10.4.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 permit ip 172.16.0.0 0.0.0.255 any
access-list 102 permit ip 10.4.0.0 0.0.0.255 any
access-list 105 permit ip 10.4.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 105 permit ip 10.4.0.0 0.0.0.255 10.4.0.0 0.0.0.255
route-map nonat permit 102
 match ip address 102
11-16-2005 08:16 PM
A loopback interface is required for the NAT inside.
e.g.
int loopback 1
ip address 1.1.1.1 255.255.255.0
no shut
ip nat inside
access-list 100 deny ip
access-list 100 permit ip
route-map policy-route permit 10
match ip address 100
set ip next-hop 1.1.1.2
interface Serial0/0:0
ip policy route-map policy-route
11-16-2005 09:02 PM
I tried adding the following to the router with no success. I was able to connect, but Internet traffic still went out my gateway, not the router's.
int loopback 1
ip address 1.1.1.1 255.255.255.0
no shut
ip nat inside
access-list 100 deny ip 172.16.0.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.0.255 any
route-map policy-route permit 10
match ip address 100
set ip next-hop 1.1.1.2
interface Serial0/0:0
ip policy route-map policy-route
Were the ACL 100 commands supposed to be applied to the 102 ACL? Like, add those entries to the 102 ACL, or is it supposed to be a completely different ACL? I tried it using a completely different ACL number.
Am I supposed to remove the "acl 105" statement from the crypto map?
In the 100 ACL, was 172.16.0.0/24 supposed to be denied from the 1.1.1.0/24 network, or from the 10.4.0.0/24 network, as I did it?
Do I need to add the 1.1.1.0/24 network to the NAT 102 ACL?
Sorry, I am not really understanding how this is going to make this work. It's above what I currently understand.
Thanks
11-16-2005 09:16 PM
crypto isakmp client configuration group COMPANYvpn
key **********
dns 10.4.0.10
domain domain.com
pool ippool
acl 105
the command "acl 105" needs to be removed.
11-17-2005 12:54 AM
Hi, I did this yesterday and it works:
access-l 160 permit ip 172.16.0.0 0.0.0.255 any
ip nat inside source list 160 interface Serial0/0:0 overload
route-map foreinternet permit 10
match ip address 160
set interface Loopback1
interface Loopback1
ip address 10.1.1.1 255.255.255.252
ip nat inside
!
interface Serial0/0:0
ip nat outside
crypto map COMPANYmap
ip policy route-map foreinternet
crypto isakmp client configuration group COMPANYvpn
no acl 105
Try this, I got it working yesterday.
Best regards Henrik
11-17-2005 12:46 PM
I have a question regarding the NAT statement. Is it possible to have two different NAT overload statements on the router? Or do I have to integrate this loopback network into my existing ACL, which uses ACL 102?
I would like to just try this, but since it is a production network, I can't start making changes till I get it right.
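The following is an added example, not the running config of any poster in this thread: it consolidates the three changes the replies describe (drop the split-tunnel ACL from the client group, add a NAT-inside loopback, policy-route decrypted client traffic toward it) into one set of commands for the asker's 1760. Addresses and interface names come from the thread (LAN 10.4.0.0/24, client pool 172.16.0.0/24, outside Serial0/0:0, the existing route-map nonat / ACL 102 NAT statement). The loopback subnet 10.1.1.0/30, the ACL number 100, the route-map name policy-route and the treatment of 10.10.10.0/24 as the spoke LAN are assumptions taken from the earlier posts and from ACL 102.

```cisco
! Added example (not a poster's config). Assumed: loopback 10.1.1.0/30,
! ACL 100 / route-map policy-route for PBR, 10.10.10.0/24 = spoke LAN.
!
! 1. Turn off split tunnelling. With no "acl" line under the client group
!    the VPN client sends all traffic, Internet included, into the tunnel.
crypto isakmp client configuration group COMPANYvpn
 no acl 105
!
! 2. NAT-inside loopback. Decrypted client packets arrive on Serial0/0:0
!    (nat outside) and would leave the same outside interface, so
!    inside->outside NAT never fires. Policy-routing them at the loopback
!    makes them enter through an "inside" interface before the second
!    routing lookup sends them back out the serial.
interface Loopback1
 ip address 10.1.1.1 255.255.255.252
 ip nat inside
!
! 3. Policy-route only client->Internet traffic. Client->LAN and
!    client->spoke traffic must not be policy-routed or translated.
access-list 100 deny   ip 172.16.0.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 100 deny   ip 172.16.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.0.255 any
!
route-map policy-route permit 10
 match ip address 100
 set ip next-hop 10.1.1.2
!
! 4. Apply the policy map on the interface the tunnel terminates on,
!    next to the crypto map. Henrik's variant uses "set interface Loopback1"
!    in the route-map instead of a next-hop address on the loopback subnet.
interface Serial0/0:0
 ip nat outside
 crypto map COMPANYmap
 ip policy route-map policy-route
!
! 5. Keep the single existing overload statement. ACL 102 already contains
!    "permit ip 172.16.0.0 0.0.0.255 any", so client traffic that is looped
!    through Loopback1 is PAT'ed to the Serial0/0:0 address; no second
!    "ip nat inside source ... overload" statement is needed.
ip nat inside source route-map nonat interface Serial0/0:0 overload
!
! Checks after a client connects and opens a web page:
!   show ip nat translations      172.16.0.x -> Serial0/0:0 address entries appear
!   show route-map policy-route   "Policy routing matches" counter increases
!   show crypto ipsec sa          encaps/decaps counters increase on the client SA
```

Order matters on a production box: remove the split-tunnel ACL last, and only after the loopback and policy map are in place, so that clients reconnecting in the meantime do not lose Internet access while their traffic is still routed back out the serial interface untranslated.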