No split-tunnel for software vpn termination on cisco IOS router

jeffdanderson
Level 1

Scenario:

Cisco software vpn client that terminates on a cisco 1760 router.

The VPN works fine right now. The client wants to get rid of split tunnel and wants all internet traffic to go through the 1760 it terminates on. I can't seem to make it work. Could someone please tell me what I need to change to make this happen? The clients would have to hair-pin out the same interface they terminate on. Below is the relevant config.

aaa new-model
!
aaa authentication login userauth local
aaa authentication login clientauth local
aaa authorization network groupauthor local
aaa session-id common
!
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key **********
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group COMPANYvpn
 key **********
 dns 10.4.0.10
 domain domain.com
 pool ippool
 acl 105
crypto isakmp profile L2L
 description LAN-to-LAN for spoke router(s) connection
 keyring spokes
 match identity address 0.0.0.0
crypto isakmp profile VPNclient
 description VPN clients profile
 match identity group COMPANYvpn
 client authentication list clientauth
 isakmp authorization list groupauthor
 client configuration address respond
!
crypto ipsec transform-set COMPANYset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
 set transform-set COMPANYset
 set isakmp-profile VPNclient
 reverse-route
crypto dynamic-map dynmap 10
 set transform-set COMPANYset
 set isakmp-profile L2L
!
crypto map COMPANYmap 10 ipsec-isakmp dynamic dynmap
!
interface Serial0/0:0
 ip nat outside
 crypto map COMPANYmap
!
interface FastEthernet0/0.1
 description Inside LAN Interface
 encapsulation dot1Q 1 native
 ip address 10.4.0.254 255.255.255.0
 ip nat inside
!
ip local pool ippool 172.16.0.1 172.16.0.100
ip nat inside source route-map nonat interface Serial0/0:0 overload
!
access-list 102 deny ip 10.4.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 deny ip 10.4.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 permit ip 172.16.0.0 0.0.0.255 any
access-list 102 permit ip 10.4.0.0 0.0.0.255 any
access-list 105 permit ip 10.4.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 105 permit ip 10.4.0.0 0.0.0.255 10.4.0.0 0.0.0.255
!
route-map nonat permit 102

5 Replies

jackko
Level 7

A loopback interface is required for the NAT inside.

e.g.

int loopback 1
 ip address 1.1.1.1 255.255.255.0
 no shut
 ip nat inside
!
access-list 100 deny ip
access-list 100 permit ip any
!
route-map policy-route permit 10
 match ip address 100
 set ip next-hop 1.1.1.2
!
interface Serial0/0:0
 ip policy route-map policy-route

I tried adding the following to the router with no success. I was able to connect, but internet traffic still went out my gateway, not the router's.

int loopback 1
 ip address 1.1.1.1 255.255.255.0
 no shut
 ip nat inside
!
access-list 100 deny ip 172.16.0.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.0.255 any
!
route-map policy-route permit 10
 match ip address 100
 set ip next-hop 1.1.1.2
!
interface Serial0/0:0
 ip policy route-map policy-route

Were the ACL 100 commands supposed to be applied to the 102 ACL? Like add those entries to the 102 ACL, or is it supposed to be a completely different ACL? I tried it using a completely different ACL number.

Am I supposed to remove the "acl 105" statement from the crypto map?

In the 100 ACL, was 172.16.0.0/24 supposed to be denied from the 1.1.1.0/24 network, or the 10.4.0.0/24 network as I did it?

Do I need to add the 1.1.1.0/24 network to the NAT 102 ACL?

Sorry, I am not really understanding how this is going to make this work. It's above what I currently understand.

Thanks

crypto isakmp client configuration group COMPANYvpn
 key **********
 dns 10.4.0.10
 domain domain.com
 pool ippool
 acl 105

the command "acl 105" needs to be removed.

hcr
Level 1

Hi, I did this yesterday and it works.

access-list 160 permit ip 172.16.0.0 0.0.0.255 any
ip nat inside source list 160 interface Serial0/0:0 overload
!
route-map foreinternet permit 10
 match ip address 160
 set interface Loopback1
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.252
 ip nat inside
!
interface Serial0/0:0
 ip nat outside
 crypto map COMPANYmap
 ip policy route-map foreinternet
!
crypto isakmp client configuration group COMPANYvpn
 no acl 105

Try this, I got it working yesterday.

Best regards Henrik
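The loopback-plus-PBR hairpin that jackko and Henrik describe works because IOS only translates a flow that enters an "ip nat inside" interface and leaves an "ip nat outside" one; a decrypted VPN-client packet enters and leaves Serial0/0:0, so without the policy route it would go to the internet untranslated. The following is an added Python model of that forwarding decision (not from the thread or any Cisco code); it assumes a public address of 203.0.113.1 on Serial0/0:0 and reduces routing to "10.4.0.0/24 is on FastEthernet0/0.1, everything else exits Serial0/0:0".

```python
from ipaddress import IPv4Address

# Constructed model of the thread's hairpin (ACL numbers and interface
# names follow the replies; the Serial address is an assumed TEST-NET-3 value).
ANY = ("0.0.0.0", "255.255.255.255")
ACL_160 = [("permit", "172.16.0.0", "0.0.0.255", *ANY)]               # VPN pool -> anywhere
ACL_100 = [("deny", "172.16.0.0", "0.0.0.255", "10.4.0.0", "0.0.0.255"),  # keep LAN traffic off PBR
           ("permit", "172.16.0.0", "0.0.0.255", *ANY)]
NAT_ROLE = {"Serial0/0:0": "outside", "FastEthernet0/0.1": "inside", "Loopback1": "inside"}
SERIAL_IP = "203.0.113.1"   # assumed public address of Serial0/0:0


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: bits set in the wildcard are ignored."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(src: str, dst: str, acl: list) -> bool:
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False


def forward(src: str, dst: str, ingress: str, pbr_acl=None, nat_acl=ACL_160):
    """Return (egress interface, source address seen on the wire).

    A PBR match hands the packet to Loopback1 and it re-enters forwarding as
    if received on that (nat inside) interface, which is what makes the
    inside-to-outside NAT rule fire on the way back out of Serial0/0:0.
    """
    if pbr_acl is not None and acl_permits(src, dst, pbr_acl):
        ingress = "Loopback1"
    egress = "FastEthernet0/0.1" if wildcard_match(dst, "10.4.0.0", "0.0.0.255") else "Serial0/0:0"
    inside_to_outside = NAT_ROLE[ingress] == "inside" and NAT_ROLE[egress] == "outside"
    if inside_to_outside and acl_permits(src, dst, nat_acl):
        return egress, SERIAL_IP          # overloaded onto the Serial address
    return egress, src                    # no translation on this path


if __name__ == "__main__":
    print(forward("172.16.0.5", "198.51.100.7", "Serial0/0:0"))           # no PBR: leaves untranslated
    print(forward("172.16.0.5", "198.51.100.7", "Serial0/0:0", ACL_100))  # PBR: translated
    print(forward("172.16.0.5", "10.4.0.10", "Serial0/0:0", ACL_100))     # LAN-bound: untouched
```

The first case is the failure the original poster saw: the private pool address is routed out without translation, so the reply can never come back through the tunnel.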

I have a question regarding the NAT statement. Is it possible to have 2 different NAT overload statements on the router? Or do I have to integrate this loopback network into my existing ACL, which uses ACL 102?

I would like to just try this, but since it is a production network, I can't start making changes till I get it right.
