VPN - NAT and Mobile Devices

This probably stretches over a couple of different categories, but I would like to present a general overview of my setup and see if anyone has any ideas.

We are setting up wireless access points on school buses in our district. We are using Cradlepoint MBR1200s as access points with Verizon express cards for internet access. We have configured an IPSEC VPN on our ASA 5520 and have successfully created a peer-to-peer connection from the Cradlepoint. The Cradlepoint is now set up to push all network traffic through the VPN tunnel. I've done this because we want students to have access to local network resources in addition to internet resources, and they need to be filtered (CIPA regulations). I can't enable filtering on the Cradlepoint and still use my local DNS servers for the local traffic, so I have created this setup to force all traffic through the VPN and subsequently through our content filter.

So to summarize how this all goes:

From a laptop I connect to the Cradlepoint via wireless. The laptop gets an IP address (172.16.x.x) from the Cradlepoint. Internet traffic is sent through the VPN.

When traffic arrives at the ASA on the VPN it is forwarded to a separate router:

route Inside 0.0.0.0 0.0.0.0 10.2.0.113 tunneled

This router translates 172.16.x.x to one of a pool of 10.15.x.x addresses:

ip nat log translations syslog
ip nat translation timeout 600
ip nat translation dns-timeout 30
ip nat pool isd31vpn 10.15.0.2 10.15.100.254 netmask 255.255.0.0
ip nat inside source list 1 pool isd31vpn
!
access-list 1 deny   172.16.49.1
access-list 1 deny   172.16.40.1
access-list 1 deny   172.16.1.1
access-list 1 deny   172.16.2.1
access-list 1 permit 172.16.0.0 0.0.255.255

The traffic then defaults to our ASA, where the 10.15.x.x addresses are NAT'ed to a globally routable address. The first NAT process is there to force the traffic onto the local network so that internet traffic from the tunnel is pushed through our content filter.

The relevant parts of the ASA config:

route Inside 0.0.0.0 0.0.0.0 10.2.0.113 tunneled
access-list NONAT extended permit ip any 172.16.0.0 255.255.0.0
nat (Inside) 0 access-list NONAT
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map vpnterm_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map vpnterm_map 20 ipsec-isakmp dynamic vpnterm_dyn_map
crypto map vpnterm_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *

Then there is a NAT configuration that translates all 10.x.x.x addresses to a globally routable IP.

This entire setup works perfectly when I connect a Mac laptop, a Dell laptop running XP and an iPhone to the Cradlepoint via wireless. I get internet access and can see all of the traffic on the router and ASA at my end. It's fantastic. However, I have a Dell tablet PC running Win7 that can connect fine to the Cradlepoint and grab an IP address, but gets nothing to my local network. I try to browse to Google and see no corresponding traffic for that device. I also tried a BlackBerry phone. It also connects to the Cradlepoint fine and gets a valid IP address, and I even see a NAT translation on the first router at my end, but that seems to be where the connection dies.

So I guess I am wondering if anyone has any ideas why this would work fine from some devices and fail on others?
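The two address checks a bus client's packet goes through in the configs above, as an added example that is not part of the original post: the IOS standard ACL uses wildcard masks (bits set are "don't care"), while the ASA NONAT ACL uses a regular subnet mask, and the router's NAT pool hands out one inside-global address per client until it runs out. ACL entries and pool range are the post's; the first-free allocator and its translation table are a simplified assumption for illustration.

```python
import ipaddress

def ip_int(a):
    return int(ipaddress.IPv4Address(a))

def ios_wildcard_match(addr, net, wildcard="0.0.0.0"):
    # IOS standard ACL: set wildcard bits are ignored; no wildcard = host match.
    return (ip_int(addr) | ip_int(wildcard)) == (ip_int(net) | ip_int(wildcard))

def asa_mask_match(addr, net, mask):
    # ASA extended ACL: a normal subnet mask, not a wildcard.
    return (ip_int(addr) & ip_int(mask)) == (ip_int(net) & ip_int(mask))

# access-list 1 from the post, evaluated top down.
ACL1 = [("deny", "172.16.49.1", "0.0.0.0"),
        ("deny", "172.16.40.1", "0.0.0.0"),
        ("deny", "172.16.1.1", "0.0.0.0"),
        ("deny", "172.16.2.1", "0.0.0.0"),
        ("permit", "172.16.0.0", "0.0.255.255")]

def acl1_permits(src):
    for action, net, wc in ACL1:
        if ios_wildcard_match(src, net, wc):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

class NatPool:
    # Models "ip nat pool isd31vpn 10.15.0.2 10.15.100.254" (assumed allocator).
    def __init__(self, first, last):
        self.free = [str(ipaddress.IPv4Address(i))
                     for i in range(ip_int(first), ip_int(last) + 1)]
        self.table = {}  # inside local -> inside global (constructed state)

    def translate(self, src):
        if src in self.table:
            return self.table[src]
        if not self.free:
            return None  # pool exhausted: the router cannot translate this host
        self.table[src] = self.free.pop(0)
        return self.table[src]

POOL = NatPool("10.15.0.2", "10.15.100.254")

def forward_path(src):
    """Address the ASA sees coming back from the router, or None if dropped."""
    if not acl1_permits(src):
        return None
    return POOL.translate(src)

def return_path_exempt(dst):
    # nat (Inside) 0 access-list NONAT: permit ip any 172.16.0.0 255.255.0.0
    return asa_mask_match(dst, "172.16.0.0", "255.255.0.0")
```

Running forward_path for each device's 172.16.x.x address, and return_path_exempt for the reply, is a quick way to confirm that the address itself is neither denied by the ACL nor left untranslated because the pool is full.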
