VPN Split Tunneling

Hi there,

I would appreciate it if someone could help me solve this problem: I'm trying to configure a VPN with split tunneling to access a servers' LAN. I've just configured the VPN server on a router with IOS and I'm trying to connect with a Cisco VPN Client.

I can connect to the router VPN without problem (ping is working) but I'm not able to reach the server behind it.

The topology is:

                                    ______________
              ---- 192.168.235.0/26 ---|              |---- 192.168.2.150/30 ----
  ---LAN SERVER---|                    |    ROUTER    |                           |------WAN
              ---- 192.168.9.65/26 ----|______________|---- 192.168.9.1/26 -------
                  (secondary address)                     (secondary address)

I can reach the router's IPs after setting up the VPN without problems.

The configuration of the interfaces and the NAT is:

interface GigabitEthernet0/0
 description LAN
 ip address 192.168.235.1 255.255.255.192 secondary
 ip address 192.168.9.65 255.255.255.192
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed 100
 no cdp enable
!
!
interface GigabitEthernet0/1
 description WAN sw01.mad2 Fa9/42
 ip address 192.168.9.1 255.255.255.192 secondary
 ip address 192.168.2.150 255.255.255.252
 ip access-group 110 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
 no cdp enable
 crypto map dynmap
!
ip nat inside source static 192.168.235.2 192.168.9.2
ip nat inside source static 192.168.235.3 192.168.9.3
ip nat inside source static 192.168.235.4 192.168.9.4
.....
ip nat inside source static 192.168.235.61 192.168.9.61
ip nat inside source static 192.168.235.62 192.168.9.62
!
ip route 0.0.0.0 0.0.0.0 192.168.2.149


And the configuration for the VPN is (I can connect to the router without problem, so I think the problem is in the NAT part):

aaa authentication login vpn-login local
aaa authorization network g-groupname local
!
username user password user1.
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
crypto isakmp xauth timeout 60
crypto isakmp client configuration group g-groupname
 key xxxxxxxx
 dns x.x.x.x
 pool dynpool
 acl 150
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
!
crypto map dynmap client authentication list vpn-login
crypto map dynmap isakmp authorization list g-groupname
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
ip local pool dynpool 192.168.235.128 192.168.235.132
!
access-list 150 remark VPN
access-list 150 permit ip 192.168.235.0 0.0.0.255 any
access-list 150 permit ip 192.168.9.0 0.0.0.127 any
access-list 150 permit ip 192.168.2.150 0.0.0.3 any

As I've just said, I think the problem could be in the NAT but I don't know where...

I would appreciate any help.

Thanks in advance,

5 REPLIES

Re: VPN Split Tunneling

Is the "LAN SERVER" a different address range than either of the two that you have on your inside interface?

"Split tunneling" would mean you want to reach only certain networks through the VPN, but allow the client to reach the rest of the Internet unencrypted. It is just a modification of a basic setup.

It looks like the basic setup is where the problem lies:

Your pool is handing out addresses which are not inside the inside interface range. Normally you would give out addresses on 192.168.236.0/26 to your VPN clients (or the secondary block) and allow proxy arp to help layer 2 devices find them.

Your addresses are in 192.168.236.128/26(+). This would require a router to have a block route to the VPN's inside interface, or to do dynamic route injection into a protocol. Also you'll need routes on the VPN to the "LAN SERVER block" not just a default route, and depending on the platform you may need access-lists to punch holes through default security.

Unless the VPN is also the default router (???) in which case routing should be OK as long as you are sure the traffic to 192.168.236.128/26(+) is not being routed to NULL0 somewhere then I would look at access lists first.
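The two conditions raised in this reply (pool addresses outside the inside interface's subnets, and pool addresses that collide with static NAT inside-local hosts, which is what the later change to 192.168.235.61-62 runs into) can be checked mechanically. This is an added troubleshooting aid, not code from the thread; the config excerpt is a constructed subset of the posted configuration.

```python
import ipaddress
import re

# Constructed excerpt of the IOS config posted above (inside interface, two of
# the many static NAT entries, and the VPN address pool).
CONFIG = """
interface GigabitEthernet0/0
 ip address 192.168.235.1 255.255.255.192 secondary
 ip address 192.168.9.65 255.255.255.192
 ip nat inside
ip nat inside source static 192.168.235.2 192.168.9.2
ip nat inside source static 192.168.235.62 192.168.9.62
ip local pool dynpool 192.168.235.128 192.168.235.132
"""


def parse(config):
    """Collect interface subnets, static NAT inside-local hosts and the pool range."""
    subnets, nat_locals, pool = [], [], None
    for line in config.splitlines():
        m = re.match(r"\s*ip address (\S+) (\S+)", line)
        if m:  # dotted netmask is accepted by ip_network; strict=False keeps the host bits
            subnets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        m = re.match(r"ip nat inside source static (\S+) (\S+)", line)
        if m:
            nat_locals.append(ipaddress.ip_address(m[1]))
        m = re.match(r"ip local pool \S+ (\S+) (\S+)", line)
        if m:
            pool = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
    return subnets, nat_locals, pool


def check_pool(config):
    """Return findings about the VPN pool relative to the inside interface and static NAT."""
    subnets, nat_locals, (lo, hi) = parse(config)
    pool_hosts = [ipaddress.ip_address(a) for a in range(int(lo), int(hi) + 1)]
    findings = []
    # Pool not covered by any interface subnet: clients need a route or proxy ARP to be reached.
    if not any(all(h in s for h in pool_hosts) for s in subnets):
        findings.append("pool outside every inside-interface subnet: needs a route or proxy-ARP")
    # Pool host that is also a static NAT inside-local: the translation hijacks the client's address.
    clash = [str(h) for h in pool_hosts if h in nat_locals]
    if clash:
        findings.append("pool hosts also used as static NAT inside-local: " + ", ".join(clash))
    return findings


if __name__ == "__main__":
    for finding in check_pool(CONFIG):
        print(finding)
```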


Re: VPN Split Tunneling

Hello,

I've changed the configuration. Now VPN users receive an IP from the interface range:

    ip local pool dynpool 192.168.235.61 192.168.235.62

And I deleted these two entries in the NAT configuration:

no ip nat inside source static 192.168.235.62 213.190.9.62
no ip nat inside source static 192.168.235.61 213.190.9.61

Also, I've modified the list of networks allowed to use the VPN split tunneling to:

access-list 150 remark VPN
access-list 150 permit ip 192.168.235.0 0.0.0.63 any

But it doesn't work..

The routes are:

#sh ip route 192.168.235.62
Routing entry for 192.168.235.62/32
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * x.x.x.x, via GigabitEthernet0/1
      Route metric is 0, traffic share count is 1

It looks ok to me..

I believe that the problem is the NAT configuration; maybe I should make an exception in this translation:

ip nat inside source static 192.168.235.2 213.190.9.2
ip nat inside source static 192.168.235.3 213.190.9.3

..

What do you think?

Regarding your question, I apologize but I don't understand what you mean:

"Is the "LAN SERVER" a different address range than either of the two that you have on your inside interface?"

Many thanks,

Message edited by: Ramon_Pelaez

Re: VPN Split Tunneling

Hi,

After the changes I made before, I realized that the ACL with the list of networks allowed to use the VPN split tunneling was OK, so I've deleted my changes and finally the ACL is:

access-list 150 remark VPN
access-list 150 permit ip 192.168.235.0 0.0.0.255 any
access-list 150 permit ip 213.190.9.0 0.0.0.127 any
access-list 150 permit ip 213.190.2.150 0.0.0.3 any

Also, I've checked that the pool can be in a different address block, so I've changed it to:

ip local pool dynpool 192.168.10.128 192.168.10.132

In the tests I did, I can ping from the router to my computer (with the VPN session):

>tracert 192.168.235.1

Traza a 192.168.235.1 sobre caminos de 30 saltos como máximo.

  1      57 ms     51 ms     59 ms  192.168.235.1

Trace complete.

And I can ping from the router to the servers:

#traceroute 192.168.235.3

Type escape sequence to abort.
Tracing the route to 192.168.235.3

  1  192.168.235.3 0 msec 0 msec 0 msec


But when I try to ping from my computer to the servers, I can't reach them:

>tracert 192.168.235.3

Traza a 192.168.235.3 sobre caminos de 30 saltos como máximo.

  1        57 ms     51 ms     59 ms  192.168.2.150
  2        *     *     *
  3        *  ^C

I tried a few configurations but I can't solve this problem...

Maybe it's a problem with the routing, but how can I solve it?

b.julin, you said:

"Your addresses are in 192.168.236.128/26(+). This would require a router to have a block route to the VPN's inside interface, or to do dynamic route injection into a protocol. Also you'll need routes on the VPN to the "LAN SERVER block" not just a default route, and depending on the platform you may need access-lists to punch holes through default security."

But I don't know how, because as I explained before I checked the routes and they look OK to me; should I write a new static route?

I've also realized that when I ping my computer from the router a new ARP entry turns up; is that normal?

#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  my_public_IP             0   Incomplete      ARPA
Internet  192.168.235.1           -   68ef.bd13.0e98  ARPA   GigabitEthernet0/0
...

Many thanks,


Re: VPN Split Tunneling


I assume your computer is in the 192.168.10.X pool?

Try adding the 192.168.10.X addresses to the ACL.  I don't know how that works exactly on a router as opposed to an ASA, but on ASA you either have to do that, or use "sysopt connection permit-vpn" (probably not available on the router).

Also you need to ensure the crypto-map is either an undefined (no match address statement) dynamic map, or is classifying traffic from the pool to the 135 network as tunnelled.


Re: VPN Split Tunneling

Regarding your questions:

"I assume your computer is in the 192.168.10.X pool?"

Yes, it is.

"Try adding the 192.168.10.X addresses to the ACL. I don't know how that works exactly on a router as opposed to an ASA, but on ASA you either have to do that, or use "sysopt connection permit-vpn" (probably not available on the router)."

I tried this before but it didn't work.

"Also you need to ensure the crypto-map is either an undefined (no match address statement) dynamic map, or is classifying traffic from the pool to the 135 network as tunnelled."

I assume it is correct, but I'll copy it here again in case you see something wrong:

crypto isakmp client configuration group g-groupname
 key xxxxxxxxxxx
 dns x.x.x.x
 pool dynpool
 acl 150
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
!
crypto map dynmap client authentication list vpn-login
crypto map dynmap isakmp authorization list g-groupname
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
ip local pool dynpool 192.168.10.128 192.168.10.132
!
interface GigabitEthernet0/1
 crypto map dynmap

Thanks again,
