Cisco Support Community
IPSEC VPN - problem with traffic

Hello,
I am trying to do the following:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml#vpn405

I get the VPN established, but can't access the Internet from my client.
I want to get my public IP on the remote client.

Thanks for any help. Have been trying for many hours, failing - so there might be some configuration missing or misplaced.

Altibox#sh run
Building configuration...

Current configuration : 4641 bytes
!
! Last configuration change at 11:38:13 UTC Tue Jan 21 2014 by xxxxx
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Altibox
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 4 uL3ahII.qXcmuiG8zcrkZkgNezrXtDCZ.UPBVEbygK2
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userlist local
aaa authentication enable default enable
aaa authorization exec default local
aaa authorization network default local
aaa authorization network VPNGROUP local
!
!
aaa session-id common
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.15
!
ip dhcp pool LAN
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 domain-name xxxx
 dns-server x.x.x.3 x.x.x.53
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
license udi pid C892FSP-K9 sn FCZ173992BG
!
!
username xxxx privilege 15 secret 4 xxxxxxxxxxxxxxxxxxxxxx
username VPN password 0 vpn
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp nat keepalive 3600
crypto isakmp client configuration address-pool local vpnpool
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group VPNGROUP
 key xxxx
 domain xxxx
 pool vpnpool
 acl 144
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
!
crypto map dynmap client authentication list userlist
crypto map dynmap isakmp authorization list VPNGROUP
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet9
 description *** Outside ***
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map VPN-Client
 duplex auto
 speed auto
 crypto map dynmap
!
interface Vlan1
 description *** LAN ***
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip directed-broadcast
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in max-reassemblies 64
!
ip local pool vpnpool 10.0.1.10 10.0.1.15
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source static tcp 10.0.0.200 80 interface GigabitEthernet9 80
ip nat inside source static tcp 10.0.0.5 8081 interface GigabitEthernet9 8081
ip nat inside source static tcp 10.0.0.5 8080 interface GigabitEthernet9 8080
ip nat inside source static udp 10.0.0.5 8080 interface GigabitEthernet9 8080
ip nat inside source static tcp 10.0.0.253 5002 interface GigabitEthernet9 5002
ip nat inside source static tcp 10.0.0.254 5001 interface GigabitEthernet9 5001
ip nat inside source static tcp 10.0.0.5 1554 interface GigabitEthernet9 1554
ip nat inside source static tcp 10.0.0.5 3389 interface GigabitEthernet9 3389
ip nat inside source static tcp 10.0.0.3 3000 interface GigabitEthernet9 3000
ip nat inside source static tcp 10.0.0.190 3389 interface GigabitEthernet9 4000
ip nat inside source static tcp 10.0.0.3 5000 interface GigabitEthernet9 5000
ip nat inside source static tcp 10.0.0.3 32400 interface GigabitEthernet9 32400
ip nat inside source list 101 interface GigabitEthernet9 overload
ip nat inside source list vpnpool interface GigabitEthernet9 overload
ip route 0.0.0.0 255.255.255.0 xxxxxxxxx
ip route 10.0.1.0 255.255.255.0 Vlan1
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
route-map VPN-Client permit 10
 match ip address 144
 set ip next-hop 10.0.1.2
!
access-list 101 permit ip any any
access-list 101 deny   ip any any
access-list 144 permit ip 192.168.1.0 0.0.0.255 any
access-list 144 permit ip 10.0.1.0 0.0.0.255 any
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 logging synchronous
 transport input all
!
scheduler allocate 20000 1000
!
end

2 REPLIES

Re: IPSEC VPN - problem with traffic

It's been a while but I don't believe the IPSec client allows split tunnel.

Re: IPSEC VPN - problem with traffic

Hello.

Are you trying to access the Internet from the client via the local (client's) IP address, or using NAT on the router?

If using the local IP address, could you please show a trace from the client to any Internet resource?

Your configuration says that interesting traffic is ACL 144. It's used to build "static" routes on the client.

So, you need to extend the ACL.

But I see you are using the same ACL for PBR on the outside interface... not sure why you need this.

At the same time I'm not sure if your current NAT configuration will be able to receive traffic on G9 (encrypted from the client) and NAT it into the same interface.

So, to achieve your goal I would suggest reconfiguring EzVPN with DVTI.

PS: why do you route 10.0.1.0/24 over VL1?

PS2: I see no ACL applied on G9 - have you omitted it only here, or just missed it?
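The checks in the reply above can be run against the running-config instead of by eye: which networks the group's acl actually sends through the tunnel (a full tunnel needs either no acl in the group or a permit ip any any entry), whether the same ACL is reused by a route-map that an interface applies as PBR, and whether each ip nat inside source list statement references an ACL that exists and permits the VPN pool addresses. The script below is an added example, not code from the thread or from Cisco; it parses a constructed excerpt of the posted configuration with secrets elided, understands numbered extended access-lists only, and every function name in it is my own.

```python
"""Audit an IOS EzVPN config for the points raised above: what the group's
split-tunnel ACL tunnels, whether that ACL is reused for PBR on the outside
interface, and which NAT overload statements cover the VPN pool.
Hypothetical helper; understands numbered extended access-lists only."""
import ipaddress
import re

# Constructed excerpt of the running-config posted in the thread (secrets elided).
SAMPLE_CONFIG = """\
crypto isakmp client configuration group VPNGROUP
 pool vpnpool
 acl 144
!
interface GigabitEthernet9
 ip nat outside
 ip policy route-map VPN-Client
!
ip local pool vpnpool 10.0.1.10 10.0.1.15
ip nat inside source list 101 interface GigabitEthernet9 overload
ip nat inside source list vpnpool interface GigabitEthernet9 overload
!
route-map VPN-Client permit 10
 match ip address 144
 set ip next-hop 10.0.1.2
!
access-list 101 permit ip any any
access-list 144 permit ip 192.168.1.0 0.0.0.255 any
access-list 144 permit ip 10.0.1.0 0.0.0.255 any
"""
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny)\s+\S+\s+(.+)$")  # extended ACE

def parse_blocks(text):
    """Group config lines into (top-level command, [indented sub-commands])."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def parse_acl(config, name):
    """[(action, source_network)] for numbered extended ACL `name`; [] if absent."""
    entries = []
    for header, _ in parse_blocks(config):
        m = ACL_RE.match(header)
        if not m or m.group(1) != str(name):
            continue
        t = m.group(3).split()  # source spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'
        if t[0] == "any":
            src = ipaddress.ip_network("0.0.0.0/0")
        elif t[0] == "host":
            src = ipaddress.ip_network(t[1] + "/32")
        else:  # ipaddress accepts (address, hostmask); an IOS wildcard is a hostmask
            src = ipaddress.ip_network((t[0], t[1]), strict=False)
        entries.append((m.group(2), src))
    return entries

def pbr_reuse(config, acl):
    """Route-maps that match `acl`, mapped to the interfaces applying them as PBR."""
    blocks = parse_blocks(config)
    maps = {h.split()[1] for h, subs in blocks
            if h.startswith("route-map ") and f"match ip address {acl}" in subs}
    applied = {}
    for h, subs in blocks:
        for s in subs:
            if h.startswith("interface ") and s.startswith("ip policy route-map "):
                if s.split()[3] in maps:
                    applied.setdefault(s.split()[3], []).append(h.split()[1])
    return applied

def nat_coverage(config, pool):
    """Per 'ip nat inside source list' statement: does its ACL permit the whole pool?"""
    lo, hi = (ipaddress.ip_address(x) for x in pool) if pool else (None, None)
    report = []
    for header, _ in parse_blocks(config):
        p = header.split()
        if p[:5] != ["ip", "nat", "inside", "source", "list"]:
            continue
        entries = parse_acl(config, p[5])
        ok = pool is not None and any(a == "permit" and lo in s and hi in s for a, s in entries)
        report.append((p[5], "acl-not-found" if not entries
                       else "covers-pool" if ok else "does-not-cover-pool"))
    return report

def audit(config, group="VPNGROUP"):
    """Findings for one ISAKMP client configuration group."""
    blocks = parse_blocks(config)
    settings = next((dict((s.split(None, 1) + [""])[:2] for s in subs) for h, subs in blocks
                     if h == f"crypto isakmp client configuration group {group}"), {})
    pool = next((h.split()[4:6] for h, _ in blocks
                 if h.startswith(f"ip local pool {settings.get('pool')} ")), None)
    acl = settings.get("acl")
    tunneled = [str(src) for a, src in parse_acl(config, acl) if a == "permit"]
    return {
        "split_tunnel_acl": acl,
        "tunneled_networks": tunneled,
        # no 'acl' in the group, or 'permit ip any any' in it, means a full tunnel
        "full_tunnel": acl is None or "0.0.0.0/0" in tunneled,
        "pbr_reuse": pbr_reuse(config, acl),
        "nat": nat_coverage(config, pool),
    }
```

Calling audit(SAMPLE_CONFIG) on the excerpt reports ACL 144 tunnelling only 192.168.1.0/24 and 10.0.1.0/24 (so no full tunnel), the VPN-Client route-map reusing that ACL on GigabitEthernet9, and of the two NAT overload statements only list 101 resolving to an ACL that covers the pool; swapping the group's acl for one with a permit ip any any entry, or removing it, flips full_tunnel to True.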