Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Public Internet on a Stick - Can't access remote or local LAN

Hi,

I've used the following link to configure VPN access and have internet routed via the terminating router.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

My issue is when connected to the VPN i can't access the remote LAN or my local LAN. Is it possible to access the remote and local LAN with this setup?

The strange thing is that I can actually access my router using the bvi1 address but when I trace to my server address .250 it tries to go straight out the internet.

Pretty much I’d love to be able to RDP to my home server (172.16.1.250) from works network (192.168.14.0 /24) yet still be able to access work resources and have all my internet traffic routed and encrypted by my home router.

I've attached the relevant config.

Any help would be much appreciated.

Cheers.

ip nbar custom CiscoVPN udp 4500
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.1.100 172.16.1.110
ip dhcp excluded-address 172.16.1.250
ip dhcp excluded-address 172.16.1.254
!
ip dhcp pool LAN
   network 172.16.1.0 255.255.255.0
   default-router 172.16.1.254
   dns-server x
   domain-name x
   lease 2
!
!
ip cef
ip domain lookup source-interface Dialer1
ip domain name x
ip name-server x
ip inspect tcp reassembly queue length 500
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ddns-v3
ip inspect name FW ntp
ip inspect name FW dns
ip inspect name FW http
ip inspect name FW sip
ip inspect name FW smtp
ip inspect name FW tftp
ip inspect name FW ftp
ip inspect name FW icmp
ip inspect name FW h323
ip inspect name FW rtsp
ip ddns update method DynDNS
HTTP
  add
http://x.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 1 0 0 0
interval minimum 0 0 30 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
vpdn session-limit 1
!
vpdn-group TEST
! Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key x
dns x1
domain x
pool CiscoVPN
!
!
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
class-map match-any VoIP_Traffic
match ip dscp ef
match protocol sip
match protocol skype
match protocol h323
match protocol rtp
match access-group name iPhone
class-map match-any VoIP_OUT
match class-map VoIP_Traffic
class-map match-any VoIP_IN
match class-map VoIP_Traffic
!
!
bridge irb
!
!
interface Loopback0
description *** VPN User ***
ip address 1.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Null0
no ip unreachables
!
interface ATM0
description *** Internet Network ***
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl enable-training-log
!
interface ATM0.835 point-to-point
description *** DSL Internet ***
ip virtual-reassembly
pvc 8/35
  tx-ring-limit 3
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
description *** PS3 ***
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet1
description *** VoIP ***
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet2
description *** NAS/Spare ***
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet3
description *** SERVER ***
duplex full
speed 100
spanning-tree portfast
!
interface Virtual-Template1
description *** PPTP VPN Access Interface ***
ip unnumbered BVI1
peer default ip address pool VPN_Pool
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2 callin
!
interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption mode ciphers aes-ccm tkip
!
broadcast-key change 60
!
!
ssid x
!
no short-slot-time
speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
channel 2412
station-role root
world-mode dot11d country AU outdoor
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description *** Bridging VLAN ***
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
hold-queue 100 out
!
interface Dialer1
description *** iiNet ADSL2+ PPPoA ***
bandwidth 9000
ip ddns update hostname x
ip ddns update DynDNS host members.dyndns.org
ip address negotiated
ip access-group FW_INBOUND in
ip mtu 1492
ip nbar protocol-discovery
ip nat outside
ip inspect FW out
ip virtual-reassembly max-fragments 16 max-reassemblies 64 timeout 5
encapsulation ppp
ip tcp adjust-mss 1452
ip policy route-map VPN-Client
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp pap sent-username x password x
crypto map clientmap
!
interface BVI1
description *** Casa LAN (Bridging Interface for Ethernet and Wireless) ***
ip address 172.16.1.254 255.255.255.0
ip directed-broadcast 12
ip accounting output-packets
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip local pool VPN_Pool 172.16.1.100 172.16.1.105
ip local pool CiscoVPN 10.1.1.1 10.1.1.2
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http secure-server
!
!
ip nat inside source list HTTP_Traffic interface Dialer1 overload
ip nat inside source static udp 172.16.1.250 6661 interface Dialer1 6661
ip nat inside source static tcp 172.16.1.250 6661 interface Dialer1 6661
ip nat inside source static tcp 172.16.1.250 3389 interface Dialer1 3389
ip nat inside source static udp 172.16.1.255 9 interface Dialer1 9
!
ip access-list extended FW_INBOUND
remark *** SIP Ports ***
permit udp host 203.55.231.194 eq 5060 any range 0 65535
permit udp host 203.55.231.194 range 35000 44999 any range 0 65535
remark *** DynDNS.org ***
permit tcp host x any
remark *** iiNet DNS & NTP ***
permit ip host 203.0.178.191 any
remark *** WOL URL ***
permit udp host 82.110.108.30 any eq discard
deny   icmp any any fragments
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any packet-too-big
deny   icmp any any
deny   ip any any log
ip access-list extended HTTP_Traffic
deny   ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any
!
access-list 12 remark *** ACL to control source of directed-broadcasts ***
access-list 12 permit 82.110.108.30
access-list 22 permit 10.1.1.1
access-list 22 remark *** Telnet & SSH Access ***
access-list 22 permit x
access-list 22 permit x
access-list 22 permit 172.16.0.0 0.0.255.255
access-list 22 deny   any log
access-list 144 permit ip 10.1.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
arp 172.16.1.250 x ARPA
!
!
!
!
route-map VPN-Client permit 10
description *** Cisco VPN PBR to trombone Internet ***
match ip address 144
set ip next-hop 1.1.1.2
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
        *****************************  ECODE G3023 *********************************
        *                                                                          *
        *  Access by authorized personnel only. If you are not an authorized R&R   *
        *                    staff member, then ! DISCONNECT NOW !                 *
        *                                                                          *
        *     Legal penalties for illegal access/modification/deletion of data     *
        *           carry sentences of up to 10 years imprisonment.                *
        *                                                                          *
        ****************************************************************************
^C
alias exec speed show dsl int atm 0 | inc Speed
alias exec class sho run | b class-map
alias exec policy sho run | b policy-map
alias exec acl sho run | b access-list
alias exec traffic sho ip nbar protocol-discovery stats bit-rate top-n 10
!
line con 0
exec-timeout 0 0
no modem enable
transport preferred none
line aux 0
no exec
line vty 0 4
access-class 22 in
exec-timeout 20 0
privilege level 15
login authentication userauthen
transport input x
!
scheduler max-task-time 5000
ntp logging
ntp server x prefer
end

8 REPLIES
Silver

Re: Public Internet on a Stick - Can't access remote or local LA

If I understand correctly you'd like a 'split tunnel'  Give this a try:



access-list 10 remark *** Split Tunnel ***
access-list 10 permit 172.16.1.0 0.0.0.255

crypto isakmp client configuration group vpnclient
acl 10
exit


Chris

New Member

Re: Public Internet on a Stick - Can't access remote or local LA

Hi Chris thanks for the reply.

I actually tried that before, but with an extended ACL. No go.

For some reason i can't even ping the router interface .254 when this ACL is applied.

Any other thoughts?

New Member

Re: Public Internet on a Stick - Can't access remote or local LA

This is fine but is there any one can say me how i can stop this issue permantly.

New Member

Re: Public Internet on a Stick - Can't access remote or local LA

BUMP

Any other thoughts ladies and gents?

Silver

Re: Public Internet on a Stick - Can't access remote or local LA

Don't use an extended ACL.  The split-tunnel feature utilizes a standard ACL.



Chris

New Member

Re: Public Internet on a Stick - Can't access remote or local LA

Hi Chris,

are you sure? i just tired applying a standard ACL and it doesn't let me.

(config)#crypto isakmp client configuration group vpnclient
(config-isakmp-group)#acl 10
%Invalid access list name 10

(config-isakmp-group)#acl ?
  <100-199>  access-list number for split-tunneling
  WORD       Access-list name

looks like only extended ACL's work. I've applied the follwoing:

ip access-list extended SplitTunnel

permit ip 172.16.1.0 0.0.0.255 any
deny   ip any any log

But now my internet is being router through works internet link and i can't even ping .254 which i was able to do without the ACL applied. Logic says if I can get to 172.16.1.254 I should be able to get to .250. Why can't I!!!!!

Here's a capture of the VPN client stats

Cheers,

James

Silver

Re: Public Internet on a Stick - Can't access remote or local LA

Sorry James, I stand corrected!  You are correct, it's an extended ACL.



Chris

New Member

Re: Public Internet on a Stick - Can't access remote or local LA

Hi Christopher,

Please can u expalin me by PM about ACL.

488
Views
0
Helpful
8
Replies
CreatePlease to create content