
cisco ipsec lan-to-lan VPN & cisco VPN client routing problem

Status
Not open for further replies.

petrhofmann

IS-IT--Management
Aug 16, 2010
3
CZ
Hello,

I am really stuck with configuring IPsec site-to-site VPN (hub to spoke, multiple spokes) with Cisco VPN client remote access to this VPN.

The problem is with remote access - Cisco VPN client access - I can communicate with the hub LAN, but I also need communication to all spoke LANs from the Cisco VPN client.

On the spokes there is no Cisco hardware used - there are D-Link routers.

Somebody told me it is possible to use NAT for translating remote access clients to a hub LAN IP and so allow communication, but I am unable to configure it and get it working.

Can somebody help me please?

Thank you

Peter

SPOKES - not Cisco devices / another vendor
HUB Cisco 1841 hsec:
Code:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key x address xx no-xauth
!
crypto isakmp client configuration group x
 key x
 pool vpnclientpool
 acl 190
 include-local-lan
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set 1cisco
!
crypto map ETH0 client authentication list userauthen
crypto map ETH0 isakmp authorization list groupauthor
crypto map ETH0 client configuration address respond
crypto map ETH0 1 ipsec-isakmp
 set peer x
 set transform-set 1cisco
 set pfs group2
 match address 180
crypto map ETH0 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/1
 description $ES_WAN$
 crypto map ETH0
!
ip local pool vpnclientpool 192.168.200.100 192.168.200.150
!
ip nat inside source list LOCAL interface FastEthernet0/1 overload
!
ip access-list extended LOCAL
 deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.7.0 0.0.0.255 any
!
access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
!
!

 
You need to ensure that traffic from the spokes is denied in the NAT process:
Code:
ip access-list extended LOCAL
 deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
 deny ip <spoke1_network> 0.0.0.255 192.168.200.0 0.0.0.255
 deny ip <spoke2_network> 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.7.0 0.0.0.255 any
Also, alter ACL 190 to include the spoke networks.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hello, thank you for your help. I have altered the ACLs:

Code:
ip access-list extended LOCAL
 remark local lan - remote lan A
 deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark local lan - vpn client
 deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
 remark vpn client - remote lan A
 deny ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.7.0 0.0.0.255 any
!
access-list 190 remark local lan - vpn client
access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 190 remark remote lan A - vpn client
access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
!
access-list 180 remark local lan - remote lan A
access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 180 remark vpn client - remote lan A
access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

But I cannot reach remote LAN A from the Cisco VPN clients.

The remote LAN routers are not Cisco devices - they are low-end D-Link VPN routers with a web GUI. I cannot configure the reverse ACL on them. I think that's the problem.

Is it somehow possible to use NAT to translate remote access VPN clients to a local LAN IP and so reach remote LAN A?

Thank you
 
How did you set up the VPN on the spoke devices to begin with? There must be an area where you define the interesting traffic.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hello,

I finally solved the problem - it was exactly on the spoke devices, where the interesting traffic was defined.

Thank you for your help ...
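The thread ends with the fix being on the spoke side, in its interesting-traffic definition. As an added example that is not part of the thread or written by any of its posters, the following Python checker walks one VPN-client-to-spoke flow through the hub's NAT ACL, the hub's crypto ACL and the spoke's (mirrored) policy and reports which of them drops it. It assumes the D-Link policy can be written down in the same permit/deny notation, and the sample ACLs are constructed from the ones posted above.

```python
import ipaddress

def _parse_addr(tok, i):
    """Parse one IOS address spec at tok[i]: 'any' or 'A.B.C.D WILDCARD'."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    mask = ~int(ipaddress.IPv4Address(tok[i + 1])) & 0xFFFFFFFF  # wildcard -> netmask
    return ipaddress.IPv4Network((tok[i], str(ipaddress.IPv4Address(mask)))), i + 2

def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines written in named or numbered ACL syntax."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"]:
            tok = tok[2:]  # drop 'access-list <number>'
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            continue  # ACL header, remarks and unsupported syntax are ignored
        src, i = _parse_addr(tok, 2)
        dst, _ = _parse_addr(tok, i)
        entries.append((tok[0], src, dst))
    return entries

def acl_action(entries, src_ip, dst_ip):
    """First match wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return next((a for a, sn, dn in entries if s in sn and d in dn), "deny")

def hairpin_problems(nat_acl, hub_crypto_acl, spoke_acl, client_ip, spoke_host):
    """List what stops a packet from a VPN client (decrypted at the hub) to a spoke host."""
    problems = []
    if acl_action(parse_acl(nat_acl), client_ip, spoke_host) == "permit":
        problems.append("NAT ACL would translate the flow; deny client pool -> spoke LAN")
    if acl_action(parse_acl(hub_crypto_acl), client_ip, spoke_host) != "permit":
        problems.append("hub crypto ACL does not mark the flow as interesting traffic")
    if acl_action(parse_acl(spoke_acl), spoke_host, client_ip) != "permit":  # mirror image
        problems.append("spoke policy lacks the mirror entry spoke LAN -> VPN client pool")
    return problems

# Constructed sample: the hub ACLs from the thread plus two versions of the spoke policy
# (the D-Link side is written in the same ACL notation only so the check can read it).
HUB_NAT = """ip access-list extended LOCAL
 deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.7.0 0.0.0.255 any"""
HUB_CRYPTO = """access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255"""
SPOKE_BEFORE = "permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255"
SPOKE_AFTER = SPOKE_BEFORE + "\npermit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255"
```

Calling `hairpin_problems(HUB_NAT, HUB_CRYPTO, SPOKE_BEFORE, "192.168.200.101", "192.168.1.10")` reproduces the thread's situation (only the spoke policy is reported), and with `SPOKE_AFTER` the list is empty.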

 