EasyVPN and split tunneling


greenemk (Technical User), Aug 16, 2006
Before anyone starts in on me, I've been searching this forum and trying numerous fixes for my problem, but it's still not working. I have an 871 that is set up as an Easy VPN server. Clients are able to connect, but I can't reach any machines on the local LAN. I tried the split tunneling ACL and the allow-local-lan command on the isakmp client config, but no luck. The VPN clients and the local LAN clients are in two different subnets, with only the LAN clients being NATed. Any idea?

Code:
Building configuration...

Current configuration : 7142 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname WAN_GW
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-2569158632
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2569158632
revocation-check none
rsakeypair TP-self-signed-2569158632
!
!
crypto pki certificate chain TP-self-signed-2569158632
certificate self-signed 01
3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32353639 31353836 3332301E 170D3130 30333130 31373534
34325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35363931
35383633 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AFFF DFB06F21 9005796E 65C5573D A42BF61D EB4958E7 D0A993C9 30627ADC
14728BC3 6DBD2955 44197289 A28C96B1 9A205C9E 331FBF87 2C2A8D21 7852BE4D
77CB7846 9BA40774 B060CB2E 8DD39D97 635DE36E 5ADDDDCB 5EB721CE 11F49E34
2A8320E6 8843A561 BBB4EEA4 782B86BB 4FDD22A3 EF190EDC A5727A0D 838FC3E1
80170203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
551D1104 0A300882 0657414E 5F475730 1F060355 1D230418 30168014 8C38C012
6AF60385 0646106E 9FC5162F 991875FD 301D0603 551D0E04 1604148C 38C0126A
F6038506 46106E9F C5162F99 1875FD30 0D06092A 864886F7 0D010104 05000381
81006883 BCE63968 33B062F2 A3983D39 1099FCBD 84DB8A2A FAD41793 791AD543
46B5F358 C4E2CE70 6873370D 8373F3F0 01C69D5B 939C80D2 835F5830 7F8BC46E
0606FA9D 84BED89D 376EA110 568B7D5C 0317F059 B64E6EAB 19485384 E8ECDD35
EE620FC1 607D3DBB 5224B4F4 7D6E527B 86974765 FB3A0918 43627DB9 F23D1566 1D2F
quit
dot11 syslog
no ip source-route
!
!
ip nbar port-map custom-01 tcp 5001
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool LAN
utilization mark high 10 log
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 208.67.222.222 208.67.220.220
!
!
ip cef
no ip bootp server
ip name-server 208.67.222.222
ip name-server 208.67.220.220
no ipv6 cef
!
multilink bundle-name authenticated
!
password encryption aes
!
!
username mg privilege 15 secret 5 <removed>
!
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group iPhone3G
key XXXXXXXX
dns 208.67.222.222 208.67.220.220
pool REMOTE
acl 103
save-password
netmask 255.255.255.0
banner ^CWelcome Home MG!!! ^C
crypto isakmp profile ciscocp-ike-profile-1
match identity group iPhone3G
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set iPhone4 esp-aes esp-md5-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set iPhone4
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile Remote
set transform-set iPhone4
!
!
crypto ctcp port 10000
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
!
class-map match-any Media_Stream
match protocol custom-01
class-map match-any WEB
match protocol http
match protocol dns
class-map match-any Skype
match protocol skype
!
!
policy-map CCP-QoS-Policy-1
class Skype
bandwidth percent 50
class Media_Stream
bandwidth percent 20
class WEB
bandwidth percent 20
class class-default
fair-queue
random-detect
policy-map CCP-QoS-Policy-2
class class-default
shape average 1800000
service-policy CCP-QoS-Policy-1
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp
ip access-group outside in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet4
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
ip local pool REMOTE 10.0.0.1 10.0.0.10
ip forward-protocol nd
ip http server
ip http access-class 2
ip http secure-server
!
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 30
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.10 5001 interface FastEthernet4 5001
ip nat inside source static tcp 192.168.1.145 5223 interface FastEthernet4 5223
ip nat inside source static udp 192.168.1.145 3479 interface FastEthernet4 3479
ip nat inside source static udp 192.168.1.145 3658 interface FastEthernet4 3658
ip nat inside source static udp 192.168.1.145 3478 interface FastEthernet4 3478
!
ip access-list standard internal_net
permit 192.168.1.0 0.0.0.255
!
ip access-list extended outside
permit tcp any any eq 1723
permit udp any any eq ntp
permit tcp any any established
permit gre any any
permit udp any eq 3074 any
permit tcp any eq 3074 any
permit udp any any eq 3074
permit tcp any any eq 5001
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp any eq domain any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
deny ip any any log
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=16
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 101 permit ip any any
access-list 103 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
no cdp run

!
!
!
!
!
control-plane
!
banner login ^CCCTHIS IS MY SHIT...ACCESS IS DENIED!!!!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class internal_net in
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 131.107.1.10
end

CCNA, CCNP, Sec+
 
try this:
Code:
! NAT exemption: deny LAN -> VPN client pool so the reply is not translated
! before it goes back into the tunnel; everything else from the LAN is still
! translated as before.
ip access-list extended nat_acl
 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
! Route-map that references the new ACL for the overload (PAT) rule
route-map rmap_nat permit 10
 match ip address nat_acl
!
! Replace the list-based NAT statement with the route-map-based one
no ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source route-map rmap_nat interface FastEthernet4 overload

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks unclerico, that worked like a champ. I have two questions though. Any benefit using a route-map vice a regular ACL? I assume that the VPN client configuration was correct with ACL 103 allowing LAN traffic back through the tunnel, but the return traffic was getting NATed by not denying the VPN subnet in ACL 1?

CCNA, CCNP, Sec+
 
> Any benefit using a route-map vice a regular ACL?

Not that I know of. It's just how I always configure it. You could have just added the deny ACE to your existing ACL and it would have worked fine.

> I assume that the VPN client configuration was correct with ACL 103 allowing LAN traffic back through the tunnel, but the return traffic was getting NATed by not denying the VPN subnet in ACL 1?

You got it.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
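An added check, not part of the thread and not either poster's config: a small Python model of IOS first-match ACL evaluation, run against the original `access-list 1`, unclerico's `nat_acl` above, and `access-list 103` from the posted config. It shows the point made in the last two posts: with `access-list 1`, a LAN host's reply to a VPN client in the 10.0.0.0/24 pool matches the NAT ACL and gets translated, so it never returns through the tunnel; with the deny ACE first, the same packet is exempt from NAT while LAN-to-Internet traffic is still translated, and the deny ACE must sit above the permit because the first match wins. The host addresses 192.168.1.50, 10.0.0.3 and 198.51.100.7 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry in IOS form: action, source spec, destination spec.
    A spec is either "any" or "<network> <wildcard>" (wildcard bits set = don't care).
    Standard ACLs such as access-list 1 look only at the source, so dst defaults to any."""
    action: str            # "permit" or "deny"
    src: str
    dst: str = "any"


def matches_wildcard(addr: str, spec: str) -> bool:
    """IOS wildcard match: compare only the bits that are 0 in the wildcard mask."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def acl_action(acl: List[Ace], src: str, dst: str) -> str:
    """Top-down, first match wins; a packet matching nothing hits the implicit deny."""
    for ace in acl:
        if matches_wildcard(src, ace.src) and matches_wildcard(dst, ace.dst):
            return ace.action
    return "deny"


def is_translated(nat_acl: List[Ace], src: str, dst: str) -> bool:
    """For 'ip nat inside source list/route-map ... overload', an inside->outside
    packet is translated only if the NAT ACL permits it; a deny (or no match) exempts it."""
    return acl_action(nat_acl, src, dst) == "permit"


# Original NAT ACL from the posted config: access-list 1 permit 192.168.1.0 0.0.0.255
ORIGINAL_ACL_1 = [Ace("permit", "192.168.1.0 0.0.0.255")]

# unclerico's nat_acl: exempt LAN -> VPN pool, still translate LAN -> everything else
NAT_ACL = [
    Ace("deny", "192.168.1.0 0.0.0.255", "10.0.0.0 0.0.0.255"),
    Ace("permit", "192.168.1.0 0.0.0.255", "any"),
]

# Split-tunnel access-list 103 from the config, written from the server side:
# protected LAN (source) to the client pool (destination)
SPLIT_TUNNEL_ACL_103 = [Ace("permit", "192.168.1.0 0.0.0.255", "10.0.0.0 0.0.0.255")]


def return_path(nat_acl: List[Ace], lan_host: str = "192.168.1.50",
                vpn_client: str = "10.0.0.3") -> Tuple[bool, bool]:
    """Evaluate a LAN host's reply to a VPN client (constructed sample addresses).
    Returns (translated_by_nat, covered_by_split_tunnel_acl)."""
    translated = is_translated(nat_acl, lan_host, vpn_client)
    in_split_tunnel = acl_action(SPLIT_TUNNEL_ACL_103, lan_host, vpn_client) == "permit"
    return translated, in_split_tunnel


if __name__ == "__main__":
    for name, acl in (("access-list 1", ORIGINAL_ACL_1), ("nat_acl", NAT_ACL)):
        translated, split = return_path(acl)
        print(f"{name:14s} LAN->VPN client: translated={translated}, in split-tunnel ACL={split}")
    # LAN -> Internet (constructed destination 198.51.100.7) must still be translated
    print(f"{'nat_acl':14s} LAN->Internet:   translated={is_translated(NAT_ACL, '192.168.1.50', '198.51.100.7')}")
```

On the router the corresponding check is `show ip nat translations` after a VPN client has talked to a LAN host: with the exemption in place there should be no translation entry whose outside address is in 10.0.0.0/24.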
 
Oh, and btw, LOOOVE your banner:
banner login ^CCCTHIS IS MY SHIT...ACCESS IS DENIED!!!!^C!
If only we could have a .wav file play and have the router/switch/firewall speak to the user...

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Any idea how to set up a VPN between two dynamic (IP) endpoints? Thought about using DMVPN, but from reading, the hub has to be static.

CCNA, CCNP, Sec+
 
I've always had at least one of the endpoints as a static, but I don't see any reason why you couldn't subscribe to something like DynDNS and specify host names instead of IP addresses in your tunnel or crypto map config.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 