Forcing all traffic via VPN for remote clients
Network Guy: So this is what I'm curious about doing....
I'd like to set up my 1841 so that whenever I make a VPN connection to it using Cisco VPN client, all my traffic is sent to the 1841 and then out to the Internet.
Right now I'm only able to get the "interesting" traffic through the tunnel, but when trying to access the Internet, it times out.
I tried having the ACL for the VPN pool point to the virtual interface 10.16.12.0/24 for all outbound traffic, and adding 10.16.12.0/24 to the NAT ACL but that doesn't seem to work. It doesn't even try to hit the interface, it simply keeps hitting the 10.17.12.0/24.
Is this possible?
TIA
Building configuration...
Current configuration : 3396 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login homenet_user_auth local
aaa authorization network homenet_group_auth local
!
aaa session-id common
ip cef
!
!
!
!
ip domain name homenet.local
!
!
!
username xxx password 7 xxx
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnaccess
key xxx
dns 10.17.12.2
domain homenet.local
pool vpnpool
acl 110
!
!
crypto ipsec transform-set tset1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set tset1
reverse-route
!
!
crypto map vpnrasin client authentication list homenet_user_auth
crypto map vpnrasin isakmp authorization list homenet_group_auth
crypto map vpnrasin client configuration address respond
crypto map vpnrasin 10 ipsec-isakmp dynamic dynmap
!
!
!
interface FastEthernet0/0
no ip address
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.17.12.3 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 10.16.12.3 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpnrasin
!
interface Serial0/0/0
no ip address
shutdown
!
ip local pool vpnpool 10.18.12.25 10.18.12.30
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.17.12.2 993 interface FastEthernet0/1 993
ip nat inside source static tcp 10.17.12.2 60002 interface FastEthernet0/1 60002
ip nat inside source static tcp 10.17.12.2 60001 interface FastEthernet0/1 60001
ip nat inside source static tcp 10.17.12.2 60000 interface FastEthernet0/1 60000
ip nat inside source static tcp 10.17.12.2 990 interface FastEthernet0/1 990
ip nat inside source static tcp 10.17.12.2 443 interface FastEthernet0/1 443
ip nat inside source static tcp 10.17.12.82 8062 interface FastEthernet0/1 8062
ip nat inside source static tcp 10.17.12.2 80 interface FastEthernet0/1 80
ip nat inside source static tcp 10.17.12.2 21 interface FastEthernet0/1 21
ip nat inside source static tcp 10.17.12.2 20 interface FastEthernet0/1 20
ip nat inside source static tcp 10.17.12.2 25 interface FastEthernet0/1 25
ip nat inside source static tcp 10.17.12.3 22 interface FastEthernet0/1 22
!
access-list 100 permit ip 10.16.12.0 0.0.0.255 10.18.12.24 0.0.0.7
access-list 100 deny ip 10.17.12.0 0.0.0.255 10.18.12.24 0.0.0.7
access-list 100 permit ip 10.17.12.0 0.0.0.255 any
access-list 101 permit tcp host 143.104.xxx.xxx any eq 22
access-list 101 permit tcp 10.17.12.0 0.0.0.255 any eq 22
access-list 101 deny ip any any
access-list 110 permit ip 10.18.12.24 0.0.0.7 10.16.12.0 0.0.0.255
access-list 110 permit ip any 10.18.12.24 0.0.0.7
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 101 in
password 7 xxx
transport input ssh
line vty 5 15
access-class 101 in
password 7 xxx
transport input ssh
!
scheduler allocate 20000 1000
end
router#
said by Network Guy: I'd like to set up my 1841 so that whenever I make a VPN connection to it using Cisco VPN client, all my traffic is sent to the 1841 and then out to the Internet.
IIRC, your config currently is set up to split tunnel the traffic -- see this page in Cisco's own hands that specifies you need an ACL for traffic that should not go through the tunnel.
If you don't want to split tunnel, you just have to remove the ACL 110 reference from your group vpnaccess... unless I'm completely out to lunch about what you're trying to do...
Regards
Network Guy: Hi
Just tried your suggestion, still doesn't work. :(
Basically, if/when I'm out on the road... Say lodging at a hotel with wifi access... I don't want to... for example... open my bank account at Chase via hotel wifi.. I want to use the hotel's wifi to connect to my 1841, and through my 1841 via VPN open my bank account at Chase...
So ideally I want this...
Laptop > Hotel wifi > VPN to my 1841 > out to anywhere in the intrawebnets
Building configuration...
Current configuration : 3320 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login homenet_user_auth local
aaa authorization network homenet_group_auth local
!
aaa session-id common
ip cef
!
!
!
!
ip domain name homenet.local
!
!
!
username ocintron password 7 xxx
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnaccess
key xxx
dns 10.17.12.2
domain homenet.local
pool vpnpool
!
!
crypto ipsec transform-set tset1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set tset1
reverse-route
!
!
crypto map vpnrasin client authentication list homenet_user_auth
crypto map vpnrasin isakmp authorization list homenet_group_auth
crypto map vpnrasin client configuration address respond
crypto map vpnrasin 10 ipsec-isakmp dynamic dynmap
!
!
!
interface FastEthernet0/0
no ip address
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.17.12.3 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 10.16.12.3 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpnrasin
!
interface Serial0/0/0
no ip address
shutdown
!
ip local pool vpnpool 10.18.12.25 10.18.12.30
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.17.12.2 993 interface FastEthernet0/1 993
ip nat inside source static tcp 10.17.12.2 60002 interface FastEthernet0/1 60002
ip nat inside source static tcp 10.17.12.2 60001 interface FastEthernet0/1 60001
ip nat inside source static tcp 10.17.12.2 60000 interface FastEthernet0/1 60000
ip nat inside source static tcp 10.17.12.2 990 interface FastEthernet0/1 990
ip nat inside source static tcp 10.17.12.2 443 interface FastEthernet0/1 443
ip nat inside source static tcp 10.17.12.82 8062 interface FastEthernet0/1 8062
ip nat inside source static tcp 10.17.12.2 80 interface FastEthernet0/1 80
ip nat inside source static tcp 10.17.12.2 21 interface FastEthernet0/1 21
ip nat inside source static tcp 10.17.12.2 20 interface FastEthernet0/1 20
ip nat inside source static tcp 10.17.12.2 25 interface FastEthernet0/1 25
ip nat inside source static tcp 10.17.12.3 22 interface FastEthernet0/1 22
!
access-list 100 permit ip 10.16.12.0 0.0.0.255 10.18.12.24 0.0.0.7
access-list 100 permit ip 10.17.12.0 0.0.0.255 any
access-list 101 permit tcp host 143.104.198.185 any eq 22
access-list 101 permit tcp 10.17.12.0 0.0.0.255 any eq 22
access-list 101 deny ip any any
access-list 110 permit ip 10.18.12.24 0.0.0.7 10.16.12.0 0.0.0.255
access-list 110 permit ip any 10.18.12.24 0.0.0.7
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 101 in
password 7 xxx
transport input ssh
line vty 5 15
access-class 101 in
password 7 xxx
transport input ssh
!
scheduler allocate 20000 1000
end
router#
RyanG1 (reply to Network Guy): Your NAT source ACL does not allow for the IP range of your VPN clients. In addition, if you want to have access to your internal devices, you may want to put a deny rule at the top to stop client VPN to inside host traffic from getting NAT'ed.
Ryan -- Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams
Network Guy: Alright, here's what I did..
Now I can't access inside hosts or the Internet via VPN.
:(
router#sh run
Building configuration...
Current configuration : 3299 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login homenet_user_auth local
aaa authorization network homenet_group_auth local
!
aaa session-id common
ip cef
!
!
!
!
ip domain name homenet.local
!
!
!
username ocintron password 7 xxx
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnaccess
key xxx
dns 10.17.12.2
domain homenet.local
pool vpnpool
acl 110
!
!
crypto ipsec transform-set tset1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set tset1
reverse-route
!
!
crypto map vpnrasin client authentication list homenet_user_auth
crypto map vpnrasin isakmp authorization list homenet_group_auth
crypto map vpnrasin client configuration address respond
crypto map vpnrasin 10 ipsec-isakmp dynamic dynmap
!
!
!
interface FastEthernet0/0
no ip address
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.17.12.3 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 10.18.12.25 255.255.255.248
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpnrasin
!
interface Serial0/0/0
no ip address
shutdown
!
ip local pool vpnpool 10.18.12.26 10.18.12.30
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.17.12.2 993 interface FastEthernet0/1 993
ip nat inside source static tcp 10.17.12.2 60002 interface FastEthernet0/1 60002
ip nat inside source static tcp 10.17.12.2 60001 interface FastEthernet0/1 60001
ip nat inside source static tcp 10.17.12.2 60000 interface FastEthernet0/1 60000
ip nat inside source static tcp 10.17.12.2 990 interface FastEthernet0/1 990
ip nat inside source static tcp 10.17.12.2 443 interface FastEthernet0/1 443
ip nat inside source static tcp 10.17.12.82 8062 interface FastEthernet0/1 8062
ip nat inside source static tcp 10.17.12.2 80 interface FastEthernet0/1 80
ip nat inside source static tcp 10.17.12.2 21 interface FastEthernet0/1 21
ip nat inside source static tcp 10.17.12.2 20 interface FastEthernet0/1 20
ip nat inside source static tcp 10.17.12.2 25 interface FastEthernet0/1 25
ip nat inside source static tcp 10.17.12.3 22 interface FastEthernet0/1 22
!
access-list 100 deny ip 10.18.12.24 0.0.0.7 10.17.12.0 0.0.0.255
access-list 100 permit ip 10.17.12.0 0.0.0.255 any
access-list 100 permit ip 10.18.12.24 0.0.0.7 any
access-list 101 permit tcp host 143.xxx.xxx.xxx any eq 22
access-list 101 permit tcp 10.17.12.0 0.0.0.255 any eq 22
access-list 101 deny ip any any
access-list 110 permit ip any any
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 101 in
password 7 xxx
transport input ssh
line vty 5 15
access-class 101 in
password 7 xxx
transport input ssh
!
scheduler allocate 20000 1000
end
router#
RyanG1 (reply to Network Guy): You need to take the ACL off the crypto client policy. If there's no ACL defined, a default route is installed; the VPN client will not interpret the permit ip any any command as a default route.
Ryan
Network Guy: Alright, did what you suggested, but the VPN pool still can't connect to the Internet. The only connectivity I've achieved is as follows:
10.18.12.24/29 can ping 10.17.12.0/24 and vice versa.
10.18.12.24/29 can ping all router inside interfaces as well as the outside interface.
Any destination beyond the router's outside interface is stopped dead in its tracks.
What gives?
Here's what the config looks like now:
Building configuration...
Current configuration : 3206 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login homenet_user_auth local
aaa authorization network homenet_group_auth local
!
aaa session-id common
ip cef
!
!
!
!
ip domain name homenet.local
!
!
!
username ocintron password 7 xxx
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnaccess
key xxx
dns 10.17.12.2
domain homenet.local
pool vpnpool
!
!
crypto ipsec transform-set tset1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set tset1
reverse-route
!
!
crypto map vpnrasin client authentication list homenet_user_auth
crypto map vpnrasin isakmp authorization list homenet_group_auth
crypto map vpnrasin client configuration address respond
crypto map vpnrasin 10 ipsec-isakmp dynamic dynmap
!
!
!
interface FastEthernet0/0
no ip address
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.17.12.3 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 10.18.12.25 255.255.255.248
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpnrasin
!
interface Serial0/0/0
no ip address
shutdown
!
ip local pool vpnpool 10.18.12.26 10.18.12.30
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.17.12.3 22 interface FastEthernet0/1 22
ip nat inside source static tcp 10.17.12.2 25 interface FastEthernet0/1 25
ip nat inside source static tcp 10.17.12.2 20 interface FastEthernet0/1 20
ip nat inside source static tcp 10.17.12.2 21 interface FastEthernet0/1 21
ip nat inside source static tcp 10.17.12.2 80 interface FastEthernet0/1 80
ip nat inside source static tcp 10.17.12.82 8062 interface FastEthernet0/1 8062
ip nat inside source static tcp 10.17.12.2 443 interface FastEthernet0/1 443
ip nat inside source static tcp 10.17.12.2 990 interface FastEthernet0/1 990
ip nat inside source static tcp 10.17.12.2 60000 interface FastEthernet0/1 60000
ip nat inside source static tcp 10.17.12.2 60001 interface FastEthernet0/1 60001
ip nat inside source static tcp 10.17.12.2 60002 interface FastEthernet0/1 60002
ip nat inside source static tcp 10.17.12.2 993 interface FastEthernet0/1 993
!
access-list 100 deny ip 10.17.12.0 0.0.0.255 10.18.12.24 0.0.0.7
access-list 100 deny ip 10.18.12.24 0.0.0.7 10.18.12.24 0.0.0.7
access-list 100 permit ip 10.17.12.0 0.0.0.255 any
access-list 100 permit ip 10.18.12.24 0.0.0.7 any
access-list 101 permit tcp host 143.104.xxx.xxx any eq 22
access-list 101 permit tcp 10.17.12.0 0.0.0.255 any eq 22
access-list 101 deny ip any any
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 101 in
password 7 xxx
transport input ssh
line vty 5 15
access-class 101 in
password 7 xxx
transport input ssh
!
scheduler allocate 20000 1000
end
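RyanG1's point about the NAT source list, checked as an added example (not code from the thread or from Cisco): a small evaluator for IOS-style wildcard-mask ACL lines, run over ACL 100 as posted in the first config and as posted in the config above, against three constructed flows. It confirms that the first ACL never permitted the VPN pool and the latest one does, so what remains is not an ACL problem: domain-based NAT only translates a packet that enters an ip nat inside interface and leaves an ip nat outside one, and hairpinned client traffic enters and leaves FastEthernet0/1, which is the limitation the later replies work around. 203.0.113.10 is a placeholder Internet address and the function names are the example's own.

```python
# Added example (not from the thread): wildcard-mask ACL evaluator for the NAT ACL 100
# posted above. Models only 'ip SRC DST' matching, first match wins, implicit deny;
# ports and the NAT inside/outside interface pairing are not modelled.
import ipaddress

# ACL 100 from the first config posted: nothing permits the VPN pool -> any.
ACL_ORIGINAL = """\
access-list 100 permit ip 10.16.12.0 0.0.0.255 10.18.12.24 0.0.0.7
access-list 100 deny ip 10.17.12.0 0.0.0.255 10.18.12.24 0.0.0.7
access-list 100 permit ip 10.17.12.0 0.0.0.255 any
"""
# ACL 100 from the last config posted: LAN -> pool exempt, pool -> any permitted.
ACL_FINAL = """\
access-list 100 deny ip 10.17.12.0 0.0.0.255 10.18.12.24 0.0.0.7
access-list 100 deny ip 10.18.12.24 0.0.0.7 10.18.12.24 0.0.0.7
access-list 100 permit ip 10.17.12.0 0.0.0.255 any
access-list 100 permit ip 10.18.12.24 0.0.0.7 any
"""

def _addr_spec(tokens):
    # Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints.
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text, number):
    # Keep only 'access-list <number> permit|deny ip ...' lines, in order.
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 5 and t[:2] == ["access-list", str(number)] and t[3] == "ip":
            rest = t[4:]
            rules.append((t[2], _addr_spec(rest), _addr_spec(rest)))
    return rules

def acl_action(rules, src, dst):
    # First-match lookup; a wildcard bit of 1 means "don't care" for that bit.
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, (sb, sw), (db, dw) in rules:
        if (s | sw) == (sb | sw) and (d | dw) == (db | dw):
            return action
    return "deny"  # IOS implicit deny at the end of every ACL

# Constructed flows; 203.0.113.10 (TEST-NET-3) stands in for an Internet host.
FLOWS = [("lan_to_internet", "10.17.12.2", "203.0.113.10"),
         ("lan_reply_to_vpn_client", "10.17.12.2", "10.18.12.26"),
         ("vpn_client_to_internet", "10.18.12.26", "203.0.113.10")]

def nat_decisions(acl_text):
    # 'permit' = flow would be translated by 'ip nat inside source list 100';
    # 'deny' = flow is NAT exempt.
    rules = parse_acl(acl_text, 100)
    return {name: acl_action(rules, s, d) for name, s, d in FLOWS}
```

Running nat_decisions over both ACLs shows the VPN-client-to-Internet flow going from deny to permit while the LAN-to-client exemption stays in place.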
RyanG1: I looked at how I did mine, but I'm using an EZ VPN setup using virtual templates.
Ryan
Network Guy: You took the easy way out... Booooooooo!!!!!

I haven't even enabled SDM on my 1841. I refuse to start cozying up to it now knowing I still have a lot to learn.
RyanG1 (reply to Network Guy): Well, I didn't use SDM, I did it from the CLI, and I'm using this so that it uses a tunnel interface that can be assigned a ZBFW policy as well as a routing protocol (OSPF) that runs over the tunnel.
Just because it says "EZ" in the name doesn't imply that it's the easy way out. This method actually has more configuration than a standard IPsec tunnel without the actual tunnel interface. You just have to choose what works for you given the scenario it will be used in =)
Ryan
nosx: I know it's a little late to chime in, but I have done this a couple different ways because of the limitations with traditional IPsec VPN config.
1) Use a front-door/back-door VRF for IPsec connections. This will hairpin the traffic around and provide the required split default route for inside and outside you need.
2) Move the IPsec VPN concentrator router behind the edge NAT device. With one routing table and one default route the behavior will work as required.
3) Use SSLVPN like the rest of the world and avoid the IPsec routing problems.