WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!
LAN to LAN VPN with internet access?
I have a LAN to LAN VPN set up between a cisco 837 router and 3005 concentrator. The connection is set up to enable a remote cisco 7960 hardphone to register with our CCM server. The problem I have is that the remote user can no longer acces the internet as everything is now sent down the tunnel. He was using a cicso softphone with a pc based vpn client and split tunnelling. This worked fine but I can't figure out how to do something similar on a LAN to LAN setup which I believe we need so he can use the hardphone. Is this even possible and if so can anyone tell what I need to configure to do it because it's got me stumped?
Who is Participating?
Check the 837 config has an access list permitting the internal network access to the outside.
This link may help:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800ae459.shtml
If not, could you post up the 837 config ?
This link may help:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800ae459.shtml
If not, could you post up the 837 config ?
It should all be handled in the access-list that you use to define the interesting traffic that goes through the tunnel..
If you have an ipsec policy with a "match address xxx" the xxx is an access list.
You might have something like
access-list 101 permit ip any <remote lan> mask
Where you should have
access-list 101 permit ip <local lan> mask <remote lan> mask
If you have an ipsec policy with a "match address xxx" the xxx is an access list.
You might have something like
access-list 101 permit ip any <remote lan> mask
Where you should have
access-list 101 permit ip <local lan> mask <remote lan> mask
Hi All
The current 837 config is as follows. I can get the tunnel up and I can get the hardphone to talk to the CCM server without a problem. I just don't know what I need to do to enable pc's at the 837 end to access the internet. Any ideas where I am going wrong?
Current configuration : 2747 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable secret *******
enable password *****
!
username ***** privilege 15 secret *******
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name yourdomain.com
!
!
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 28800
crypto isakmp key ****** address ***.***.19.20
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer ***.***.19.20
set transform-set SDM_TRANSFORMSET_1
match address 100
!
!
!
!
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$$INTF-
ip address 10.1.4.254 255.255.255.0
ip helper-address 10.1.1.10
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip tcp adjust-mss 1452
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/38
pppoe-client dial-pool-number 1
!
!
interface Dialer0
description $FW_OUTSIDE$
ip address ***.***.237.97 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname **********
ppp chap password 0 ********
crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
!
logging trap debugging
access-list 100 permit ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
line con 0
login local
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
privilege level 15
password *****
login
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler interval 500
!
end
The current 837 config is as follows. I can get the tunnel up and I can get the hardphone to talk to the CCM server without a problem. I just don't know what I need to do to enable pc's at the 837 end to access the internet. Any ideas where I am going wrong?
Current configuration : 2747 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable secret *******
enable password *****
!
username ***** privilege 15 secret *******
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name yourdomain.com
!
!
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 28800
crypto isakmp key ****** address ***.***.19.20
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer ***.***.19.20
set transform-set SDM_TRANSFORMSET_1
match address 100
!
!
!
!
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$$INTF-
ip address 10.1.4.254 255.255.255.0
ip helper-address 10.1.1.10
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip tcp adjust-mss 1452
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/38
pppoe-client dial-pool-number 1
!
!
interface Dialer0
description $FW_OUTSIDE$
ip address ***.***.237.97 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname **********
ppp chap password 0 ********
crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
!
logging trap debugging
access-list 100 permit ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
line con 0
login local
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
privilege level 15
password *****
login
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler interval 500
!
end
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
-
Course of the Month8 days, 18 hours left to enrollMonitoring and Operating a Private Cloud with System Center 2012 R2 273 lessons
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml
You're missing the NAT configuratins.
interface Eth0
ip nat inside
interface Dialer0
ip nat outside
ip nat inside source route-map nonat interface Dialer0 overload
access-list 105 deny ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 105 permit ip 10.1.4.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 105