Cisco VPN working, but needs internet access and hairpinning

Asked by cmsJustin
Tags: VPN, Internet Protocol Security, Cisco
I've been working on setting up a VPN for the laptop users at our company. The VPN works, except for 2 things:

1) Users need to be able to access the internet. I don't want to enable split-tunneling; I want them to access the internet from our connection, not their own.

2) We have a network set up for our conference rooms (Ethernet0/2, dmz, 10.10.10.0/24). I'd like users to be able to VPN back into our "inside" network from this subnet.

I've been searching the internet for a few days and also picking the brain of a Cisco guy at one of our consulting firms, but can't come up with anything. Anyone have a working config of this that they can share?

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address [hidden]
 
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.248.0
 
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
 
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_20_cryptomap extended permit ip 192.168.0.0 255.255.248.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.248.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.0.0.4 255.255.255.254
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.248.0 192.168.0.0 255.255.248.0
 
icmp unreachable rate-limit 1 burst-size 1
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 [hidden] 255
 
aaa-server DOMAIN protocol radius
aaa-server DOMAIN host 192.168.1.64
 timeout 5
 key 12345678911234567892123456789312
 radius-common-pw 12345678911234567892123456789312
 
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 192.168.1.61 192.168.1.62
 dns-server value 192.168.1.61 192.168.1.62
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value DOMAIN
 
group-policy Laptops internal
group-policy Laptops attributes
 wins-server value 192.168.1.61 192.168.1.62
 dns-server value 192.168.1.61 192.168.1.62
 vpn-tunnel-protocol IPSec
 default-domain value DOMAIN
 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
 
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
 
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer [hidden]
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  3600
 
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group DOMAIN
 dhcp-server 192.168.1.61
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
 
tunnel-group [hidden] type ipsec-l2l
tunnel-group [hidden] ipsec-attributes
 pre-shared-key *
 
tunnel-group [hidden] type ipsec-l2l
tunnel-group [hidden] ipsec-attributes
 pre-shared-key *
 
tunnel-group Laptops type ipsec-ra
tunnel-group Laptops general-attributes
 authentication-server-group DOMAIN
 default-group-policy Laptops
 dhcp-server 192.168.1.61
tunnel-group Laptops ipsec-attributes
 pre-shared-key *
 
no vpn-addr-assign aaa
no vpn-addr-assign local
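The first requirement in the question (VPN clients reaching the internet through the office connection with no split tunnelling) is what Cisco calls hairpinning: traffic arrives on the outside interface inside the tunnel, and leaves the same outside interface in the clear. With the pre-8.3 NAT syntax the posted config uses, that needs two things: `same-security-traffic permit intra-interface` (already present above) and a dynamic `nat (outside) <id> <vpn-pool>` entry whose id matches a `global (outside) <id> ...`, so that the decrypted client traffic is translated on its way back out. The following Python script is an added example, not code from the question, from the answer, or from Cisco; it parses the relevant lines of a config and reports which of those prerequisites are missing. The helper names (`parse_nat`, `hairpin_findings`), the embedded config excerpt (copied and trimmed from the posted config) and the VPN client pool `VPN_POOL` are all assumptions: the question hands out client addresses via DHCP, so the real pool is not shown on the page. The second requirement in the question (DMZ users tunnelling back into the inside network) is not covered by this check.

```python
"""Audit a pre-8.3 Cisco ASA config for VPN-client hairpinning prerequisites.

Added example (not from the question, the answer, or Cisco). It checks:
  1. `same-security-traffic permit intra-interface` is configured, and
  2. a dynamic `nat (<iface>) <id> <net> <mask>` covers the VPN client pool
     on the interface the tunnel terminates on, with a matching
     `global (<iface>) <id> ...` entry.
"""
import ipaddress
import re

# Constructed sample: the NAT/traffic lines copied from the posted config,
# trimmed to what the check needs.
POSTED_CONFIG = """\
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
"""

# Hypothetical VPN client pool (assumption: the page does not show the pool,
# only that 192.168.10.0/24 appears in the NAT-exemption ACL).
VPN_POOL = ("192.168.10.0", "255.255.255.0")

# Only address-based dynamic NAT lines match; `nat (x) 0 access-list ...` does not.
NAT_RE = re.compile(
    r"^nat \((?P<iface>[^)]+)\) (?P<id>\d+) "
    r"(?P<net>\d+\.\d+\.\d+\.\d+) (?P<mask>\d+\.\d+\.\d+\.\d+)"
)
GLOBAL_RE = re.compile(r"^global \((?P<iface>[^)]+)\) (?P<id>\d+)\b")


def parse_nat(config):
    """Return (intra_interface_enabled, nat_entries, {(iface, id)} globals)."""
    intra = False
    nats = []
    globals_ = set()
    for raw in config.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            intra = True
            continue
        m = NAT_RE.match(line)
        if m:
            nats.append(m.groupdict())
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_.add((m["iface"], m["id"]))
    return intra, nats, globals_


def _net(addr, mask):
    # ip_network accepts a dotted netmask; strict=False tolerates host bits.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def hairpin_findings(config, pool=VPN_POOL, iface="outside"):
    """List what is missing for VPN clients on `pool` to hairpin out of `iface`."""
    intra, nats, globals_ = parse_nat(config)
    pool_net = _net(*pool)
    findings = []
    if not intra:
        findings.append("missing: same-security-traffic permit intra-interface")
    # Dynamic NAT entries on the tunnel interface that cover the client pool.
    candidates = [
        n for n in nats
        if n["iface"] == iface and n["id"] != "0"
        and pool_net.subnet_of(_net(n["net"], n["mask"]))
    ]
    if not candidates:
        findings.append(
            f"missing: nat ({iface}) <id> {pool[0]} {pool[1]} "
            f"(dynamic NAT for VPN clients entering {iface})"
        )
    for n in candidates:
        if (iface, n["id"]) not in globals_:
            findings.append(
                f"nat ({iface}) {n['id']} has no matching global ({iface}) {n['id']}"
            )
    return findings


if __name__ == "__main__":
    for f in hairpin_findings(POSTED_CONFIG) or ["no hairpinning gaps found"]:
        print(f)
```

Run against the excerpt of the posted config, the script reports only the missing `nat (outside)` entry for the client pool; appending a line such as `nat (outside) 1 192.168.10.0 255.255.255.0` (pool assumed) clears the finding, because `global (outside) 1 interface` already exists. Audits like this are also a cheap way to catch the opposite mistake, a `nat (outside)` entry broader than the client pool, which would translate more traffic than intended.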