Solved

Cisco VPN on a router that is not the default gateway?

Posted on 2009-04-01
6
739 Views
Last Modified: 2012-05-06
I installed a Cisco 2621 Router that is supposed to provide VPN access into a network. The VPN connects fine, but I am only able to ping a couple of switches. I suspect it is because the Router that is providing the VPN is not the default gateway for the network. Is there any way to force the cisco to blindly push all traffic to an internal IP address (the default gateway) or do I just have my access-lists wrong?

Below are the interesting portions of my config.
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpn-mobile-user
 key
 dns
 domain
 pool ippool
 acl 105
!
!
crypto ipsec transform-set default-set esp-3des esp-sha-hmac
crypto mib topn interval 60
!
crypto dynamic-map default-map 13
 set transform-set default-set
!
!
crypto map mobile-map client authentication list vpn-mobile-user
crypto map mobile-map isakmp authorization list vpn-mobile-user
crypto map mobile-map client configuration address respond
crypto map mobile-map 13 ipsec-isakmp dynamic default-map
!
!
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.248
 ip nat outside
 half-duplex
 no cdp enable
 crypto map mobile-map
!
interface FastEthernet0/1
 ip address 10.27.205.101 255.255.255.0
 ip nat inside
 speed auto
 no cdp enable
!
router eigrp 100
 redistribute static
 network 10.27.205.0 0.0.0.255
 no auto-summary
!
ip local pool ippool 10.27.206.100 10.27.206.199
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
no ip http server
no ip http secure-server
!
!
!
access-list 105 permit ip 10.27.205.0 0.0.0.255 10.27.206.0 0.0.0.255
access-list 125 deny   ip 10.27.205.0 0.0.0.255 10.27.206.0 0.0.0.255
access-list 125 deny   ip 10.27.205.0 0.0.0.255 10.27.205.0 0.0.0.255
access-list 125 permit ip 10.27.205.0 0.0.0.255 any
no cdp run
!
route-map nonat permit 10
 match ip address 125
Question by:ulink
6 Comments
 
LVL 7

Expert Comment

by:mitrushi
ID: 24047738
You are using split tunneling defined by acl 105. This means that the remote client will know only this subnet and will route and encrypt data only for this subnet. You can include more subnets into this list or remove the list altogether, in which case all traffic on the remote client will be routed through the vpn tunnel. For the main site to know how to route traffic to the vpn client you can add reverse-route to your config under dynamic-map or add static routes manually to your config. You can find an excellent series on vpn and other topics at this link http://www.nil.com/ipcorner
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 24067176
>ip local pool ippool 10.27.206.100 10.27.206.199
Just add a static route on the router that is the default gateway, pointing this subnet to this vpn router.
0
 

Author Comment

by:ulink
ID: 24088416
That did the trick, thanks
0
 
LVL 7

Expert Comment

by:mitrushi
ID: 24089171
Out of curiosity, can vpn users on the 10.27.206.100 10.27.206.199 pool have access to all your internal subnets just by adding the static route on your default gateway router? It was my understanding that the vpn client will insert routes only for subnets specified on the split tunnel acl.
0
 

Author Comment

by:ulink
ID: 24091462
I believe the problem in this case is that packets could get into the network, but nothing could get back out because all packets not destined for the internal network get sent to the Router. So the Router needs to know how to get the packets back to the ip pool.
0
 
LVL 7

Expert Comment

by:mitrushi
ID: 24091566
Yes, of course this is the case for traffic coming from the vpn ip pool towards the 10.27.205.0/24 subnet declared on acl 105. I assumed that you wanted to give access to other internal subnets beside the 10.27.205.0 subnet. This is why I suggested the modification of acl 105. This issue is separate from adding the necessary routes from your main router to the vpn router.
0
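To make the two separate points in this thread concrete (the split-tunnel ACL mitrushi describes, and the return route on the default gateway that lrmoore's accepted answer adds), here is a small Python model. It is an added example, not code from the thread or from Cisco: it applies the wildcard-mask logic of access-list 105 the way the client uses the pushed split-tunnel list, and it traces a reply from an internal host through a longest-prefix-match lookup before and after the static route is added. The default gateway address 10.27.205.1 and the second internal subnet 10.27.10.0/24 are assumptions made up for the example; the router addresses, the pool and the ACL come from the question.

```python
"""Model of the two separate issues raised in this thread (added example).

1. Split tunnel: the client only sends traffic for the networks listed in
   the split-tunnel ACL (access-list 105) through the tunnel.
2. Return path: a reply from a host on 10.27.205.0/24 goes to the host's
   default gateway, which must have a route for the VPN pool
   10.27.206.0/24 pointing back at the VPN router 10.27.205.101
   (in IOS form: ip route 10.27.206.0 255.255.255.0 10.27.205.101).

Assumptions not in the thread: the default gateway is 10.27.205.1 and a
second internal subnet 10.27.10.0/24 exists (both constructed here).
"""
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    mask = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & mask) == (_to_int(network) & mask)


# access-list 105 from the question. The source side of each entry is the
# protected network the client learns about; the destination side is the pool.
ACL_105 = [("permit", "10.27.205.0", "0.0.0.255", "10.27.206.0", "0.0.0.255")]


def client_sends_via_tunnel(dest_ip, acl=ACL_105):
    """True if a connected client would encrypt traffic to dest_ip.

    Only destinations matching the source side of a permit entry are tunnelled;
    anything else (implicit deny) leaves the client's normal interface in the clear.
    """
    for action, src, src_wc, _dst, _dst_wc in acl:
        if wildcard_match(dest_ip, src, src_wc):
            return action == "permit"
    return False


class Router:
    """Minimal longest-prefix-match forwarding table."""

    def __init__(self, name, routes):
        self.name = name
        # routes: (prefix, next_hop); next_hop is an IP string or a label
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def add_static_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dest_ip):
        d = ipaddress.ip_address(dest_ip)
        matches = [(n, nh) for n, nh in self.routes if d in n]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_topology():
    """Internal LAN as in the question: the VPN router is NOT the default gateway."""
    return {
        # assumed default gateway: knows the LAN and its own upstream, nothing else
        "10.27.205.1": Router("default-gateway",
                              [("10.27.205.0/24", "connected"), ("0.0.0.0/0", "isp")]),
        # the VPN router: pool traffic is picked up by the crypto map on Fa0/0
        # (modelled here as a direct 'tunnel' hop)
        "10.27.205.101": Router("vpn-router",
                                [("10.27.205.0/24", "connected"), ("10.27.206.0/24", "tunnel")]),
    }


def trace_reply(nodes, dest_ip, first_hop="10.27.205.1", max_hops=8):
    """Follow a reply from an internal host (sent to its default gateway) toward dest_ip."""
    path, hop = [], first_hop
    for _ in range(max_hops):
        router = nodes[hop]
        path.append(router.name)
        nh = router.lookup(dest_ip)
        if nh == "tunnel":
            return path + ["vpn-client"]
        if nh == "connected":
            return path + [dest_ip]
        if nh is None or nh == "isp":
            # the gateway has no route for the pool: the reply is sent upstream and lost
            return path + ["lost-upstream"]
        hop = nh
    return path + ["loop"]


if __name__ == "__main__":
    print(client_sends_via_tunnel("10.27.205.10"))   # True: in acl 105
    print(client_sends_via_tunnel("10.27.10.5"))     # False: not in acl 105
    nodes = build_topology()
    print(trace_reply(nodes, "10.27.206.150"))       # before the fix: lost upstream
    nodes["10.27.205.1"].add_static_route("10.27.206.0/24", "10.27.205.101")
    print(trace_reply(nodes, "10.27.206.150"))       # after: via vpn-router to the client
```

Running it shows the two effects independently: the client tunnels traffic to 10.27.205.x but not to the assumed 10.27.10.0/24 until that subnet is added to acl 105, and the reply from an internal host only reaches the client once the gateway has the pool route pointing at 10.27.205.101. Adding a subnet to the ACL without the return route, or the return route without the ACL entry, still leaves one direction broken, which is the distinction mitrushi draws in the last comment.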