Connect to internet through vpn cisco 871

Hi,

I'm trying to set up a VPN to my office. I've used Easy VPN Server to do it. I can connect from any client to the office and ping any computer on the office network. However, I can't connect to the internet with my current setup, AND I DO NOT WANT TO USE SPLIT TUNNELING. I want all the clients to connect to the internet through the VPN.

I'm using a Cisco 871W router and my config is:

!This is the running config of the router: 192.168.0.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname D2-RTR001-LDN
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 XXXX...XXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.200 192.168.0.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 192.168.0.10 192.168.0.10
   domain-name d2see.lan
!
!
ip port-map user-remotedesktop port tcp 3389 list 2 description Microsoft Remote Desktop
ip inspect log drop-pkt
ip inspect udp idle-time 300
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 tcp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip tcp synwait-time 10
no ip bootp server
ip domain name d2see.lan
ip name-server 62.244.177.177
ip name-server 192.168.0.10
ip name-server 62.244.176.176
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
username admin privilege 15 secret 5 XXXX...XXXX
username isaac secret 5 XXXX...XXXX
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group d2see
 key XXXX...XXXX
 dns 195.235.113.3 192.168.0.10
 domain d2see.lan
 pool SDM_POOL_1
 max-users 3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 83.244.217.196 255.255.255.192
 ip access-group 101 in
 ip verify unicast reverse-path
 ip mask-reply
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit 7 FA22505B0D439F6CC14BB015373C transmit-key
 encryption mode wep mandatory
 !
 ssid MAIZE
    authentication open
    guest-mode
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip local pool SDM_POOL_1 10.1.1.2 10.1.1.4
ip classless
ip route 0.0.0.0 0.0.0.0 83.244.217.193 permanent
ip route 192.168.200.0 255.255.255.0 192.168.0.200 permanent
ip route 192.168.201.0 255.255.255.0 192.168.0.201 permanent
ip route 192.168.202.0 255.255.255.0 192.168.0.202 permanent
ip route 192.168.203.0 255.255.255.0 192.168.0.203 permanent
ip route 192.168.204.0 255.255.255.0 192.168.0.204 permanent
ip route 192.168.206.0 255.255.255.0 192.168.0.206 permanent
ip route 192.168.207.0 255.255.255.0 192.168.0.207 permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list extended test
 permit ip any host 10.1.1.2
 permit ip any host 10.1.1.3
 permit ip any host 10.1.1.4
!
logging trap debugging
access-list 100 permit ip any any log
access-list 101 remark SDM_ACL Category=17
access-list 101 permit ip host 10.1.1.2 any
access-list 101 permit ip host 10.1.1.3 any
access-list 101 permit ip host 10.1.1.4 any
access-list 101 permit udp any host 83.244.217.196 eq non500-isakmp
access-list 101 permit udp any host 83.244.217.196 eq isakmp
access-list 101 permit esp any host 83.244.217.196
access-list 101 permit ahp any host 83.244.217.196
access-list 101 deny   ip any any log
access-list 103 permit ip 10.1.1.0 0.0.0.255 any log
access-list 103 remark SDM_ACL Category=18
access-list 103 deny   ip any host 10.1.1.2
access-list 103 deny   ip any host 10.1.1.3
access-list 103 deny   ip any host 10.1.1.4
access-list 103 permit ip 192.168.0.0 0.0.0.255 any log
no cdp run
route-map test permit 1
 match ip address test
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCCCCCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
1 Solution
 
cbao_ramboAuthor Commented:
Hi again,

I've been digging through the forums and it seems that I only need to add a NAT rule. However, I don't know exactly which rule, or even which type of rule.

ip nat inside destination
ip nat inside source
ip nat outside source

I'm also thinking that maybe the reason for my problems is my firewall.

Please, HELP!!
 
JFrederick29Commented:
You need to configure NAT on a stick for the client VPN traffic.

For example:

interface Loopback0
 ip address 10.255.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly

access-list 144 permit ip 10.1.1.0 0.0.0.255 any
access-list 103 permit ip 10.1.1.0 0.0.0.255 any

route-map VPN-Client permit 10
 match ip address 144
 set ip next-hop 10.255.0.2

interface FastEthernet4
 ip policy route-map VPN-Client


http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml
 
cbao_ramboAuthor Commented:
Hi again,

In relation to your previous comment, if I'm not wrong, the traffic coming from the VPN is redirected to the loopback interface and later goes back out to the internet. Is it done this way because the security policy doesn't permit traffic that comes in and then goes back out through the same interface?

On the route map:
what does the line "set ip next-hop 10.255.0.2" do?

Why do I have to apply the policy to the route map?

Thanks so much for your answer, JFrederick29. I think I almost understand how the traffic flows now. I'll try your solution as soon as nobody is in the office today.

Thanks again.
 
JFrederick29Commented:
>Is it done this way because the security policy doesn't permit traffic that comes in and then goes back out through the same interface?

It's more a limitation with NAT. The traffic needs to traverse from an inside to an outside interface, or from an outside to an inside interface. The VPN client internet traffic goes from an outside interface to an outside interface, which doesn't work. Using the loopback, you are routing the VPN client Internet traffic to the loopback (nat inside) and then back out f4 (nat outside), so NAT occurs, which resolves this issue.

>what does the line "set ip next-hop 10.255.0.2" do?
It policy-routes traffic matched by access-list 144 (the VPN clients) to the Loopback0 interface, to satisfy the "nat inside" requirement.

>Why do I have to apply the policy to the route map?

Do you mean this?

interface FastEthernet4
 ip policy route-map VPN-Client

This is applying it to the "Internet" interface for the VPN client traffic coming in.
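Editor's note (added example, not part of the original thread): the fragment below pulls JFrederick29's suggestion together into one complete "NAT on a stick" block for the 871W running config posted above, in the form a practitioner would actually paste in. The interface, VPN pool, NAT route-map and ACL numbers come from the thread, and the Loopback0 addressing follows the answer; the named ACL VPN-CLIENT-TO-INTERNET and the exclusion of office and client destinations from the policy are this example's own additions, not something the answer or the original poster wrote.

```cisco
! Added example (editor's, not from the thread): NAT on a stick for the
! Easy VPN client pool 10.1.1.0/24 on the 871W above.
!
! 1. A NAT-inside interface whose only job is to give PBR somewhere to send
!    the decrypted client traffic. 10.255.0.2 is a hypothetical host that
!    never answers: the packet is "delivered" to Loopback0 and re-enters the
!    routing table as if it had arrived on an inside interface.
interface Loopback0
 ip address 10.255.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
! 2. Select only VPN-client traffic bound for the Internet. Office LAN
!    destinations (192.168.0.0/24 and the 192.168.200-207.0/24 subnets routed
!    via 192.168.0.20x in the posted config) and client-to-client traffic are
!    excluded so they keep their normal path and are never translated.
!    (ACL name is this example's assumption.)
ip access-list extended VPN-CLIENT-TO-INTERNET
 deny   ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.200.0 0.0.7.255
 deny   ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
!
! 3. Policy-route the matching packets toward the loopback subnet.
route-map VPN-Client permit 10
 match ip address VPN-CLIENT-TO-INTERNET
 set ip next-hop 10.255.0.2
!
! 4. Apply the policy where the decrypted packets arrive: the crypto-map
!    (outside) interface, not the loopback.
interface FastEthernet4
 ip policy route-map VPN-Client
!
! 5. No change to the NAT statement is needed: the posted config already has
!    "ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload"
!    and ACL 103 already permits 10.1.1.0/24, so the second pass out
!    FastEthernet4 is translated to 83.244.217.196. Inbound ACL 101 already
!    permits ip host 10.1.1.2-4 any; those entries are what admit the
!    decrypted client packets so that the policy route-map can see them.
```

To check that it is working: "show route-map VPN-Client" should show the policy-routing match counters increasing while a connected client browses; "show ip nat translations" should list entries with an inside local of 10.1.1.x and an inside global of 83.244.217.196; "show ip policy" confirms that the route-map is bound to FastEthernet4. Because "ip inspect DEFAULT100 out" is already applied on FastEthernet4, CBAC will open the return path for these sessions the same way it does for LAN hosts. Leave "debug ip policy" for a quiet moment, since it logs every policy decision on the WAN interface.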
 
cbao_ramboAuthor Commented:
Hi,

So, when I execute a line like on an interface:

ip policy route-map VPN-Client

This checks all the traffic on the interface, and when it matches the rules in access-list 144 it redirects the traffic to the next-hop, which in this case would be the network on the loopback interface. I guess that physically the traffic arrives at the new network (10.255.0.0).

After that, the router, listening on the IP 10.255.0.1, receives the traffic and redirects it to the internet (in this case successfully, because the NAT problem has been solved previously).

Is all this right?

I also wanted to know, on the line:

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload

is the traffic being redirected in any way?

Thanks a lot.
 
JFrederick29Commented:
Yes, that is right.

No, this is only for outbound source IP address translation.