Enabling Cisco VPN client use of remote gateway internet connection

Posted on 2009-05-15
Last Modified: 2012-06-27
Hi
I have a CISCO 871 and want remote VPN clients to be able to use its internet connection, i.e. any traffic not for the LAN behind the 871 gets routed back out on the incoming internet connection. What is the best way of achieving this?

Many thanks
9 Comments
 

Expert Comment

by:JFrederick29
ID: 24398889
You want client Internet traffic to use their Internet connection?  If so, you need to enable split-tunneling.

For example:

ip access-list extended vpn-split-tunnel
 permit ip 10.0.0.0 0.0.0.255 10.255.255.0 0.0.0.255   <--where 10.0.0.0/24 is the local LAN and 10.255.255.0 is the remote VPN pool

crypto isakmp client configuration group <groupname>
 acl vpn-split-tunnel
 

Author Comment

by:Robin_Shipston
ID: 24399097
Not their own internet connection, I want the clients to be able to use the internet connection of the remote gateway. The problem I am trying to overcome is state filtering of internet traffic. So I have VPN clients inside the filtered country that tunnel to head office in UK and can both access resources on the head office LAN and also use the head office internet connection there. Thus tunneling through the filtering.
 

Expert Comment

by:JFrederick29
ID: 24400736
Okay, you need to do the following on the main office router to get around the NAT limitations.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

 

Author Comment

by:Robin_Shipston
ID: 24401444
That looks spot on, cheers. I've spent hours looking on Cisco's website!
I'll let you know how I get on.
 

Author Comment

by:Robin_Shipston
ID: 24462565
The Cisco example didn't work; I'm just trying to find an opportunity to work out why.
 

Expert Comment

by:JFrederick29
ID: 24472122
Can you post the router config with the changes you attempted so I can verify?
 

Author Comment

by:Robin_Shipston
ID: 24474490
Traceroute verifies that the config is now working: a trace from the VPN client goes straight out onto the internet connection of the remote gateway. However, any other traffic is getting blocked on the return by an access list on the external interface, and I don't know what access list entries to make.

The replies for the VPN clients don't seem to be associated with the requests and allowed back.

At the moment access list 101 is blocking replies. So for instance, if the VPN client browses to www.bbc.co.uk there will be a log entry of "list 101 denied [www.bbc.co.uk IP](80) -> [external router IP](62693), 1 packet".

Local users of course aren't affected by this blocking.






Building configuration...

Current configuration : 13203 bytes
!
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ******
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret *************
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.31 192.168.3.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.3.0 255.255.255.0
   dns-server 158.43.192.1 158.43.128.1
   default-router 192.168.3.254
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name homeip.net
ip name-server 158.43.192.1
ip name-server 158.43.128.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ddns update method sdm_ddns1
 HTTP
  add http:********
  remove *********
!
!
!
crypto pki trustpoint TP-self-signed-421072361
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-421072361
 revocation-check none
 rsakeypair TP-self-signed-421072361
!
!
crypto pki certificate chain TP-self-signed-421072361
 certificate self-signed 01
***************
  quit
username **********
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group Home
 key *********
 pool SDM_POOL_2
 max-users 10
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
bridge irb
!
!
interface Loopback0
 ip address 10.11.0.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip dhcp client update dns server none
 ip ddns update sdm_ddns1
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map VPN-Client
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 40bit ********* transmit-key
 encryption mode ciphers tkip wep40
 !
 ssid *******
    authentication open
    wpa-psk ascii **********
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.3.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip local pool SDM_POOL_1 192.168.3.180 192.168.3.190
ip local pool SDM_POOL_2 192.168.50.1 192.168.50.10
ip classless
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source static tcp 192.168.3.237 5001 interface FastEthernet4 5001
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
no logging trap
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 2 permit ************
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.50.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
******
access-list 100 deny   tcp any host 192.168.3.254 eq telnet
access-list 100 deny   tcp any host 192.168.3.254 eq 22
access-list 100 deny   tcp any host 192.168.3.254 eq www
access-list 100 deny   tcp any host 192.168.3.254 eq 443
access-list 100 deny   tcp any host 192.168.3.254 eq cmd
access-list 100 deny   udp any host 192.168.3.254 eq snmp
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 192.168.50.1 any
access-list 101 permit ip host 192.168.50.2 any
access-list 101 permit ip host 192.168.50.3 any
access-list 101 permit ip host 192.168.50.4 any
access-list 101 permit ip host 192.168.50.5 any
access-list 101 permit ip host 192.168.50.6 any
access-list 101 permit ip host 192.168.50.7 any
access-list 101 permit ip host 192.168.50.8 any
access-list 101 permit ip host 192.168.50.9 any
access-list 101 permit ip host 192.168.50.10 any
access-list 101 permit ip host 192.168.3.180 any
access-list 101 permit ip host 192.168.3.181 any
access-list 101 permit ip host 192.168.3.182 any
access-list 101 permit ip host 192.168.3.183 any
access-list 101 permit ip host 192.168.3.184 any
access-list 101 permit ip host 192.168.3.185 any
access-list 101 permit ip host 192.168.3.186 any
access-list 101 permit ip host 192.168.3.187 any
access-list 101 permit ip host 192.168.3.188 any
access-list 101 permit ip host 192.168.3.189 any
access-list 101 permit ip host 192.168.3.190 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
*********
*********
access-list 101 permit udp host 158.43.128.1 eq domain any
access-list 101 permit udp host 158.43.192.1 eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny   ip 192.168.3.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any log
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.50.0 0.0.0.255 any
access-list 102 permit ip host ******** any
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip any host 192.168.50.1
access-list 103 deny   ip any host 192.168.50.2
access-list 103 deny   ip any host 192.168.50.3
access-list 103 deny   ip any host 192.168.50.4
access-list 103 deny   ip any host 192.168.50.5
access-list 103 deny   ip any host 192.168.50.6
access-list 103 deny   ip any host 192.168.50.7
access-list 103 deny   ip any host 192.168.50.8
access-list 103 deny   ip any host 192.168.50.9
access-list 103 deny   ip any host 192.168.50.10
access-list 103 deny   ip any host 192.168.3.180
access-list 103 deny   ip any host 192.168.3.181
access-list 103 deny   ip any host 192.168.3.182
access-list 103 deny   ip any host 192.168.3.183
access-list 103 deny   ip any host 192.168.3.184
access-list 103 deny   ip any host 192.168.3.185
access-list 103 deny   ip any host 192.168.3.186
access-list 103 deny   ip any host 192.168.3.187
access-list 103 deny   ip any host 192.168.3.188
access-list 103 deny   ip any host 192.168.3.189
access-list 103 deny   ip any host 192.168.3.190
access-list 103 permit ip 192.168.3.0 0.0.0.255 any
access-list 103 permit ip 192.168.50.0 0.0.0.255 any
access-list 104 permit ip 192.168.50.0 0.0.0.255 any
snmp-server community admin RO
no cdp run
route-map vpn-loop permit 10
!
route-map VPN-Client permit 10
 match ip address 104
 set ip next-hop 10.11.0.2
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 102 in
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 158.43.128.33 source FastEthernet4 prefer
end

 

Accepted Solution

by: JFrederick29 (earned 125 total points)
ID: 24475106
First try adding this:

conf t
int f4
ip inspect DEFAULT100 in

If that doesn't work, add this to the access-list:

conf t
ip access-list ext 101
no deny ip any any log
permit tcp any any established
permit udp any eq 53 any
deny ip any any log

This will allow the return traffic.
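The log line in the config post above shows a reply from port 80 falling through to the final "deny ip any any log" of access-list 101, and the accepted answer's second option puts "permit tcp any any established" in front of that deny. What follows is an added example, not code from the thread or from Cisco: a small first-match evaluator for IOS-style ACL entries, loaded with the access-list 101 lines that such a reply can reach, before and after that change. The public addresses (203.0.113.0/24 and 198.51.100.0/24) and the sample log line are constructed stand-ins, since the thread masks the real ones, and the ACK flag on the reply is an assumption because the log records no flags.

```python
"""Added example: first-match evaluation of IOS-style ACL entries, used to
check access-list 101 from the thread against the logged return packet.
Not the router's code. Public addresses are RFC 5737 documentation ranges."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "domain": 53}  # IOS keywords used below


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "esp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK flag
    rst: bool = False     # TCP RST flag


@dataclass(frozen=True)
class Ace:
    text: str
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]  # "eq N" on the source; None means any
    dport: Optional[int]
    established: bool     # IOS 'established': ACK or RST bit set; no state is kept

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport)
                and (not self.established or (p.proto == "tcp" and (p.ack or p.rst))))


def _addr(toks: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (network, next index)."""
    if toks[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.IPv4Network(toks[i + 1] + "/32"), i + 2
    # ipaddress accepts a wildcard (hostmask) as the second element of the tuple
    return ipaddress.IPv4Network((toks[i], toks[i + 1]), strict=False), i + 2


def _port(toks: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq PORT' (keyword or number)."""
    if i < len(toks) and toks[i] == "eq":
        tok = toks[i + 1]
        return (PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)), i + 2
    return None, i


def parse_ace(line: str) -> Optional[Ace]:
    toks = line.split()
    if len(toks) < 5 or toks[0] != "access-list" or toks[2] == "remark":
        return None
    src, i = _addr(toks, 4)
    sport, i = _port(toks, i)
    dst, i = _addr(toks, i)
    dport, i = _port(toks, i)
    return Ace(line.strip(), toks[2], toks[3], src, dst, sport, dport, "established" in toks[i:])


def load_acl(text: str) -> List[Ace]:
    return [a for a in map(parse_ace, text.strip().splitlines()) if a]


def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, str]:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action, ace.text
    return "deny", "implicit deny ip any any"


# The entries of the posted access-list 101 that Internet return traffic can reach
ACL_101_BEFORE = """
access-list 101 permit ip host 192.168.50.1 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit udp host 158.43.128.1 eq domain any
access-list 101 deny   ip 192.168.3.0 0.0.0.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip any any log
"""
# The same list with the accepted answer's three lines in place of the final deny
ACL_101_AFTER = ACL_101_BEFORE.replace("deny   ip any any log", """permit tcp any any established
access-list 101 permit udp any eq 53 any
access-list 101 deny   ip any any log""")

# Constructed in the shape of the router's %SEC-6-IPACCESSLOGP line; the thread masks the real addresses
SAMPLE_LOG = "%SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.80(80) -> 198.51.100.1(62693), 1 packet"
LOG_RE = re.compile(r"list \S+ denied (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\)")


def packet_from_log(line: str) -> Packet:
    """Rebuild the dropped packet; the log has no flags, so a TCP reply is assumed to carry ACK."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an IPACCESSLOGP line: " + line)
    proto, src, sport, dst, dport = m.groups()
    return Packet(proto, src, dst, int(sport), int(dport), ack=(proto == "tcp"))


def demo() -> dict:
    before, after = load_acl(ACL_101_BEFORE), load_acl(ACL_101_AFTER)
    reply = packet_from_log(SAMPLE_LOG)
    syn = Packet("tcp", "203.0.113.66", "198.51.100.1", 4444, 62693)             # unsolicited SYN
    probe = Packet("tcp", "203.0.113.66", "198.51.100.1", 4444, 3389, ack=True)  # ACK-only probe
    return {"reply_before": evaluate(before, reply)[0],
            "reply_after": evaluate(after, reply)[0],
            "syn_after": evaluate(after, syn)[0],
            "ack_probe_after": evaluate(after, probe)[0]}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The four verdicts show both the point of the fix and its limit: the HTTP reply is dropped by the original list and permitted by the amended one, an unsolicited SYN to the same port is still dropped, but an ACK-only probe to any port is also permitted, because "established" tests flag bits rather than connection state. The answer's first option, "ip inspect DEFAULT100 in", relies on CBAC session tracking instead and opens only the return path of sessions it has seen; the thread does not record which of the two the author ended up keeping.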
 

Author Closing Comment

by:Robin_Shipston
ID: 31581887
Excellent, works a treat! Thanks