Solved

Enabling Cisco VPN client use of remote gateway internet connection

Posted on 2009-05-15
9
1,866 Views
Last Modified: 2012-06-27
Hi
I have a CISCO 871 and want remote VPN clients to be able to use its internet connection. ie any traffic not for the LAN behind the 871 gets routed back out on the incoming internet connection. What is the best way of achieving this?

Many thanks
0
Comment
Question by:Robin_Shipston
  • 5
  • 4
9 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24398889
You want client Internet traffic to use their Internet connection?  If so, you need to enable split-tunneling.

For example:

ip access-list extended vpn-split-tunnel
 permit ip 10.0.0.0 0.0.0.255 10.255.255.0 0.0.0.255   <--where 10.0.0.0/24 is the local LAN and 10.255.255.0 is the remote VPN pool

crypto isakmp client configuration group <groupname>
 acl vpn-split-tunnel
0
 

Author Comment

by:Robin_Shipston
ID: 24399097
Not their own internet connection, I want the clients to be able to use the internet connection of the remote gateway. The problem I am trying to overcome is state filtering of internet traffic. So I have VPN clients inside the filtered country that tunnel to head office in UK and can both access resources on the head office LAN and also use the head office internet connection there. Thus tunneling through the filtering.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24400736
Okay, you need to do the following on the main office router to get around the NAT limitations.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:Robin_Shipston
ID: 24401444
That looks spot on, cheers. I've spent hours looking on Cisco's website!
I'll let you know how I get on.
0
 

Author Comment

by:Robin_Shipston
ID: 24462565
Cisco example didn't work, just trying to find opportunity to work out why.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24472122
Can you post the router config with the changes you attempted so I can verify.
0
 

Author Comment

by:Robin_Shipston
ID: 24474490
Traceroute verifies that the config is now working, a trace from the VPN client goes straight out onto the internet connection of the remote gateway. However any other traffic is getting blocked on the return by an access list on the external interface, and I don't know what access list entries to make.

The replies for the VPN clients don't seem to be being associated with the requests and allowed back.

At the moment access list 101 is blocking replies. So for instance if the VPN client browses to www.bbc.co.uk there will be a log entry of "list 101 denied [www.bbc.co.ukIP](80)->[ExternalrouterIP](62693), 1 packet

Local users of course aren't affected by this blocking.





Building configuration...
 
Current configuration : 13203 bytes
!
 
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ******
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret *************
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.31 192.168.3.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.3.0 255.255.255.0
   dns-server 158.43.192.1 158.43.128.1 
   default-router 192.168.3.254 
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name homeip.net
ip name-server 158.43.192.1
ip name-server 158.43.128.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ddns update method sdm_ddns1
 HTTP
  add http:********
  remove *********
!
!
!
crypto pki trustpoint TP-self-signed-421072361
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-421072361
 revocation-check none
 rsakeypair TP-self-signed-421072361
!
!
crypto pki certificate chain TP-self-signed-421072361
 certificate self-signed 01
***************
  quit
username **********
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group Home
 key *********
 pool SDM_POOL_2
 max-users 10
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA 
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
bridge irb
!
!
interface Loopback0
 ip address 10.11.0.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip dhcp client update dns server none
 ip ddns update sdm_ddns1
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map VPN-Client
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 40bit ********* transmit-key
 encryption mode ciphers tkip wep40 
 !
 ssid *******
    authentication open 
    wpa-psk ascii **********
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.3.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip local pool SDM_POOL_1 192.168.3.180 192.168.3.190
ip local pool SDM_POOL_2 192.168.50.1 192.168.50.10
ip classless
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source static tcp 192.168.3.237 5001 interface FastEthernet4 5001
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
no logging trap
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 2 permit ************
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.50.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
******
access-list 100 deny   tcp any host 192.168.3.254 eq telnet
access-list 100 deny   tcp any host 192.168.3.254 eq 22
access-list 100 deny   tcp any host 192.168.3.254 eq www
access-list 100 deny   tcp any host 192.168.3.254 eq 443
access-list 100 deny   tcp any host 192.168.3.254 eq cmd
access-list 100 deny   udp any host 192.168.3.254 eq snmp
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 192.168.50.1 any
access-list 101 permit ip host 192.168.50.2 any
access-list 101 permit ip host 192.168.50.3 any
access-list 101 permit ip host 192.168.50.4 any
access-list 101 permit ip host 192.168.50.5 any
access-list 101 permit ip host 192.168.50.6 any
access-list 101 permit ip host 192.168.50.7 any
access-list 101 permit ip host 192.168.50.8 any
access-list 101 permit ip host 192.168.50.9 any
access-list 101 permit ip host 192.168.50.10 any
access-list 101 permit ip host 192.168.3.180 any
access-list 101 permit ip host 192.168.3.181 any
access-list 101 permit ip host 192.168.3.182 any
access-list 101 permit ip host 192.168.3.183 any
access-list 101 permit ip host 192.168.3.184 any
access-list 101 permit ip host 192.168.3.185 any
access-list 101 permit ip host 192.168.3.186 any
access-list 101 permit ip host 192.168.3.187 any
access-list 101 permit ip host 192.168.3.188 any
access-list 101 permit ip host 192.168.3.189 any
access-list 101 permit ip host 192.168.3.190 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
*********
*********
access-list 101 permit udp host 158.43.128.1 eq domain any
access-list 101 permit udp host 158.43.192.1 eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny   ip 192.168.3.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any log
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.50.0 0.0.0.255 any
access-list 102 permit ip host ********any
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip any host 192.168.50.1
access-list 103 deny   ip any host 192.168.50.2
access-list 103 deny   ip any host 192.168.50.3
access-list 103 deny   ip any host 192.168.50.4
access-list 103 deny   ip any host 192.168.50.5
access-list 103 deny   ip any host 192.168.50.6
access-list 103 deny   ip any host 192.168.50.7
access-list 103 deny   ip any host 192.168.50.8
access-list 103 deny   ip any host 192.168.50.9
access-list 103 deny   ip any host 192.168.50.10
access-list 103 deny   ip any host 192.168.3.180
access-list 103 deny   ip any host 192.168.3.181
access-list 103 deny   ip any host 192.168.3.182
access-list 103 deny   ip any host 192.168.3.183
access-list 103 deny   ip any host 192.168.3.184
access-list 103 deny   ip any host 192.168.3.185
access-list 103 deny   ip any host 192.168.3.186
access-list 103 deny   ip any host 192.168.3.187
access-list 103 deny   ip any host 192.168.3.188
access-list 103 deny   ip any host 192.168.3.189
access-list 103 deny   ip any host 192.168.3.190
access-list 103 permit ip 192.168.3.0 0.0.0.255 any
access-list 103 permit ip 192.168.50.0 0.0.0.255 any
access-list 104 permit ip 192.168.50.0 0.0.0.255 any
snmp-server community admin RO
no cdp run
route-map vpn-loop permit 10
!
route-map VPN-Client permit 10
 match ip address 104
 set ip next-hop 10.11.0.2
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 102 in
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 158.43.128.33 source FastEthernet4 prefer
end

Open in new window

0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 125 total points
ID: 24475106
First try adding this:

conf t
int f4
ip inspect DEFAULT100 in

If that doesn't work, add this to the access-list:

conf t
ip access-list ext 101
no deny ip any any log
permit tcp any any established
permit udp any eq 53 any
deny ip any any log

This will allow the return traffic.
0
 

Author Closing Comment

by:Robin_Shipston
ID: 31581887
Excellent, works a treat! Thanks
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Sonicwall VPN 17 84
OpenVPN Access Server in EC2 Connectivity Issues 1 51
Trouble with VPN DENY rules on sonicwall 1 34
Teamviewer vpn for dc replication 9 21
I've had to do a bit of research to setup my VPN connection so that Clients can access Windows Server 2008 network shares.  I have a Cisco ASA 5510 firewall.  I found an article which was extremely useful: It had a solution if you use ASDM to config…
For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I did…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question