Robin_Shipston
asked on
Enabling Cisco VPN client use of remote gateway internet connection
Hi
I have a Cisco 871 and want remote VPN clients to be able to use its internet connection, i.e. any traffic not for the LAN behind the 871 gets routed back out on the incoming internet connection. What is the best way of achieving this?
Many thanks
ASKER
Not their own internet connection, I want the clients to be able to use the internet connection of the remote gateway. The problem I am trying to overcome is state filtering of internet traffic. So I have VPN clients inside the filtered country that tunnel to head office in UK and can both access resources on the head office LAN and also use the head office internet connection there. Thus tunneling through the filtering.
Okay, you need to do the following on the main office router to get around the NAT limitations.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml
ASKER
That looks spot on, cheers. I've spent hours looking on Cisco's website!
I'll let you know how I get on.
ASKER
Cisco example didn't work, just trying to find opportunity to work out why.
Can you post the router config with the changes you attempted so I can verify.
ASKER
Traceroute verifies that the config is now working, a trace from the VPN client goes straight out onto the internet connection of the remote gateway. However any other traffic is getting blocked on the return by an access list on the external interface, and I don't know what access list entries to make.
The replies for the VPN clients don't seem to be being associated with the requests and allowed back.
At the moment access list 101 is blocking replies. So for instance if the VPN client browses to www.bbc.co.uk there will be a log entry of "list 101 denied [www.bbc.co.ukIP](80)->[ExternalrouterIP](62693), 1 packet".
Local users of course aren't affected by this blocking.
Building configuration...
Current configuration : 13203 bytes
!
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ******
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret *************
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.31 192.168.3.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.3.0 255.255.255.0
dns-server 158.43.192.1 158.43.128.1
default-router 192.168.3.254
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name homeip.net
ip name-server 158.43.192.1
ip name-server 158.43.128.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ddns update method sdm_ddns1
HTTP
add http:********
remove *********
!
!
!
crypto pki trustpoint TP-self-signed-421072361
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-421072361
revocation-check none
rsakeypair TP-self-signed-421072361
!
!
crypto pki certificate chain TP-self-signed-421072361
certificate self-signed 01
***************
quit
username **********
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group Home
key *********
pool SDM_POOL_2
max-users 10
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
bridge irb
!
!
interface Loopback0
ip address 10.11.0.1 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip dhcp client update dns server none
ip ddns update sdm_ddns1
ip address dhcp client-id FastEthernet4
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
ip route-cache flow
ip policy route-map VPN-Client
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Dot11Radio0
no ip address
!
encryption key 1 size 40bit ********* transmit-key
encryption mode ciphers tkip wep40
!
ssid *******
authentication open
wpa-psk ascii **********
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.3.254 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip local pool SDM_POOL_1 192.168.3.180 192.168.3.190
ip local pool SDM_POOL_2 192.168.50.1 192.168.50.10
ip classless
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source static tcp 192.168.3.237 5001 interface FastEthernet4 5001
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
no logging trap
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 2 permit ************
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.50.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
******
access-list 100 deny tcp any host 192.168.3.254 eq telnet
access-list 100 deny tcp any host 192.168.3.254 eq 22
access-list 100 deny tcp any host 192.168.3.254 eq www
access-list 100 deny tcp any host 192.168.3.254 eq 443
access-list 100 deny tcp any host 192.168.3.254 eq cmd
access-list 100 deny udp any host 192.168.3.254 eq snmp
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 192.168.50.1 any
access-list 101 permit ip host 192.168.50.2 any
access-list 101 permit ip host 192.168.50.3 any
access-list 101 permit ip host 192.168.50.4 any
access-list 101 permit ip host 192.168.50.5 any
access-list 101 permit ip host 192.168.50.6 any
access-list 101 permit ip host 192.168.50.7 any
access-list 101 permit ip host 192.168.50.8 any
access-list 101 permit ip host 192.168.50.9 any
access-list 101 permit ip host 192.168.50.10 any
access-list 101 permit ip host 192.168.3.180 any
access-list 101 permit ip host 192.168.3.181 any
access-list 101 permit ip host 192.168.3.182 any
access-list 101 permit ip host 192.168.3.183 any
access-list 101 permit ip host 192.168.3.184 any
access-list 101 permit ip host 192.168.3.185 any
access-list 101 permit ip host 192.168.3.186 any
access-list 101 permit ip host 192.168.3.187 any
access-list 101 permit ip host 192.168.3.188 any
access-list 101 permit ip host 192.168.3.189 any
access-list 101 permit ip host 192.168.3.190 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
*********
*********
access-list 101 permit udp host 158.43.128.1 eq domain any
access-list 101 permit udp host 158.43.192.1 eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 192.168.3.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any log
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.50.0 0.0.0.255 any
access-list 102 permit ip host ********any
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip any host 192.168.50.1
access-list 103 deny ip any host 192.168.50.2
access-list 103 deny ip any host 192.168.50.3
access-list 103 deny ip any host 192.168.50.4
access-list 103 deny ip any host 192.168.50.5
access-list 103 deny ip any host 192.168.50.6
access-list 103 deny ip any host 192.168.50.7
access-list 103 deny ip any host 192.168.50.8
access-list 103 deny ip any host 192.168.50.9
access-list 103 deny ip any host 192.168.50.10
access-list 103 deny ip any host 192.168.3.180
access-list 103 deny ip any host 192.168.3.181
access-list 103 deny ip any host 192.168.3.182
access-list 103 deny ip any host 192.168.3.183
access-list 103 deny ip any host 192.168.3.184
access-list 103 deny ip any host 192.168.3.185
access-list 103 deny ip any host 192.168.3.186
access-list 103 deny ip any host 192.168.3.187
access-list 103 deny ip any host 192.168.3.188
access-list 103 deny ip any host 192.168.3.189
access-list 103 deny ip any host 192.168.3.190
access-list 103 permit ip 192.168.3.0 0.0.0.255 any
access-list 103 permit ip 192.168.50.0 0.0.0.255 any
access-list 104 permit ip 192.168.50.0 0.0.0.255 any
snmp-server community admin RO
no cdp run
route-map vpn-loop permit 10
!
route-map VPN-Client permit 10
match ip address 104
set ip next-hop 10.11.0.2
!
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 102 in
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 158.43.128.33 source FastEthernet4 prefer
end
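The log line quoted above is exactly what a stateless inbound ACL produces: the reply from the web server (source port 80) arrives on FastEthernet4 addressed to the router's outside IP and an ephemeral port, and nothing in access-list 101 describes that packet, so it falls through to the final "deny ip any any log". On IOS the inbound ACL on the outside interface is evaluated before NAT untranslates the destination, and it is the CBAC "ip inspect" session table, not the ACL text, that opens temporary holes for return traffic of inspected sessions. The following evaluator is an added example written for this thread, not code from the original page or from Cisco; it walks a subset of the posted access-list 101 in first-match order against a few constructed packets. The outside-interface and web-server addresses (203.0.113.10, 198.51.100.20) and the ISAKMP peer 192.0.2.50 are placeholders for the redacted values.

```python
# Added example for this thread (not code from the original page): a stateless
# first-match evaluator for the subset of Cisco IOS extended-ACL syntax used in
# the posted access-list 101 (permit/deny, ip/tcp/udp/icmp/esp, any/host/
# wildcard, 'eq <port>', ICMP type keywords, trailing 'log').
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NAMED_PORTS = {"isakmp": 500, "non500-isakmp": 4500, "domain": 53,
               "bootps": 67, "bootpc": 68, "www": 80}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # ICMP type when proto == "icmp"
    text: str

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None  # ICMP type when proto == "icmp"

def _addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)  # invert wildcard
    return ipaddress.ip_network(f"{tok[i]}/{netmask}", strict=False), i + 2

def _port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    # optional 'eq <port|name>' qualifier after a source or destination
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else NAMED_PORTS[p]), i + 2
    return None, i

def parse_acl(text: str, number: str) -> List[Ace]:
    """Keep only 'access-list <number> permit|deny ...' lines, in order."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["access-list", number] or tok[2] == "remark":
            continue
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        if proto == "icmp" and i < len(tok) and tok[i] in ICMP_TYPES:
            dport = ICMP_TYPES[tok[i]]
        aces.append(Ace(action, proto, src, sport, dst, dport, line.strip()))
    return aces

def _matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and (ace.sport is None or ace.sport == pkt.sport)
            and (ace.dport is None or ace.dport == pkt.dport))

def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; IOS applies an implicit deny at the end."""
    for ace in aces:
        if _matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny"

# Subset of access-list 101 from the posted config, in the original order.
ACL_101 = """
access-list 101 permit ip host 192.168.50.1 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit udp host 158.43.128.1 eq domain any
access-list 101 deny ip 192.168.3.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip any any log
"""
OUTSIDE_IP = "203.0.113.10"   # constructed stand-in for the redacted Fa4 address
WEB_SERVER = "198.51.100.20"  # constructed stand-in for the www.bbc.co.uk address
SAMPLES = {  # inbound on FastEthernet4: destination is still the outside address
    "http_reply": Packet("tcp", WEB_SERVER, OUTSIDE_IP, 80, 62693),
    "isakmp": Packet("udp", "192.0.2.50", OUTSIDE_IP, 500, 500),
    "esp": Packet("esp", "192.0.2.50", OUTSIDE_IP),
    "dns_reply": Packet("udp", "158.43.128.1", OUTSIDE_IP, 53, 41234),
    "echo_reply": Packet("icmp", WEB_SERVER, OUTSIDE_IP, None, 0),
    "spoofed_rfc1918": Packet("tcp", "10.1.2.3", OUTSIDE_IP, 80, 1234),
}

def run_samples():
    aces = parse_acl(ACL_101, "101")
    return {name: evaluate(aces, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, (action, text) in run_samples().items():
        print(f"{name:16s} {action:6s} <- {text}")
```

Running it shows the HTTP reply landing on "deny ip any any log" while ISAKMP, ESP, the DNS reply from the configured name server and the ICMP echo-reply all hit explicit permits: the ACL only carries return entries for the protocols SDM wrote holes for, and everything else depends on the inspect session table. The evaluator deliberately has no state, which is the point: if a reply is logged as denied, the question to ask is why "ip inspect" did not track the outbound half of that session, not which ACE to add.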
ASKER CERTIFIED SOLUTION
ASKER
Excellent, works a treat! Thanks
For example:
ip access-list extended vpn-split-tunnel
 permit ip 10.0.0.0 0.0.0.255 10.255.255.0 0.0.0.255
! where 10.0.0.0/24 is the local LAN and 10.255.255.0/24 is the remote VPN pool
crypto isakmp client configuration group <groupname>
 acl vpn-split-tunnel
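As an added illustration for this thread (not configuration from the original posts or from Cisco), here is the same split-tunnel construction written against the group name, pool and LAN from the posted 871 config, next to the full-tunnel form the original question actually needs. With an "acl" under the client configuration group, the VPN client only encrypts traffic to the listed destinations and sends everything else out of its own local connection; leaving "acl" out makes the client's default route point into the tunnel, and the router then has to NAT the 192.168.50.0/24 pool back out of FastEthernet4, which is what the loopback hairpin and the VPN-Client route-map in the posted config are for. The pre-shared key is a placeholder.

```cisco
! Split tunnel: only the head-office LAN 192.168.3.0/24 is reached through the
! tunnel; the client's web traffic leaves via its own (filtered) connection.
ip access-list extended SPLIT_TUNNEL
 permit ip 192.168.3.0 0.0.0.255 192.168.50.0 0.0.0.255
!
crypto isakmp client configuration group Home
 key <pre-shared-key>
 pool SDM_POOL_2
 netmask 255.255.255.0
 acl SPLIT_TUNNEL
!
! Full tunnel (the goal in this thread): no "acl" line, so the client sends all
! traffic through the tunnel and the 871 must route and NAT the pool's
! internet-bound packets back out of FastEthernet4.
crypto isakmp client configuration group Home
 key <pre-shared-key>
 pool SDM_POOL_2
 netmask 255.255.255.0
```

For the filtering-bypass use case in the question the split-tunnel form is the wrong one: anything not matched by the ACL goes straight to the client's local ISP and is subject to the same state filtering the tunnel was meant to avoid.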