RE: IOS VPN and split tunneling [7:85826] posted 03/14/2004


Are the VPN clients being NATed?
If you do a "show ip nat trans" you should see whether the
VPN clients are going through the NAT or not.

I'm no expert in VPNs, but if clients are coming in via ethernet 1, and
going out again via ethernet 1 (internet?), they are therefore never going
through the ethernet0 interface that has the "ip nat inside" statement?

Anyway, just a guess...

Jonatan



> With this config below I can get to all the lan clients but I can't get
> out to the net unless I put in split tunneling.
>
> cyborg#sh conf
> Using 4593 out of 131072 bytes
> !
> ! Last configuration change at 21:33:47 America Sat Mar 13 2004 by
> esavage
> ! NVRAM config last updated at 21:33:48 America Sat Mar 13 2004 by
> esavage
> !
> version 12.3
> no service pad
> service tcp-keepalives-in
> service tcp-keepalives-out
> service timestamps debug datetime msec localtime show-timezone
> service timestamps log datetime msec localtime show-timezone
> service password-encryption
> service sequence-numbers
> !
> hostname cyborg
> !
> boot-start-marker
> boot-end-marker
> !
> logging buffered 51200 debugging
> logging console critical
> enable secret 5 XXX
> !
> username XXX password 7 XXXX
> clock timezone America/New_York -5
> clock summer-time America/New_York date Apr 6 2003 2:00 Oct 26 2003 2:00
> aaa new-model
> !
> !
> aaa authentication login userauthen local
> aaa authorization network groupauthor local
> aaa session-id common
> ip subnet-zero
> no ip source-route
> ip tcp synwait-time 10
> !
> no ip bootp server
> ip cef
> ip audit notify log
> ip audit po max-events 100
> ip ssh time-out 60
> ip ssh authentication-retries 2
> no ftp-server write-enable
> !
> !
> !
> !
> crypto isakmp policy 3
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> !
> crypto isakmp client configuration group XXX
>  key XXX
>  dns 192.168.X.X
>  wins 192.168.X.X
>  pool test-pool
> !
> !
> crypto ipsec transform-set myset esp-3des esp-md5-hmac
> !
> crypto dynamic-map dynmap 10
>  set transform-set myset
> !
> !
> crypto map clientmap client authentication list userauthen
> crypto map clientmap isakmp authorization list groupauthor
> crypto map clientmap client configuration address respond
> crypto map clientmap 10 ipsec-isakmp dynamic dynmap
> !
> !
> !
> !
> interface Null0
>  no ip unreachables
> !
> interface Ethernet0
>  description $FW_INSIDE$$ETH-LAN$
>  ip address 192.168.X.X 255.255.255.0
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip nat inside
>  ip route-cache flow
>  no cdp enable
> !
> interface Ethernet1
>  description $FW_OUTSIDE$$ETH-WAN$
>  ip address dhcp client-id Ethernet1
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip nat outside
>  ip route-cache flow
>  duplex auto
>  no cdp enable
>  crypto map clientmap
> !
> ip local pool test-pool 192.168.1.1 192.168.1.254
> ip nat inside source route-map nonat interface Ethernet1 overload
> ip classless
> ip http server
> ip http access-class 2
> ip http authentication local
> ip http secure-server
> !
> !
> logging trap debugging
> access-list 2 remark HTTP Access-class list
> access-list 2 remark SDM_ACL Category=1
> access-list 2 permit 192.168.26.0 0.0.0.255
> access-list 2 deny   any
> access-list 105 remark VTY Access-class list
> access-list 105 remark SDM_ACL Category=1
> access-list 105 permit ip 192.168.X.X 0.0.0.255 any
> access-list 105 permit ip host 24.X.X.X any
> access-list 105 deny   ip any any
> access-list 110 remark Cisco VPN Client Access to Local Lan
> access-list 110 deny   ip 192.168.26.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 110 permit ip 192.168.26.0 0.0.0.255 any
> access-list 110 permit ip 192.168.1.0 0.0.0.255 any
> no cdp run
> route-map nonat permit 10
>  match ip address 110
> !
> !
> control-plane
> !
> banner login ^CAuthorized access only!
>  Disconnect IMMEDIATELY if you are not an authorized user!^C
>
>> -----Original Message-----
>> From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
>> Elijah Savage
>> Sent: Saturday, March 13, 2004 9:28 PM
>> To: cisco@xxxxxxxxxxxxxx
>> Subject: RE: IOS VPN and split tunneling [7:85826]
>>
>> I have done this via access-list but my vpn clients can't get out to the
>> net.
>>
>> > -----Original Message-----
>> > From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
>> > Joseph Brunner
>> > Sent: Saturday, March 13, 2004 1:23 PM
>> > To: cisco@xxxxxxxxxxxxxx
>> > Subject: RE: IOS VPN and split tunneling [7:85826]
>> >
>> > can't you only permit the "interesting" networks you use
>> > inside the router, and DENY all else ?
>> > **Please support GroupStudy by purchasing from the GroupStudy Store:
>> > http://shop.groupstudy.com
>> > FAQ, list archives, and subscription info:
>> > http://www.groupstudy.com/list/cisco.html
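As an added illustration of Jonatan's point (this is example code, not anything from the thread or from Cisco), the following Python models the relevant part of the quoted config: IOS only applies "ip nat inside source" to packets that enter an "ip nat inside" interface and leave an "ip nat outside" interface, and then only if route-map nonat (access-list 110) permits them. The decrypted VPN client traffic arrives on Ethernet1 and leaves on Ethernet1, so it never qualifies. The interface roles are taken from the config; the internet address 198.51.100.7 is a constructed documentation-range value.

```python
from ipaddress import ip_address

# access-list 110, transcribed from the quoted config (action, src, src-wildcard, dst, dst-wildcard)
ACL_110 = [
    ("deny",   "192.168.26.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("permit", "192.168.26.0", "0.0.0.255", "0.0.0.0",     "255.255.255.255"),
    ("permit", "192.168.1.0",  "0.0.0.255", "0.0.0.0",     "255.255.255.255"),
]

# Interface roles from the quoted config
NAT_INSIDE = {"Ethernet0"}   # ip nat inside
NAT_OUTSIDE = {"Ethernet1"}  # ip nat outside (and the crypto map)


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care'."""
    mask = int(ip_address(wildcard)) ^ 0xFFFFFFFF
    return (int(ip_address(addr)) & mask) == (int(ip_address(base)) & mask)


def acl_permits(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def nat_decision(src, dst, in_if, out_if):
    """Simplified model (assumption, not IOS code) of
    'ip nat inside source route-map nonat interface Ethernet1 overload'.
    Returns (translated, reason)."""
    if in_if not in NAT_INSIDE or out_if not in NAT_OUTSIDE:
        return False, "packet did not go inside->outside; inside source NAT not consulted"
    if not acl_permits(ACL_110, src, dst):
        return False, "route-map nonat does not match; left untranslated on purpose"
    return True, "translated to the Ethernet1 (outside) address"


if __name__ == "__main__":
    cases = [
        ("LAN host -> internet", "192.168.26.10", "198.51.100.7", "Ethernet0", "Ethernet1"),
        ("VPN client -> internet (hairpin)", "192.168.1.5", "198.51.100.7", "Ethernet1", "Ethernet1"),
        ("LAN host -> VPN client", "192.168.26.10", "192.168.1.5", "Ethernet0", "Ethernet1"),
        ("VPN client -> LAN host", "192.168.1.5", "192.168.26.10", "Ethernet1", "Ethernet0"),
    ]
    for label, src, dst, i, o in cases:
        print(f"{label}: {nat_decision(src, dst, i, o)}")
```

Only the first case gets a translation; the VPN client's internet-bound packet would leave Ethernet1 with its 192.168.1.x pool address as source, which is why it never gets a reply, while LAN-to-client traffic is correctly exempted by the deny line in access-list 110.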




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=85837&t=85826