RE: IOS VPN and split tunneling [7:85826] posted 03/14/2004


Yeah, I have already checked this and the clients aren't being NATed, and I
know this is the problem, but I have no clue how to fix it or if it can
even be fixed.

> -----Original Message-----
> From: Jsnatan ^. Jsnasson [mailto:jonatan@xxxxxxxxxx]
> Sent: Sunday, March 14, 2004 8:17 AM
> To: Elijah Savage
> Cc: cisco@xxxxxxxxxxxxxx
> Subject: RE: IOS VPN and split tunneling [7:85826]
> 
> Are the VPN clients being NATed?
> If you do a "show ip nat trans" you should see if the
> VPN clients are going through the NAT or not.
> 
> I'm no expert in VPNs, but if clients are coming in via Ethernet1 and
> going out again via Ethernet1 (Internet?), they are therefore never going
> through the Ethernet0 interface that has the "ip nat inside" statement?
> 
> Anyway, just a guess...
> 
> Jonatan
> 
> 
> 
> > With this config below I can get to all the lan clients but I can't get
> > out to the net unless I put in split tunneling.
> >
> > cyborg#sh conf
> > Using 4593 out of 131072 bytes
> > !
> > ! Last configuration change at 21:33:47 America Sat Mar 13 2004 by
> > esavage
> > ! NVRAM config last updated at 21:33:48 America Sat Mar 13 2004 by
> > esavage
> > !
> > version 12.3
> > no service pad
> > service tcp-keepalives-in
> > service tcp-keepalives-out
> > service timestamps debug datetime msec localtime show-timezone
> > service timestamps log datetime msec localtime show-timezone
> > service password-encryption
> > service sequence-numbers
> > !
> > hostname cyborg
> > !
> > boot-start-marker
> > boot-end-marker
> > !
> > logging buffered 51200 debugging
> > logging console critical
> > enable secret 5 XXX
> > !
> > username XXX password 7 XXXX
> > clock timezone America/New_York -5
> > clock summer-time America/New_York date Apr 6 2003 2:00 Oct 26 2003 2:00
> > aaa new-model
> > !
> > !
> > aaa authentication login userauthen local
> > aaa authorization network groupauthor local
> > aaa session-id common
> > ip subnet-zero
> > no ip source-route
> > ip tcp synwait-time 10
> > !
> > no ip bootp server
> > ip cef
> > ip audit notify log
> > ip audit po max-events 100
> > ip ssh time-out 60
> > ip ssh authentication-retries 2
> > no ftp-server write-enable
> > !
> > !
> > !
> > !
> > crypto isakmp policy 3
> >  encr 3des
> >  hash md5
> >  authentication pre-share
> >  group 2
> > !
> > crypto isakmp client configuration group XXX
> >  key XXX
> >  dns 192.168.X.X
> >  wins 192.168.X.X
> >  pool test-pool
> > !
> > !
> > crypto ipsec transform-set myset esp-3des esp-md5-hmac
> > !
> > crypto dynamic-map dynmap 10
> >  set transform-set myset
> > !
> > !
> > crypto map clientmap client authentication list userauthen
> > crypto map clientmap isakmp authorization list groupauthor
> > crypto map clientmap client configuration address respond
> > crypto map clientmap 10 ipsec-isakmp dynamic dynmap
> > !
> > !
> > !
> > !
> > interface Null0
> >  no ip unreachables
> > !
> > interface Ethernet0
> >  description $FW_INSIDE$$ETH-LAN$
> >  ip address 192.168.X.X 255.255.255.0
> >  no ip redirects
> >  no ip unreachables
> >  no ip proxy-arp
> >  ip nat inside
> >  ip route-cache flow
> >  no cdp enable
> > !
> > interface Ethernet1
> >  description $FW_OUTSIDE$$ETH-WAN$
> >  ip address dhcp client-id Ethernet1
> >  no ip redirects
> >  no ip unreachables
> >  no ip proxy-arp
> >  ip nat outside
> >  ip route-cache flow
> >  duplex auto
> >  no cdp enable
> >  crypto map clientmap
> > !
> > ip local pool test-pool 192.168.1.1 192.168.1.254
> > ip nat inside source route-map nonat interface Ethernet1 overload
> > ip classless
> > ip http server
> > ip http access-class 2
> > ip http authentication local
> > ip http secure-server
> > !
> > !
> > logging trap debugging
> > access-list 2 remark HTTP Access-class list
> > access-list 2 remark SDM_ACL Category=1
> > access-list 2 permit 192.168.26.0 0.0.0.255
> > access-list 2 deny   any
> > access-list 105 remark VTY Access-class list
> > access-list 105 remark SDM_ACL Category=1
> > access-list 105 permit ip 192.168.X.X 0.0.0.255 any
> > access-list 105 permit ip host 24.X.X.X any
> > access-list 105 deny   ip any any
> > access-list 110 remark Cisco VPN Client Access to Local Lan
> > access-list 110 deny   ip 192.168.26.0 0.0.0.255 192.168.1.0 0.0.0.255
> > access-list 110 permit ip 192.168.26.0 0.0.0.255 any
> > access-list 110 permit ip 192.168.1.0 0.0.0.255 any
> > no cdp run
> > route-map nonat permit 10
> >  match ip address 110
> > !
> > !
> > control-plane
> > !
> > banner login ^CAuthorized access only!
> >  Disconnect IMMEDIATELY if you are not an authorized user!^C
> >
> >> -----Original Message-----
> >> From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
> >> Elijah Savage
> >> Sent: Saturday, March 13, 2004 9:28 PM
> >> To: cisco@xxxxxxxxxxxxxx
> >> Subject: RE: IOS VPN and split tunneling [7:85826]
> >>
> >> I have done this via access-list but my VPN clients can't get out to
> >> the net.
> >>
> >> > -----Original Message-----
> >> > From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
> >> > Joseph Brunner
> >> > Sent: Saturday, March 13, 2004 1:23 PM
> >> > To: cisco@xxxxxxxxxxxxxx
> >> > Subject: RE: IOS VPN and split tunneling [7:85826]
> >> >
> >> > can't you only permit the "interesting" networks you use
> >> > inside the router, and DENY all else ?
> >> > **Please support GroupStudy by purchasing from the GroupStudy Store:
> >> > http://shop.groupstudy.com
> >> > FAQ, list archives, and subscription info:
> >> > http://www.groupstudy.com/list/cisco.html




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=85839&t=85826
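As an added illustration of Jonatan's diagnosis (not code from the thread or from Cisco), the Python model below replays the posted interface NAT roles and access-list 110 against three constructed flows; the 198.51.100.7 "Internet" host and the 192.168.26.10 / 192.168.1.5 client addresses are assumed sample values. It encodes the IOS rule that inside-source NAT only translates packets entering an "ip nat inside" interface and leaving an "ip nat outside" one, which is why the VPN-client-to-Internet flow leaves with its pool address.

```python
# Added illustration (not from the thread): replays the IOS rule that
# 'ip nat inside source' translates only packets entering an 'ip nat inside'
# interface and leaving an 'ip nat outside' one, against ACL 110 and the
# interface roles exactly as posted. Host addresses are constructed samples.
from ipaddress import IPv4Address

NAT_ROLE = {"Ethernet0": "inside", "Ethernet1": "outside"}

# access-list 110 as posted: (action, src, src_wildcard, dst, dst_wildcard)
ACL_110 = [
    ("deny",   "192.168.26.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("permit", "192.168.26.0", "0.0.0.255", "0.0.0.0",     "255.255.255.255"),
    ("permit", "192.168.1.0",  "0.0.0.255", "0.0.0.0",     "255.255.255.255"),
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care

def acl_permits(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

def is_translated(src, dst, in_if, out_if):
    """'ip nat inside source route-map nonat interface Ethernet1 overload':
    needs an inside->outside path AND a match on route-map nonat (ACL 110)."""
    inside_to_outside = NAT_ROLE[in_if] == "inside" and NAT_ROLE[out_if] == "outside"
    return inside_to_outside and acl_permits(ACL_110, src, dst)

def diagnose(internet="198.51.100.7"):
    """Three constructed flows; returns {flow: translated?}."""
    return {
        # LAN host to the net: enters Ethernet0, leaves Ethernet1 -> PAT'd.
        "lan_to_internet": is_translated("192.168.26.10", internet, "Ethernet0", "Ethernet1"),
        # VPN client to a LAN host: works in the thread and needs no NAT.
        "vpn_to_lan": is_translated("192.168.1.5", "192.168.26.10", "Ethernet1", "Ethernet0"),
        # VPN client to the net without split tunneling: decrypted on Ethernet1
        # and routed back out Ethernet1, so it never crosses an 'ip nat inside'
        # interface and leaves with its non-routable pool address.
        "vpn_to_internet": is_translated("192.168.1.5", internet, "Ethernet1", "Ethernet1"),
    }

if __name__ == "__main__":
    for flow, natted in diagnose().items():
        print(f"{flow:16s} translated={natted}")
```

Only the LAN-to-Internet flow comes back translated; the VPN-to-Internet flow fails the interface-traversal test even though ACL 110 permits it, which matches the symptom described in the thread.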