[c-nsp] VPN Client to 1841, default route into tunnel with exceptions

Michael K. Smith mksmith at adhost.com
Wed Aug 27 22:38:22 EDT 2008


Hello Mark:

Unless I'm misreading your intent, it looks like what you are trying to
accomplish is split-tunneling, such that only traffic from your
VPN-connected Windows machines and your protected net is getting tunneled,
while everything else is handled outside the tunnel.  If this is correct,
take a look at:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008032b637.shtml

Regards,

Mike


On 8/26/08 7:01 AM, "Marc Haber" <mh+cisco-nsp at zugschlus.de> wrote:

> Hi,
> 
> this is strictly a client issue and not appropriate for cisco-nsp, but
> I haven't found any mailing list with this clue level for other
> cisco-related aspects. If there is one, I'd like to learn about it.
> 
> I have a bunch of Windows clients with the Cisco VPN Client
> 5.0.01.0600 and an 1841 running IOS 12.4(9)T4. My configuration is as
> follows:
> 
> aaa new-model
> !
> aaa authentication login default local
> aaa authentication login userauthen local
> aaa authentication login localauth local
> aaa authorization exec default local
> aaa authorization network groupauthor local
> !
> aaa session-id common
> !
> resource policy
> !
> ip cef
> !
> username marc.haber privilege 15 secret 5 <snip>
> !
> crypto isakmp policy 3
>  encr aes 256
>  authentication pre-share
>  group 2
> !
> crypto isakmp client configuration group InternClient
>  key onsh4OcyivOafmyodzet
>  dns 10.1.2.11 10.1.2.15
>  wins 10.1.2.11 10.1.2.15
>  domain example.com
>  pool ippool
>  acl DefaultrouteTunnel
> !
> !
> crypto ipsec transform-set InternTransformSet esp-aes 256 esp-sha-hmac
> !
> crypto dynamic-map InternDynmap 10
>  set transform-set InternTransformSet
>  reverse-route
> !
> !
> crypto map InternClientMap client authentication list userauthen
> crypto map InternClientMap isakmp authorization list groupauthor
> crypto map InternClientMap client configuration address respond
> crypto map InternClientMap 10 ipsec-isakmp dynamic InternDynmap
> !
> interface FastEthernet0/0
>  description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
>  ip address 172.26.248.10 255.255.255.248
>  duplex auto
>  speed auto
>  crypto map InternClientMap
> !
> ip access-list extended DefaultrouteTunnel
>  permit ip any any
> ip access-list extended DefaultrouteWithoutListedNetsTunnel
>  deny   ip 192.168.8.0 0.0.0.255 any
>  permit ip any any
> !
> 
> With this configuration, a client cannot communicate at all outside
> the tunnel, which is a desired feature in this setup. OTOH, some
> teleworkers would appreciate being able to talk to their networked
> printers on the local LANs.
> 
> I have received the advice of adding the local networks of all
> teleworkers to an access list, which has resulted in the
> "DefaultrouteWithoutListedNetsTunnel" ACL. But this does not seem to
> work, traffic for 192.168.8.3 still goes into the tunnel after I
> changed the acl reference in the crypto isakmp client configuration
> group InternClient. Also, I do not see any changes in the Windows
> client's routing tables.
> 
> Can someone advise what I am doing wrong here? Additionally, do I
> really need to exclude all local networks of all teleworkers in the
> global configuration, or is it possible to control this on a
> per-client basis?
> 
> All web-based documentation I have found deals with the VPN
> Concentrator series which do not seem to use IOS - at least I cannot
> make sense of the advice found there in my configuration.
> 
> Any hints will be appreciated.
> 
> Greetings
> Marc
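As an added example (not from either post in the thread), the InternClient group rewritten in the two shapes the IOS Easy VPN server actually supports: a split-tunnel ACL whose permit entries name the protected network, or a full tunnel with `include-local-lan`. Only the permit entries of the group ACL are pushed to the client as secured routes; deny entries are never sent, so an ACL of the form "deny local nets, permit any any" still results in a full tunnel. The 10.1.2.0/24 prefix is an assumption (the thread only shows DNS and WINS servers in that range).

```cisco
! --- Option A: split tunneling ------------------------------------------
! The client tunnels only the destinations listed with "permit"; all other
! traffic (including the teleworker's 192.168.8.x printers) stays local.
! Source = network behind the 1841, destination = the VPN client pool.
! 10.1.2.0/24 is an assumed protected net, not taken from the thread.
ip access-list extended SplitTunnelNets
 remark Networks reachable through the tunnel; everything else is local
 permit ip 10.1.2.0 0.0.0.255 any
!
crypto isakmp client configuration group InternClient
 key <group-psk-placeholder>
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl SplitTunnelNets
!
! --- Option B: full tunnel plus local-LAN access -------------------------
! Keeps "everything goes into the tunnel" (the posture the original
! config was built for) while letting the client reach only its own
! directly connected subnet (for the printers). The Cisco VPN Client
! must also have "Allow Local LAN Access" enabled in its profile.
! No per-client exclusion list is needed on the router, so the
! question about adding every teleworker's LAN goes away.
crypto isakmp client configuration group InternClient
 key <group-psk-placeholder>
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 include-local-lan
```

Option A widens the exposure of the client to whatever sits on its local LAN and the Internet while connected, whereas Option B limits the exception to the directly connected subnet; which one is acceptable is a policy call for the protected network, not a client setting.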