[c-nsp] Cisco Software Client -> Router VPN issue.

Matlock, Kenneth L MatlockK at exempla.org
Mon Jan 5 11:48:15 EST 2009


Looking at this, I'm making 2 assumptions.

1) The client is connecting on the S0/0 interface to establish the VPN connection and
2) You're not using split-tunneling.


If both of those are the case, then this is a classic PIX/ASA 'problem'. You're trying to 'hairpin' the traffic. A PIX/ASA won't allow you to have a packet come in on an interface, and go back out the same interface. In order to allow this, you need to allow split tunneling, and have the end-user only tunnel traffic to your internal network, and use its own normal internet connection for the rest.

Or, figure out a way for the tunnel to terminate on S0/0, and have it somehow send its internet traffic out the F0/0 interface.

For the split tunneling, personally I don't like allowing it, due to the fact that if an end-user has a Trojan on their machine, they have access to both your internal network and the public internet at the same time, allowing a malicious person to be able to access your internal network interactively. At least disabling split tunneling provides an additional layer of protection. (my $0.02)

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org
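Added example (not Ken's or Chris's configuration): the two options Ken describes, written against the config Chris posted. Option A is the split-tunneling change; Option B keeps full tunneling and instead fixes the NAT domain problem on the IOS router. The ACL names SPLIT-TUNNEL and VPN-POOL-TO-INTERNET, the route-map name VPN-HAIRPIN, Loopback0 and the 10.255.255.0/30 loopback subnet are all made up for the example; everything else (SomeVPN, ourpool, intmap, NATRules, the 10.0.0.0/24 pool, the 192.168.100.0/24 LAN) comes from the posted config.

```cisco
! ---- Option A: split tunneling (the workaround Ken describes and advises against) ----
! Only traffic to the office LAN is tunnelled; the client sends everything else
! out its own Internet connection, so the router never has to NAT pool traffic.
! The ACL is pushed to the client as the list of protected networks.
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.100.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto isakmp client configuration group SomeVPN
 key my_key
 pool ourpool
 acl SPLIT-TUNNEL
!
! ---- Option B: keep full tunnelling and let the router NAT the pool ----
! On an IOS router the obstacle is the NAT domain rather than the interface:
! decrypted pool traffic arrives on Serial0/0 (ip nat outside) and, if it is
! Internet-bound, leaves on Serial0/0 again, so an "ip nat inside source" rule
! never sees an inside-to-outside flow. Policy-route that traffic to a next hop
! on a loopback marked "ip nat inside"; the loopback hands the packet back to
! the routing table, which now forwards it inside-to-outside and NATs it.
! (Assumed design; Loopback0 and 10.255.255.0/30 are made-up values.)
interface Loopback0
 ip address 10.255.255.1 255.255.255.252
 ip nat inside
!
! Match pool-to-Internet traffic only; pool-to-LAN must not be policy-routed.
ip access-list extended VPN-POOL-TO-INTERNET
 deny   ip 10.0.0.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
!
route-map VPN-HAIRPIN permit 10
 match ip address VPN-POOL-TO-INTERNET
 set ip next-hop 10.255.255.2
!
interface Serial0/0
 ip address my_ip 255.255.255.252
 ip nat outside
 ip policy route-map VPN-HAIRPIN
 crypto map intmap
!
! The existing NAT statement needs no change: NATRules already denies
! pool<->LAN traffic and permits 10.0.0.0/24 to any.
ip nat inside source route-map nonat interface Serial0/0 overload
```

Pick one option, not both. With Option A the client gets a route only for 192.168.100.0/24 and the Trojan exposure Ken describes applies; with Option B the client still has no direct Internet path, and `show ip nat translations` on the router should start showing entries with 10.0.0.x inside addresses once a client browses.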
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Networkers
Sent: Monday, January 05, 2009 8:38 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco Software Client -> Router VPN issue.

I'm trying to solve a problem with setting up the remote VPN access using
the Cisco VPN software client.  I have gotten it to the point where a user
can remotely tunnel to the router from their Doze PC, log in, receive an
IP in the 10.x.x.x network, and ping something on the 192.168.100.x
network.

However, they can't surf to the outside internet over that tunneled
connection.

I've taken a look at some sample configs on the Cisco site but they all
seem to be similar to this. My thinking is that the dial pool doesn't get
NATed properly, but I'm unsure on what to do to the config to fix this.
Normal 192.168.100.x Ethernet-connected PCs in the home office can surf
and do everything just fine.

Can someone offer a tidbit?

Thanks!
Chris


aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
username somebody password 0 my_password
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group SomeVPN
 key my_key
 pool ourpool
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
crypto ipsec transform-set trans2 esp-des esp-sha-hmac
crypto ipsec transform-set trans3 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set trans3
!
crypto map intmap client authentication list userauthen
crypto map intmap isakmp authorization list groupauthor
crypto map intmap client configuration address initiate
crypto map intmap client configuration address respond
crypto map intmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description Office LAN
 ip address 192.168.100.100 255.255.255.0
 ip nat inside
 no ip mroute-cache
!
interface Serial0/0
 ip address my_ip 255.255.255.252
 ip nat outside
 crypto map intmap
!
ip local pool ourpool 10.0.0.1 10.0.0.254
ip default-gateway upstream_ip
ip nat inside source route-map nonat interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
ip access-list extended NATRules
 deny   ip 192.168.100.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 10.0.0.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any
!
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 2 permit 192.168.100.0 0.0.0.255
!
route-map nonat permit 11
 match ip address NATRules
!
end

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/