[c-nsp] cisco VPN client to an IOS router: sending ALL traffic thru the VPN

Philippe Strauss philou at philou.ch
Wed Jul 4 05:13:44 EDT 2007


Hello,

I'm trying to set up a small router (c876) for a customer, with a VPN
setup such that VPN clients get the default route thru the VPN, hence all
traffic goes thru the VPN (no split-tunneling). Along with NAT on the
"central" c876, it's not as easy as it seems.

Basically, VPN client traffic enters thru the outside interface and should
go out via the same interface. It never passes thru a "nat inside"
interface.

There's a trick documented by Cisco using policy routing and a loopback
interface: you match the VPN client pool IPs in a route-map and send them
to the loopback on which you have configured "nat inside".

The Cisco doco:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

Unfortunately it doesn't work for me with the following
(I've got a lot of log hits on the last deny statement of the NAT ACL 101,
which looks suspicious: IP src 195.70.21.191 (outside int) to my test
VPN client on TCP):

Any help appreciated!

!
version 12.4
!
logging buffered 131072
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local 
!
aaa session-id common
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.19
!
ip dhcp pool LAN-DHCP
   network 192.168.1.0 255.255.255.0
   dns-server 195.70.1.100 195.70.10.100 
   default-router 192.168.1.1 
   domain-name dfi.ch
!
no ip domain lookup
ip name-server 195.70.1.100
ip name-server 195.70.10.100
ip inspect name firewall icmp
ip inspect name firewall udp
ip inspect name firewall tcp
ip inspect name firewall ftp
!
multilink bundle-name authenticated
!
no spanning-tree vlan 1
username BLAH privilege X password 7 XXX
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group CLIENTNAME
 key XXXXXXXX
 pool VPNPOOL
 save-password
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac 
!
crypto dynamic-map DYNMAP 10
 set transform-set MYSET
 ! tried with no luck:
 ! reverse-route
!
crypto map CLIENTMAP client authentication list userauthen
crypto map CLIENTMAP isakmp authorization list groupauthor
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP 
!
interface Loopback0
 description for NATing outside VPN traffic
 ip address 192.168.254.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35 
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto 
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 ip policy route-map VPN-OUT-NAT
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname BLAH
 ppp chap password 7 XXXXX
 crypto map CLIENTMAP
!
ip local pool VPNPOOL 192.168.2.10 192.168.2.30
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Dialer1 overload
!
access-list 101 remark NAT
access-list 101 remark Deny LAN to VPN clients
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark Deny VPN clients to LAN
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark Permit LAN to anywhere
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark Permit VPN clients to anywhere (no split-tunnel)
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 deny   ip any any log
access-list 106 remark VPN POOL (for pol routing)
access-list 106 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map VPN-OUT-NAT permit 10
 match ip address 106
 set interface Loopback0
 ! tried with no luck:
 ! set ip next-hop 192.168.254.1
!

-- 
Philippe Strauss
av. de Beaulieu 25
1004 Lausanne
http://philou.ch
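As an added illustration (not part of Philippe's message or of Cisco's document), here is a small Python walker that applies Cisco wildcard-mask, first-match-wins semantics to ACL 101 exactly as posted, so you can see which statement a given flow hits and why a packet from the outside address 195.70.21.191 to a VPN-pool client lands on the final `deny ip any any log`. The destination 203.0.113.5 is a constructed placeholder for an Internet host.

```python
import ipaddress

ACL_101 = """  # ACL 101 copied from the posted config (remarks omitted)
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 deny   ip any any log
"""

def _consume_addr(tok):
    """Pop one address spec ('any' or 'A.B.C.D WILDCARD') and return (base, wildcard) as ints."""
    head = tok.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    return int(ipaddress.IPv4Address(head)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse_acl(text, number):
    """Return the ACEs of one numbered extended ACL as (text, action, proto, src, dst, log)."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", str(number)] or tok[2] == "remark":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, dst = _consume_addr(rest), _consume_addr(rest)
        aces.append((line.strip(), action, proto, src, dst, "log" in rest))
    return aces

def _addr_match(addr, spec):
    # Cisco wildcard mask: 0 bits must match the base address, 1 bits are "don't care".
    base, wild = spec
    return (int(ipaddress.IPv4Address(addr)) ^ base) & (0xFFFFFFFF ^ wild) == 0

def first_match(aces, src, dst, proto="ip"):
    """First-match-wins lookup; None stands for the implicit deny at the end of every ACL."""
    for ace in aces:
        _, _, ace_proto, s, d, _ = ace
        if ace_proto in ("ip", proto) and _addr_match(src, s) and _addr_match(dst, d):
            return ace
    return None

def nat_verdict(src, dst, proto="ip"):
    """(action, logged, ace_text) that 'ip nat inside source list 101' applies to this flow."""
    ace = first_match(parse_acl(ACL_101, 101), src, dst, proto)
    return ("deny", False, "<implicit deny>") if ace is None else (ace[1], ace[5], ace[0])

if __name__ == "__main__":
    for flow in [("192.168.1.50", "203.0.113.5"), ("192.168.2.10", "203.0.113.5"),
                 ("192.168.2.10", "192.168.1.50"), ("195.70.21.191", "192.168.2.10")]:
        print(flow, "->", nat_verdict(*flow, "tcp"))
```

The last flow is the one the poster sees logged: the outside address is not in either inside range, so it falls through every permit to the logging deny, which is what you would expect from NAT evaluating the ACL on a packet that was never sourced from an inside network.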

