[c-nsp] VPN Client to 1841, default route into tunnel with exceptions
Michael K. Smith
mksmith at adhost.com
Wed Aug 27 22:38:22 EDT 2008
Hello Marc:
Unless I'm misreading your intent, it looks like what you are trying to
accomplish is split-tunneling, such that only traffic from your
VPN-connected Windows machines and your protected net is getting tunneled,
while everything else is handled outside the tunnel. If this is correct,
take a look at:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008032b637.shtml
Regards,
Mike
On 8/26/08 7:01 AM, "Marc Haber" <mh+cisco-nsp at zugschlus.de> wrote:
> Hi,
>
> this is strictly a client issue and not appropriate for cisco-nsp, but
> I haven't found any mailing list with this clue level for other
> cisco-related aspects. If there is one, I'd like to learn about it.
>
> I have a bunch of Windows clients with the Cisco VPN Client
> 5.0.01.0600 and an 1841 running IOS 12.4(9)T4. My configuration is as
> follows:
>
> aaa new-model
> !
> aaa authentication login default local
> aaa authentication login userauthen local
> aaa authentication login localauth local
> aaa authorization exec default local
> aaa authorization network groupauthor local
> !
> aaa session-id common
> !
> resource policy
> !
> ip cef
> !
> username marc.haber privilege 15 secret 5 <snip>
> !
> crypto isakmp policy 3
> encr aes 256
> authentication pre-share
> group 2
> !
> crypto isakmp client configuration group InternClient
> key onsh4OcyivOafmyodzet
> dns 10.1.2.11 10.1.2.15
> wins 10.1.2.11 10.1.2.15
> domain example.com
> pool ippool
> acl DefaultrouteTunnel
> !
> !
> crypto ipsec transform-set InternTransformSet esp-aes 256 esp-sha-hmac
> !
> crypto dynamic-map InternDynmap 10
> set transform-set InternTransformSet
> reverse-route
> !
> !
> crypto map InternClientMap client authentication list userauthen
> crypto map InternClientMap isakmp authorization list groupauthor
> crypto map InternClientMap client configuration address respond
> crypto map InternClientMap 10 ipsec-isakmp dynamic InternDynmap
> !
> interface FastEthernet0/0
> description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
> ip address 172.26.248.10 255.255.255.248
> duplex auto
> speed auto
> crypto map InternClientMap
> !
> ip access-list extended DefaultrouteTunnel
> permit ip any any
> ip access-list extended DefaultrouteWithoutListedNetsTunnel
> deny ip 192.168.8.0 0.0.0.255 any
> permit ip any any
> !
>
> With this configuration, a client cannot communicate at all outside
> the tunnel, which is a desired feature in this setup. OTOH, some
> teleworkers would appreciate being able to talk to their networked
> printers on the local LANs.
>
> I have received the advice of adding the local networks of all
> teleworkers to an access list, which has resulted in the
> "DefaultrouteWithoutListedNetsTunnel" ACL. But this does not seem to
> work, traffic for 192.168.8.3 still goes into the tunnel after I
> changed the acl reference in the crypto isakmp client configuration
> group InternClient. Also, I do not see any changes in the Windows
> client's routing tables.
>
> Can someone advise what I am doing wrong here? Additionally, do I
> really need to exclude all local networks of all teleworkers in the
> global configuration, or is it possible to control this on a
> per-client basis?
>
> All web-based documentation I have found deals with the VPN
> Concentrator series which do not seem to use IOS - at least I cannot
> make sense of the advice found there in my configuration.
>
> Any hints will be appreciated.
>
> Greetings
> Marc
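As an added example (not part of either message above, and not a Cisco-published configuration): in the IOS Easy VPN server, the "acl" under a client configuration group is a split-tunnel list in which only the permit entries count. Each permitted network is pushed to the Cisco VPN Client as a secured route; a deny entry is silently dropped rather than pushed as an exclusion, which is why "DefaultrouteWithoutListedNetsTunnel" behaves exactly like "permit ip any any". Two ways to give the teleworkers their printers back, reusing the group name from the posted config and assuming 10.1.2.0/24 is the protected network (inferred from the dns/wins addresses; adjust to the real ranges):

```cisco
! Added example, not from the original thread. Pick ONE of the two options;
! both are sub-commands of the same client group, so the later "acl" or
! "include-local-lan" line is what ends up in the running config.
!
! Option A: classic split tunneling. Only the protected network(s) are
! tunneled; the client reaches its local printer (and the Internet)
! directly. The ACL is written from the router's point of view:
! source = network behind the 1841, destination = the client.
ip access-list extended SplitTunnelProtectedNets
 permit ip 10.1.2.0 0.0.0.255 any
!
crypto isakmp client configuration group InternClient
 acl SplitTunnelProtectedNets
!
! Option B: keep tunnel-all, but let the client add a route for the subnet
! its own NIC sits on. No server-side list of teleworker LANs is needed,
! and it is per client by construction, because each client learns only
! its directly connected subnet. The user must also tick
! "Allow Local LAN Access" in the Cisco VPN Client connection entry.
crypto isakmp client configuration group InternClient
 include-local-lan
!
! Verification on the 1841 after a client reconnects: with option A the
! proxy identities show 10.1.2.0/24 instead of 0.0.0.0/0.
! show crypto ipsec sa
! show crypto session detail
```

Per-client control beyond this is done by giving different classes of clients different groups (each group has its own name, pre-shared key and acl, and the client profile selects the group), not by stacking deny entries in one list. Security-wise, option A puts the client on the Internet and the protected network at the same time, so the endpoint firewall has to carry the load; option B exposes only the directly connected LAN and is the smaller change. Either way, the group pre-shared key that was pasted into the original post is now in a public archive and should be rotated.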