[c-nsp] Cisco Software Client -> Router VPN issue.
Luan Nguyen
luan at netcraftsmen.net
Mon Jan 5 12:35:58 EST 2009
Uhm, that's split-tunneling.
If you want to use internet at the router site then follow this guide:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml
Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] luan at netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Luan Nguyen
Sent: Monday, January 05, 2009 12:09 PM
To: 'Networkers'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco Software Client -> Router VPN issue.
Create ACL 101 permit 10.0.0.0 0.0.0.255 any
Then under the "crypto isakmp client configuration group SomeVPN"
Add "ACL 101"
Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] luan at netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Networkers
Sent: Monday, January 05, 2009 10:38 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco Software Client -> Router VPN issue.
I'm trying to solve a problem with setting up the remote VPN access using
the Cisco VPN software client. I have gotten it to the point where a user
can remotely tunnel to the router from their Doze PC, log in, receive an
IP in the 10.x.x.x network, and ping something on the 192.168.100.x
network.
However, they can't surf to the outside internet over that tunneled
connection.
I've taken a look at some sample configs on the Cisco site but they all
seem to be similar to this. My thinking is that the dial pool doesn't get
NATed properly, but I'm unsure on what to do to the config to fix this.
Normal 192.168.100.x Ethernet-connected PCs in the home office can surf
and do everything just fine.
Can someone offer a tidbit?
Thanks!
Chris
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
username somebody password 0 my_password
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group SomeVPN
key my_key
pool ourpool
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
crypto ipsec transform-set trans2 esp-des esp-sha-hmac
crypto ipsec transform-set trans3 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set trans3
!
crypto map intmap client authentication list userauthen
crypto map intmap isakmp authorization list groupauthor
crypto map intmap client configuration address initiate
crypto map intmap client configuration address respond
crypto map intmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
description Office LAN
ip address 192.168.100.100 255.255.255.0
ip nat inside
no ip mroute-cache
!
interface Serial0/0
ip address my_ip 255.255.255.252
ip nat outside
crypto map intmap
!
ip local pool ourpool 10.0.0.1 10.0.0.254
ip default-gateway upstream_ip
ip nat inside source route-map nonat interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
ip access-list extended NATRules
deny ip 192.168.100.0 0.0.0.255 10.0.0.0 0.0.0.255
deny ip 10.0.0.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 any
permit ip 10.0.0.0 0.0.0.255 any
!
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 2 permit 192.168.100.0 0.0.0.255
!
route-map nonat permit 11
match ip address NATRules
!
end
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
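The NAT decision behind Chris's symptom, as an added Python model that is not part of the thread: it applies the posted NATRules ACL and the posted inside/outside interface roles to a few constructed flows, showing that the VPN pool is permitted by the ACL but never crosses an "ip nat inside" interface on its way back out. The flow names, the 198.51.100.10 destination and the evaluate() helper are assumptions for the illustration.

```python
"""Model of how IOS 'ip nat inside source route-map ...' decides whether to
translate a packet, applied to the router config posted in the thread.
Added illustration; the ACL, interfaces and pool are the ones posted, the
sample flows are constructed."""
from ipaddress import ip_address, ip_network

# NATRules as posted: (action, src_net, dst_net); wildcard 0.0.0.255 == /24
NATRULES = [
    ("deny",   "192.168.100.0/24", "10.0.0.0/24"),
    ("deny",   "10.0.0.0/24",      "192.168.100.0/24"),
    ("permit", "192.168.100.0/24", "0.0.0.0/0"),
    ("permit", "10.0.0.0/24",      "0.0.0.0/0"),
]

# 'ip nat inside' / 'ip nat outside' as posted
NAT_ROLE = {"FastEthernet0/0": "inside", "Serial0/0": "outside"}


def acl_permits(src, dst, rules=NATRULES):
    """Extended ACL evaluation: first matching entry wins, implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action == "permit"
    return False


def nat_applies(ingress, egress, src, dst):
    """Inside-source NAT translates only packets that enter an inside
    interface, leave an outside interface, and are permitted by the ACL.
    Decrypted VPN packets are received on the crypto interface Serial0/0
    (an outside interface), so on the way back out to the internet they
    never cross an inside interface and are left untranslated."""
    return (NAT_ROLE.get(ingress) == "inside"
            and NAT_ROLE.get(egress) == "outside"
            and acl_permits(src, dst))


# Constructed sample flows: (ingress, egress, src, dst)
FLOWS = {
    "lan_pc_to_internet":     ("FastEthernet0/0", "Serial0/0", "192.168.100.50", "198.51.100.10"),
    "vpn_client_to_lan":      ("Serial0/0", "FastEthernet0/0", "10.0.0.7", "192.168.100.50"),
    "vpn_client_to_internet": ("Serial0/0", "Serial0/0", "10.0.0.7", "198.51.100.10"),
}


def evaluate():
    """Return, per flow, whether the posted config would translate it."""
    return {name: nat_applies(*flow) for name, flow in FLOWS.items()}
```

Only the office LAN flow comes back True; the VPN client's internet-bound flow passes the ACL yet is not translated, which matches the behaviour reported in the post.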