[c-nsp] Cisco Software Client -> Router VPN issue.

Brian Stiff (bstiff) bstiff at cisco.com
Tue Jan 6 17:45:09 EST 2009


Hi Chris-

Your guess that NAT (or rather, lack thereof) is playing a part in this
problem is correct.  To offer Internet connectivity via the hub site for
VPN users, you'll need to apply a "NAT on a stick" configuration for the
VPN clients' traffic.  Refer to this doc for some background:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

You'll need to modify the configuration described in the doc such that
the policy route will forward the traffic through a loopback configured
as "nat inside", so that the Internet-bound traffic will be handled
properly by NAT. 

Otherwise, split tunneling should fit the bill fine, if you don't care
what users are doing on the Internet, and you're not worried about what
the Internet is doing to/with VPN client PCs.

Regards,
-B


Brian Stiff
720.562.6462
Technical Marketing Engineer
IOS & Router Security Mktg
http://www.cisco.com/go/iossecurity

Date: Mon, 05 Jan 2009 08:38:02 -0700
From: Networkers <cisco at peakpeak.com>
Subject: [c-nsp] Cisco Software Client -> Router VPN issue.
To: <cisco-nsp at puck.nether.net>
Message-ID: <C587776A.32DC7%cisco at peakpeak.com>
Content-Type: text/plain; charset="ISO-8859-1"

I'm trying to solve a problem with setting up the remote VPN access
using the Cisco VPN software client.  I have gotten it to the point
where a user can remotely tunnel to the router from their Doze PC, log
in, receive an IP in the 10.x.x.x network, and ping something on the
192.168.100.x network.

However, they can't surf to the outside internet over that tunneled
connection.

I've taken a look at
some sample configs on the Cisco site but they all seem to be similar to
this. My thinking is that the dial pool doesn't get NATed properly, but
I'm unsure on what to do to the config to fix this.  Normal
192.168.100.x Ethernet-connected PCs in the home office can surf and do
everything just fine.
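The loopback-based "NAT on a stick" that Brian describes above, written out as an added IOS configuration example (not from the thread or from the Cisco document). Interface names, the 10.10.10.0/24 client pool, the 198.51.100.2 outside address, the Loopback0 /30 and the crypto map name are all assumed; the router's existing VPN client setup is left as is.

```cisco
! Assumed addressing (constructed for this example, not from the thread):
!   FastEthernet0/0 = Internet-facing interface, 198.51.100.2/30 (ip nat outside)
!   FastEthernet0/1 = home-office LAN 192.168.100.0/24             (ip nat inside)
!   VPN client pool = 10.10.10.0/24, handed out by the router
!   Loopback0       = 10.255.255.1/30, the "inside" leg that Internet-bound
!                     VPN client traffic is bounced through before NAT
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.252
 ip nat inside
!
interface FastEthernet0/1
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
!
! Decrypted VPN client packets arrive on the outside interface, so the
! policy route has to be applied here. CLIENTVPN is the assumed name of
! the existing crypto map.
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 ip policy route-map VPN-NAT-LOOP
 crypto map CLIENTVPN
!
! 1) Only Internet-bound client traffic is bounced through the loopback;
!    traffic for the office LAN is routed normally and never translated.
access-list 120 deny   ip 10.10.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
!
! The next hop is the *other* address in the Loopback0 /30, so the packet
! is forwarded into the loopback, re-enters on a nat-inside interface and
! is then source-translated on its way back out FastEthernet0/0.
route-map VPN-NAT-LOOP permit 10
 match ip address 120
 set ip next-hop 10.255.255.2
!
! 2) PAT for both the office LAN and the VPN pool. The deny lines keep
!    LAN<->client traffic untranslated, otherwise it would be NATed on its
!    way to the crypto map on the outside interface.
access-list 110 deny   ip 192.168.100.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 deny   ip 10.10.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list 110 interface FastEthernet0/0 overload
```

After a client connects and browses, `show ip nat translations | include 10.10.10.` should list translations for the client pool, and `show route-map VPN-NAT-LOOP` should show the policy-routing match counters climbing; if neither moves, the decrypted packets are not hitting the policy route on the outside interface.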
