Quick overview. My LAN is 192.168.0.X. VPN client pool is 192.168.1.100-110.
My router has the following configuration:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 Jlks92jlkj344lk$jwllGhikXt60
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login vpnclient local
aaa authorization exec local_author local
aaa authorization network clientgroup local
!
aaa session-id common
!
resource policy
!
clock timezone Chicago -6
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.149
ip dhcp excluded-address 192.168.0.200 192.168.0.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.0.0 255.255.255.0
dns-server 68.105.28.14 68.105.29.14
default-router 192.168.0.1
lease 3
!
!
ip cef
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip tcp synwait-time 10
no ip bootp server
ip domain name domain.local
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-4283244843
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4283244843
revocation-check none
rsakeypair TP-self-signed-4283244843
!
!
crypto pki certificate chain TP-self-signed-3283233843
certificate self-signed 01
quit
username user privilege 15 secret 5 kljlkjL$lkj$$.$$LKJlkjlksjdlssdsdfaaa
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group groupname
key keyname
domain domain.local
pool mypool
acl 120
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 1000
set transform-set ESP-3DES-MD5
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list vpnclient
crypto map SDM_CMAP_1 isakmp authorization list clientgroup
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65000 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 123.123.123.123 255.255.255.224
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Dot11Radio0
no ip address
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
no dot11 extension aironet
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip local pool mypool 192.168.1.100 192.168.1.110
ip classless
ip route 0.0.0.0 0.0.0.0 123.123.123.124
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.10 3390 123.123.123.123 3390 extendable
!
logging trap debugging
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp any host 123.123.123.123 eq isakmp
access-list 101 permit udp any host 123.123.123.123 eq non500-isakmp
access-list 101 permit esp any host 123.123.123.123
access-list 101 permit udp any eq domain host 123.123.123.123
access-list 101 permit udp any eq domain host 123.123.123.123
access-list 101 deny ip any any log
access-list 103 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
ACL 120 is used to create a split tunnel. When a client connects, it gets assigned an address from the mypool pool. Any traffic from the client destined for network 192.168.0.X gets sent over the tunnel, while all other traffic from the client leaves via the client's standard default gateway. If you remove ACL 120, the VPN client is supposed to route all traffic over the VPN tunnel. When I try that, the VPN client can still get to the 192.168.0.X network but nothing beyond that.
Any ideas?
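A quick way to reason about the full-tunnel symptom is to evaluate the wildcard-mask ACLs from the config above against the flows involved. The following is an added example (not part of the original post) that models ACL 120 (the split-tunnel "interesting traffic" list handed to the client) and ACL 103 (the list the NAT route-map SDM_RMAP_1 matches on) exactly as they appear in the running-config, and checks what each one says about LAN-to-client, LAN-to-Internet and client-pool-to-Internet traffic; the source/destination addresses used as inputs are constructed, and the evaluator only handles the `ip` ACE forms that those two lists use.

```python
import ipaddress

# ACEs copied from the running-config in the post, as tuples of
# (action, source network, source wildcard, destination network, destination wildcard).
# "any" stands for the keyword of the same name.
ACL_120 = [("permit", "192.168.0.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]
ACL_103 = [
    ("deny",   "192.168.0.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("permit", "192.168.0.0", "0.0.0.255", "any", None),
]


def _matches(addr: str, network: str, wildcard) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    if network == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate(acl, src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a src->dst flow, first match wins,
    with the implicit deny at the end of every IOS access list."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if _matches(src, s_net, s_wc) and _matches(dst, d_net, d_wc):
            return action
    return "deny"


def classify(src: str, dst: str) -> dict:
    """Summarise what the two lists say about one flow.
    'tunnelled' follows ACL 120; 'natted_by_route_map' follows ACL 103,
    since 'ip nat inside source route-map SDM_RMAP_1 ...' only translates
    packets the route-map permits."""
    return {
        "tunnelled": evaluate(ACL_120, src, dst) == "permit",
        "natted_by_route_map": evaluate(ACL_103, src, dst) == "permit",
    }


if __name__ == "__main__":
    # Constructed sample flows: LAN host, a client from the mypool range, a public DNS server.
    for src, dst in [("192.168.0.10", "192.168.1.105"),
                     ("192.168.0.10", "8.8.8.8"),
                     ("192.168.1.105", "8.8.8.8")]:
        print(f"{src} -> {dst}: {classify(src, dst)}")
```

The last flow (a pool address bound for the Internet, which is exactly what full-tunnel mode sends back to the router) is permitted by neither list, so ACL 103 as written never hands a 192.168.1.x source to the NAT overload; any fix also has to account for that traffic entering and leaving on the same `ip nat outside` interface.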