- Cisco 800 (836) VPN to Internet NAT
- Posted by HangaS on May 11th, 2008
Hi,
I've been struggling with this for a long while.
I've done tons of searches and haven't found a solution on how to
solve this.
I've even read all the Cisco documentation on VPDNs, but no help on this
particular issue.
This is my issue:
I have this Cisco 836 providing NAT for all the internal networks.
Everything is working fine.
I also have a VPN that is working normally for the internal networks
only. A client connected
to the VPN can access the internal network without problems.
However the VPN users can't access the internet and I have no idea
where the packets are being dropped.
I really wanted the VPN network to be NATed to the outside, just like
any other internal network.
But I even tried to route the VPN network to another router on the
internal network, but the default GW didn't change on the client side.
This is the current config:
c836# show running-config
Building configuration...
Current configuration : 10291 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname c836
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Z98Y$LdV8s.N4ptl1VtFSITBtE.
!
no aaa new-model
no ip source-route
!
!
no ip dhcp use vrf connected
!
ip dhcp pool VPNPOOL
network 172.19.0.0 255.255.0.0
domain-name vpn.lan
dns-server 192.168.1.253
default-router 192.168.200.2
lease 30
!
!
no ip cef
ip name-server 212.18.160.133
no ip bootp server
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
isdn switch-type basic-net3
!
!
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXX
username USER password 7 XXXXXXXXXXXXXXXXX
!
!
!
!
!
interface Ethernet0
description --- 10Mbps connection to LAN ---
ip address 172.16.0.1 255.255.0.0
ip access-group 112 in
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface Ethernet2
description --- Connection to Cisco 877 ---
ip address 192.168.200.1 255.255.255.0
ip access-group 112 in
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface BRI0
no ip address
encapsulation hdlc
isdn switch-type basic-net3
isdn point-to-point-setup
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode etsi
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Virtual-Template1
description --- PPTP VPN access interface ---
ip unnumbered Ethernet2
ip nat inside
ip virtual-reassembly
ip route-cache flow
peer default ip address dhcp-pool VPNPOOL
no keepalive
ppp encrypt mppe 128
ppp authentication ms-chap-v2
!
interface Dialer1
ip address negotiated
ip access-group FROMINET in
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name VDF
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ppp chap password 7 XXXXXXXXXXXXXXXXXX
ppp pap sent-username XXXXXXXXXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXXXXX
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.18.0.0 255.255.0.0 192.168.200.2
ip route 192.168.1.0 255.255.255.0 192.168.200.2
ip route 192.168.2.0 255.255.255.0 192.168.200.2
ip route 192.168.3.0 255.255.255.0 192.168.200.2
!
no ip http server
no ip http secure-server
!
no ip nat service sip udp port 5060
ip nat inside source route-map NAT interface Dialer1 overload
ip nat inside source static tcp 192.168.3.10 80 x.y.z.106 25 extendable
ip nat inside source static tcp 192.168.1.253 80 x.y.z.106 80 extendable
ip nat inside source static tcp 192.168.1.253 80 z.y.z.106 443 extendable
!
!
ip access-list extended FROMINET
remark Filter Traffic from INET
permit ip any any
permit gre any any
!
ip access-list extended INTERNAL
permit ip 192.168.0.0 0.0.255.255 any
permit ip 172.18.0.0 0.0.255.255 any
permit ip 172.19.0.0 0.0.255.255 any
!
access-list 112 permit tcp host 192.168.3.10 any eq smtp
access-list 112 deny tcp any any eq smtp
access-list 112 permit ip any any
no cdp run
!
route-map NAT permit 10
match ip address INTERNAL
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
login local
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
line vty 5 15
privilege level 15
login
transport input telnet
!
scheduler max-task-time 5000
no rcapi server
!
!
end
Connected client info:
PPP adapter VPN:
Connection-specific DNS Suffix . : vpn.lan
Description . . . . . . . . . . . : VPN
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.19.0.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0
DNS Servers . . . . . . . . . . . : 192.168.1.253
212.18.160.133
NetBIOS over Tcpip. . . . . . . . : Enabled
Any tips?
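The posted config ties dynamic NAT to a route-map whose ACL lists the source networks, and the tunnel interface is marked `ip nat inside`. The following script is an added example, not part of the thread or of Cisco's own tooling: it parses a constructed excerpt of the running-config above (the lines that decide whether a source gets translated) and reports, for a given source address and ingress interface, which check it fails. Every function name is my own, and the excerpt is sample input rather than a corrected configuration.

```python
import ipaddress
import re

# Constructed excerpt of the running-config posted above, trimmed to the
# statements the checks below look at. Sample input, not a corrected config.
SAMPLE_CONFIG = """\
ip dhcp pool VPNPOOL
 network 172.19.0.0 255.255.0.0
!
interface Ethernet0
 ip nat inside
!
interface Virtual-Template1
 ip nat inside
 peer default ip address dhcp-pool VPNPOOL
!
interface Dialer1
 ip nat outside
!
ip nat inside source route-map NAT interface Dialer1 overload
!
ip access-list extended INTERNAL
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 172.18.0.0 0.0.255.255 any
 permit ip 172.19.0.0 0.0.255.255 any
!
route-map NAT permit 10
 match ip address INTERNAL
"""


def parse_config(text):
    """Collect the statements that decide whether a source gets dynamic NAT."""
    cfg = {"nat_inside": set(), "nat_outside": set(), "acls": {},
           "route_maps": {}, "nat_route_map": None, "pools": {}}
    kind = section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # top-level statement: starts a new section
            kind = section = None
            for pattern, k in ((r"interface (\S+)", "if"),
                               (r"ip access-list extended (\S+)", "acl"),
                               (r"route-map (\S+) permit \d+", "rm"),
                               (r"ip dhcp pool (\S+)", "pool")):
                m = re.match(pattern, line)
                if m:
                    kind, section = k, m.group(1)
                    break
            m = re.match(r"ip nat inside source route-map (\S+) interface (\S+)", line)
            if m:
                cfg["nat_route_map"] = m.group(1)
            if kind == "acl":
                cfg["acls"].setdefault(section, [])
            continue
        tok = line.split()
        if kind == "if":
            if line == "ip nat inside":
                cfg["nat_inside"].add(section)
            elif line == "ip nat outside":
                cfg["nat_outside"].add(section)
        elif kind == "acl" and tok[0] in ("permit", "deny") and tok[1] == "ip":
            # IOS source spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'
            if tok[2] == "any":
                src = ("any", None)
            elif tok[2] == "host":
                src = (tok[3], "0.0.0.0")
            else:
                src = (tok[2], tok[3])
            cfg["acls"][section].append((tok[0],) + src)
        elif kind == "rm" and tok[:3] == ["match", "ip", "address"]:
            cfg["route_maps"][section] = tok[3]
        elif kind == "pool" and tok[0] == "network":
            cfg["pools"][section] = ipaddress.IPv4Network(f"{tok[1]}/{tok[2]}")
    return cfg


def acl_lookup(entries, src):
    """First ACL entry whose source matches src (IOS wildcard bits), else None."""
    s = int(ipaddress.IPv4Address(src))
    for action, net, wild in entries:
        if net == "any":
            return action, net, wild
        care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF  # 0 bits must match
        if s & care == int(ipaddress.IPv4Address(net)) & care:
            return action, net, wild
    return None


def nat_findings(cfg, src, inside_if, pool=None):
    """Reasons a packet from src entering inside_if would miss the dynamic NAT
    rule; an empty list means every check passed."""
    out = []
    if pool is not None:
        net = cfg["pools"].get(pool)
        if net is None or ipaddress.IPv4Address(src) not in net:
            out.append(f"{src} is not inside pool {pool} ({net})")
    if inside_if not in cfg["nat_inside"]:
        out.append(f"{inside_if} is not 'ip nat inside'")
    if not cfg["nat_outside"]:
        out.append("no interface is 'ip nat outside'")
    acl = cfg["route_maps"].get(cfg["nat_route_map"])
    hit = acl_lookup(cfg["acls"].get(acl, []), src) if acl else None
    if hit is None or hit[0] != "permit":
        out.append(f"{src} is not permitted by ACL {acl} (route-map {cfg['nat_route_map']})")
    return out


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for src, ifc in (("172.19.0.5", "Virtual-Template1"), ("172.16.0.5", "Ethernet0")):
        print(src, ifc, nat_findings(cfg, src, ifc) or "passes all checks")
```

For the VPN client address 172.19.0.5 on Virtual-Template1 every check passes, which matches the poster's observation that the outbound packets do get translated; the script only covers the outbound match, not the reverse translation. Run against the posted ACL it also shows that a source in Ethernet0's 172.16.0.0/16 range matches no INTERNAL entry, which is worth comparing against the intended set of NATed networks.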
- Posted by Merv on May 11th, 2008
On May 11, 3:41 pm, HangaS <mafo...@gmail.com> wrote:
take a look at this Cisco doc
Router and VPN Client for Public Internet on a Stick Configuration
Example
http://www.cisco.com/en/US/products/...73b06b.shtml
- Posted by HangaS on May 11th, 2008
Hi Merv,
I have come across this doc before, but found others that introduced me
to split-tunneling.
I didn't want to use a crypto-map nor to use the Cisco VPN client.
I wanted to use the default Windows client in a next-next-finish
config manner.
Anyway I tried to adapt the solution from this doc to my setup. I had
tried a similar one before with the loopback interface for the split
tunnel, but the route-map had a set ip next-hop instead of a set
interface.
I did some troubleshooting and I found that the packets are being
NATed to the internet, reach the target host which sends a reply back
to the outside IP address of my router, but it seems that the reply is not
being translated back to the VPN network (although there is an entry
for it in the 'show ip nat translation' list).
Now I just read in some forum while looking for 'vpdn split tunnel'
that I can't use split tunneling with PPTP? Is this true?
On May 11, 9:38 pm, Merv <merv.hr...@rogers.com> wrote:
- Posted by Merv on May 12th, 2008
I recall seeing something that said that for PPTP, split tunneling is
client controlled (i.e. not controlled centrally by the VPN server).
Also see the Cisco PPTP FAQ
http://www.cisco.com/en/US/tech/tk82...800946ef.shtml
Q. I think I have a split tunneling issue. What should I do when a
PPTP tunnel comes up on a PC, the PPTP router has a higher metric than
the previous default, and I lose connectivity?
A. Run a batch file (batch.bat) to modify the Microsoft routing to
resolve this problem. Delete the default and reinstall the default
route (you must know the IP address that the PPTP client was assigned,
such as 192.168.1.1).
In this example, the network inside the router is 10.13.1.x.
route delete 0.0.0.0
route add 0.0.0.0 mask 0.0.0.0 161.44.17.1 metric 1
route add 10.13.1.0 mask 255.255.255.0 192.168.1.1 metric 1
==============================
- Posted by Daniel-G on May 12th, 2008
HangaS wrote:
modify it
ECHO OFF
IF "%1"=="GETR" GOTO GETR
IF "%1"=="RP" GOTO RP
rem route add 192.168.62.0 mask 255.255.255.0 192.168.0.3
REM GOTO FIN
:GETR
echo ======== GETR
for /f "usebackq tokens=1-5" %%I in (`CALL %0 RP`) do (
echo %%I %%J %%K %%L %%M
IF %%M EQU 1 (
echo metric = %%M for gateway %%K
ROUTE delete 0.0.0.0 mask 0.0.0.0 %%K
REM route add 0.0.0.0 mask 0.0.0.0 192.168.0.3
ROUTE add 192.168.62.0 mask 255.255.255.0 %%K
)
)
GOTO FIN
:RP
echo ======== RP
route print | find " 0.0.0.0"
GOTO FIN
:FIN
hope it helps
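Both the FAQ answer and the batch file above do the same thing: find the default route that the PPTP connection installed (recognisable on these clients by its metric of 1), delete it, and add a route for just the internal network through the tunnel address. The script below is an added example, not part of the thread: it parses a constructed `route print` excerpt for a client whose tunnel address is 172.19.0.5 (the address from the ipconfig output earlier in the thread) and returns the `route` commands the batch would execute, without running them. Function names, the sample output and the `lan_gateway` parameter are my own; it also covers the FAQ's case where no LAN default route remains and one has to be re-added.

```python
import ipaddress

# Constructed 'route print' excerpt for a Windows client with a LAN default
# route and a PPTP tunnel (tunnel address 172.19.0.5). Sample input only.
# On a PPP adapter the tunnel default route's gateway is the adapter's own
# address, which is why ipconfig shows the adapter's gateway as 0.0.0.0.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.10      20
          0.0.0.0          0.0.0.0       172.19.0.5      172.19.0.5       1
      192.168.0.0    255.255.255.0     192.168.0.10    192.168.0.10      20
       172.19.0.5  255.255.255.255        127.0.0.1       127.0.0.1      50
Default Gateway:       172.19.0.5
"""


def parse_routes(text):
    """Parse the IPv4 rows of 'route print' into dicts; every other line is ignored."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) != 5 or not tok[4].isdigit():
            continue
        try:
            dest, mask, gw, iface = (ipaddress.IPv4Address(t) for t in tok[:4])
        except ValueError:
            continue  # header row or anything else that is not an IPv4 route
        routes.append({"dest": str(dest), "mask": str(mask), "gateway": str(gw),
                       "interface": str(iface), "metric": int(tok[4])})
    return routes


def plan_route_fix(routes, internal_net, internal_mask, pptp_metric=1, lan_gateway=None):
    """Return the 'route' commands that send only internal_net through the PPTP
    tunnel and keep the LAN default route for everything else.

    Like the batch file, the tunnel's default route is picked by its metric.
    Nothing is executed; the caller reviews or runs the returned commands."""
    defaults = [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    tunnel = [r for r in defaults if r["metric"] == pptp_metric]
    if not tunnel:
        return []  # no PPTP default route present: nothing to change
    gw = tunnel[0]["gateway"]
    cmds = [f"route delete 0.0.0.0 mask 0.0.0.0 {gw}",
            f"route add {internal_net} mask {internal_mask} {gw} metric 1"]
    if not [r for r in defaults if r["metric"] != pptp_metric]:
        # FAQ case: deleting the tunnel default leaves no default route at all,
        # so the LAN default must be re-added; refuse to guess the gateway.
        if lan_gateway is None:
            raise ValueError("no other default route; pass lan_gateway to re-add one")
        cmds.append(f"route add 0.0.0.0 mask 0.0.0.0 {lan_gateway} metric 1")
    return cmds


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTE_PRINT)
    for cmd in plan_route_fix(routes, "10.13.1.0", "255.255.255.0"):
        print(cmd)
```

On the sample input this yields the two commands from the batch file (delete the metric-1 default via 172.19.0.5, add the internal network via 172.19.0.5); a client whose only default route is the tunnel's additionally gets the FAQ's `route add 0.0.0.0 ...` line for the LAN gateway it was given.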
- Posted by Daniel-G on May 12th, 2008
Merv wrote:
HangaS wrote:
the vpn client to manage access w/wo a policy pushed by the router
(tunnel end point on branch side)
You have to manage static routes on the client side, as with PPTP the
default gw always defaults to the PPTP address (run a route print on
your client)
I have a batch to modify it. I'll try to find it quickly and post it here
Hope this helps
Daniel
- Posted by HangaS on May 12th, 2008
On May 12, 8:23 am, Merv <merv.hr...@rogers.com> wrote:
Yes Merv, I think that was what I read quoted somewhere, together
with some discussion on the subject.
But I think it has to do with PPTP itself. Before moving to the 836 I
had a similar setup on a Linux box running PoPToP (a PPTP access
server) and I didn't have this issue. More, I could define a default
gateway for the PPP connection, which I defined to be the same default
router I use for the internal network. So I think it's some kind of
limitation of the IOS on 1) defining a default GW for a PPP connection
or 2) the IOS (or my configuration) not being able to properly NAT
traffic coming from the tunnel.
Maybe I confused the meanings. I thought that you could also "split
the tunnel" in the VPN server, matching the VPN traffic and routing it to
somewhere else. And that the loopback interface trick was just a way
of making the traffic look like it came from the internal network
rather than from the tunnel.
I guess I will make some tries with the L2TP/IPSEC tunnel, still
using the Windows client with minimum configuration by the user.
- Posted by HangaS on May 12th, 2008
On May 12, 9:43 am, Daniel-G <free-news_no-replyATcasylde.fr> wrote:
Hi Daniel,
Thanks for the routing rules.
I really wanted to avoid messing with the clients' config, as it is a
bit cumbersome to make about 50 users change their configs.
I also wanted to avoid using the Cisco VPN client. But if I recall
correctly, I can push the routing configuration from the server to the
Cisco client, making the configuration on the client easier for me and
for the users. So this may be a way out for me.
My preferred scenario would be making the VPN traffic NAT correctly;
I will spend some more time on this solution. Unless someone says
"It can't be done!"
- Posted by Daniel-G on May 12th, 2008
HangaS wrote:
client.
With a vpn client you can have it launched by opening a session and it
can manage split tunneling and all the policies you have set up.
From my experience using pptp meant:
1- have the user launch the connection in the network panel
2- have him launch a batch to modify routes
I couldn't find a way to launch both operations in a batch (with netsh
for example)
Deploying the vpn client is rather simple as you can set up an ini file
ready to be imported in the Cisco vpn client
It can also be used to open a session (to be exhaustive, there might be
means to open a session with pptp as well, therefore you could think of
launching an open session batch under 2K or XP)
The only 2 ways I know for both types of clients to be launched are
either at session opening or by launching it from the network panel.
Hope this helps
- Posted by HangaS on May 12th, 2008
On May 12, 7:10 pm, Daniel-G <free-news_no-replyATcasylde.fr> wrote:
Hi Daniel,
Yes, I'm starting to share your opinion. I built up some resistance
to using the Cisco client since I was unable to connect to this
particular VPN (not controlled by me) that required the integrated
firewall to be running, and the Vista version of the Cisco VPN client no
longer comes with the Integrated Firewall feature. I like the idea of
the .ini file.
Thanks for your feedback. I think the Cisco VPN client is becoming the way
to go. I will do some tests with it.