Enable Cisco 851w 871 Router IPSec VPN Client Split Tunneling

In response to a recent comment on my Connect to Cisco 851 with Cisco VPN Client post from a couple of years back, the configuration below is a revision that adds split-tunneling support and updated comments within the code. If the VPN client appears to connect successfully but you cannot reach devices on the internal network, the following tips may help.

  • Check the access-lists, paying special attention to the one referenced by your route-map. The first line of that access-list should be a deny statement matching traffic destined for the VPN client subnet. That deny exempts the traffic from NAT, so replies to VPN client sourced traffic go back through the tunnel to the connecting machine instead of being translated out the WAN interface.
  • Ensure the name of your route-map is referenced correctly in the ip nat inside source statement that points at your outside interface.
  • Confirm the ip nat inside and ip nat outside commands are on the appropriate interfaces (inside on the LAN/BVI interface, outside on the WAN interface).
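The three checks above can be applied mechanically to a saved copy of the running configuration. The script below is an added example, not part of the original post or any Cisco tooling: it parses a constructed excerpt in the same style as the configuration later in the post (placeholder addresses, not a real deployment), finds the `ip nat inside source route-map` statement, follows it to the route-map and its access-list, and verifies that the first access-list entry denies traffic to the VPN address pool, that the route-map exists, and that `ip nat inside`/`ip nat outside` are present on the expected interfaces. The names `check_split_tunnel_nat`, `parse_blocks` and the sample strings are my own and are assumptions.

```python
import ipaddress
import re

# Constructed excerpt of a 'show running-config' in the style of the post.
# Addresses and names are placeholders for illustration only.
SAMPLE_CONFIG = """\
interface FastEthernet4
 description ** WAN **
 ip nat outside
 crypto map dynmap
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip local pool dynpool 192.168.15.1 192.168.15.5
ip nat inside source route-map nonat interface FastEthernet4 overload
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
"""

# Constructed failure cases: ACL entries in the wrong order, and a NAT
# statement that references a route-map name that does not exist.
BROKEN_ACL_ORDER = SAMPLE_CONFIG.replace(
    "access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255\n"
    "access-list 110 permit ip 192.168.1.0 0.0.0.255 any\n",
    "access-list 110 permit ip 192.168.1.0 0.0.0.255 any\n"
    "access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255\n")
BROKEN_ROUTE_MAP = SAMPLE_CONFIG.replace(
    "route-map nonat interface", "route-map nonat-typo interface")


def parse_blocks(config):
    """Group indented sub-commands under their top-level IOS command."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None           # '!' separates configuration sections
        elif line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks


def acl_entries(config, number):
    """Return (action, protocol, remaining tokens) for each ACE of a numbered ACL."""
    pat = re.compile(rf"^access-list {number} (permit|deny)\s+(\S+)\s+(.*)$", re.M)
    return [(m.group(1), m.group(2), m.group(3).split()) for m in pat.finditer(config)]


def take_addr(tokens, i):
    """Parse one IOS address spec ('any', 'host X', or 'net wildcard') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a dotted wildcard (host) mask after the slash
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2


def check_split_tunnel_nat(config):
    """Apply the three troubleshooting checks; return a list of findings (empty = OK)."""
    findings, blocks = [], parse_blocks(config)
    pool = re.search(r"^ip local pool \S+ (\S+) (\S+)", config, re.M)
    pool_lo, pool_hi = ipaddress.ip_address(pool.group(1)), ipaddress.ip_address(pool.group(2))

    nat = re.search(r"^ip nat inside source route-map (\S+) interface (\S+)", config, re.M)
    if not nat:
        return ["no 'ip nat inside source route-map ... interface ...' statement found"]
    rm_name, nat_if = nat.group(1), nat.group(2)

    # Check 2: the route-map named in the NAT statement must exist.
    rm_key = next((k for k in blocks if k.startswith(f"route-map {rm_name} ")), None)
    if rm_key is None:
        findings.append(f"route-map '{rm_name}' referenced by the NAT statement does not exist")
    else:
        # Check 1: the first ACE of the route-map's ACL must deny traffic to the VPN pool.
        acl = next((l.split()[-1] for l in blocks[rm_key] if l.startswith("match ip address")), None)
        entries = acl_entries(config, acl) if acl else []
        if not entries:
            findings.append(f"route-map '{rm_name}' matches no populated access-list")
        else:
            action, _proto, toks = entries[0]
            _src, i = take_addr(toks, 0)
            dst, _ = take_addr(toks, i)
            if action != "deny" or not (pool_lo in dst and pool_hi in dst):
                findings.append(f"first entry of access-list {acl} should deny traffic "
                                f"destined for the VPN pool {pool_lo}-{pool_hi}")

    # Check 3: NAT direction markers on the right interfaces.
    if "ip nat outside" not in blocks.get(f"interface {nat_if}", []):
        findings.append(f"interface {nat_if} used by the NAT statement lacks 'ip nat outside'")
    if not any(k.startswith("interface ") and "ip nat inside" in v for k, v in blocks.items()):
        findings.append("no interface is configured with 'ip nat inside'")
    return findings


if __name__ == "__main__":
    for name, cfg in [("sample", SAMPLE_CONFIG), ("acl order", BROKEN_ACL_ORDER),
                      ("route-map", BROKEN_ROUTE_MAP)]:
        print(name, "->", check_split_tunnel_nat(cfg) or "OK")
```

To use it against a real router, paste the output of `show running-config` into a file and pass its contents to `check_split_tunnel_nat`; an empty list means all three tips are satisfied, and each string in a non-empty list names the specific statement to fix.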

The code below is from a working production environment.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DEMO851w
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login demousers local
aaa authorization network demogroup local
!
aaa session-id common
!
resource policy
!
clock timezone Hawaii -10
ip subnet-zero
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp <consider removing this line for Exchange 2007 compatibility>
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name domain.local
ip name-server <internal dns>
!
username sysadmin privilege 15 secret 5 <password hash>
<add more vpn users here>
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group demogroup <VPN client Group Authentication name>
 key <group passphrase for vpn client>
 dns <internal dns>
 domain domain.local
 pool dynpool
 acl 105
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
crypto map dynmap client authentication list demousers
crypto map dynmap isakmp authorization list demogroup
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
bridge irb
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description ** WAN **
 ip address <external ip> 255.255.255.x
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map dynmap
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid AP851G
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 0 <password>
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip local pool dynpool 192.168.15.1 192.168.15.5
ip classless
ip route 0.0.0.0 0.0.0.0 <isp gateway>
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
ip nat inside source static tcp <internal server> 25 <external ip> 25 extendable
ip nat inside source static tcp <internal server> 80 <external ip> 80 extendable
ip nat inside source static tcp <internal server> 443 <external ip> 443 extendable
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 101 remark ** Permit Inbound IPSEC Traffic & Split Tunnel **
access-list 101 permit ip host 192.168.15.1 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.15.2 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.15.3 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.15.4 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.15.5 192.168.1.0 0.0.0.255
access-list 101 permit udp any host <external ip> eq non500-isakmp
access-list 101 permit udp any host <external ip>
access-list 101 permit esp any host <external ip>
access-list 101 permit ahp any host <external ip>
access-list 101 remark ** Block Telnet **
access-list 101 deny   tcp any any eq telnet
access-list 101 permit tcp any any established
access-list 101 remark ** Deny netbios from the internet **
access-list 101 deny   tcp any any eq 139 log
access-list 101 deny   udp any any eq netbios-ns log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 deny   udp any any eq netbios-ss log
access-list 101 remark ** Permit Exchange Related Traffic **
access-list 101 permit tcp any host <external ip> eq smtp
access-list 101 permit tcp any host <external ip> eq www
access-list 101 permit tcp any host <external ip> eq 443
access-list 101 permit udp any host <external ip> eq ntp
access-list 101 deny   ip any host <external ip>
access-list 101 remark ** Permit all other traffic **
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit ip any any
access-list 105 remark ** VPN Traffic **
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
snmp-server community public RO
no cdp run
route-map nonat permit 10
 match ip address 110
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175022
ntp server 140.31.199.8 prefer
end
DEMO851w#

Comments and questions welcomed.
