Cisco 800 (836) VPN to Internet NAT

Hi,

I've been struggling with this for a long while. I've done tons of searches and haven't found a solution on how to solve this. I even read all the Cisco documentation on VPDNs, but there is no help on this particular issue.

This is my issue:

I have this Cisco 836 providing NAT for all the internal networks. Everything is working fine. I also have a VPN that is working normally for the internal networks only. A client connected to the VPN can access the internal network without problems.

However, the VPN users can't access the internet and I have no idea where the packets are being dropped. I really wanted the VPN network to be NATed to the outside, just like any other internal network.

I even tried to route the VPN network to another router on the internal network, but the default GW didn't change on the client side.

This is the current config:

c836# show running-config
Building configuration...

Current configuration : 10291 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname c836
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Z98Y$LdV8s.N4ptl1VtFSITBtE.
!
no aaa new-model
no ip source-route
!
!
no ip dhcp use vrf connected
!
ip dhcp pool VPNPOOL
 network 172.19.0.0 255.255.0.0
 domain-name vpn.lan
 dns-server 192.168.1.253
 default-router 192.168.200.2
 lease 30
!
!
no ip cef
ip name-server 212.18.160.133
no ip bootp server
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
isdn switch-type basic-net3
!
!
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXX
username USER password 7 XXXXXXXXXXXXXXXXX
!
!
!
!
!
interface Ethernet0
 description --- 10Mbps connection to LAN ---
 ip address 172.16.0.1 255.255.0.0
 ip access-group 112 in
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface Ethernet2
 description --- Connection to Cisco 877 ---
 ip address 192.168.200.1 255.255.255.0
 ip access-group 112 in
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface BRI0
 no ip address
 encapsulation hdlc
 isdn switch-type basic-net3
 isdn point-to-point-setup
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode etsi
 pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Virtual-Template1
 description --- PPTP VPN access interface ---
 ip unnumbered Ethernet2
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 peer default ip address dhcp-pool VPNPOOL
 no keepalive
 ppp encrypt mppe 128
 ppp authentication ms-chap-v2
!
interface Dialer1
 ip address negotiated
 ip access-group FROMINET in
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name VDF
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap hostname XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 ppp chap password 7 XXXXXXXXXXXXXXXXXX
 ppp pap sent-username XXXXXXXXXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXXXXX
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.18.0.0 255.255.0.0 192.168.200.2
ip route 192.168.1.0 255.255.255.0 192.168.200.2
ip route 192.168.2.0 255.255.255.0 192.168.200.2
ip route 192.168.3.0 255.255.255.0 192.168.200.2
!
no ip http server
no ip http secure-server
!
no ip nat service sip udp port 5060
ip nat inside source route-map NAT interface Dialer1 overload
ip nat inside source static tcp 192.168.3.10 80 x.y.z.106 25 extendable
ip nat inside source static tcp 192.168.1.253 80 x.y.z.106 80 extendable
ip nat inside source static tcp 192.168.1.253 80 z.y.z.106 443 extendable
!
!
ip access-list extended FROMINET
 remark Filter Traffic from INET
 permit ip any any
 permit gre any any
!
ip access-list extended INTERNAL
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 172.18.0.0 0.0.255.255 any
 permit ip 172.19.0.0 0.0.255.255 any
!
access-list 112 permit tcp host 192.168.3.10 any eq smtp
access-list 112 deny tcp any any eq smtp
access-list 112 permit ip any any
no cdp run
!
route-map NAT permit 10
 match ip address INTERNAL
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 login local
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
line vty 5 15
 privilege level 15
 login
 transport input telnet
!
scheduler max-task-time 5000
no rcapi server
!
!
end

Connected client info:

PPP adapter VPN:

   Connection-specific DNS Suffix  . : vpn.lan
   Description . . . . . . . . . . . : VPN
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.19.0.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 192.168.1.253
                                       212.18.160.133
   NetBIOS over Tcpip. . . . . . . . : Enabled

Any tips?

Reply to
HangaS
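Before chasing the dropped packets any further, the two NAT prerequisites for tunnel traffic are worth checking mechanically: the PPTP pool must be matched by the ACL the NAT route-map references, and the Virtual-Template must itself be a NAT inside interface. The following is an added example, not code from the thread: it audits a constructed excerpt of the posted running-config (pool, ACL and route-map names are the ones in that config).

```python
import ipaddress
import re

# Constructed excerpt of the posted running-config: only the lines that decide
# whether PPTP client traffic (pool 172.19.0.0/16) is eligible for NAT.
CONFIG = """\
ip dhcp pool VPNPOOL
 network 172.19.0.0 255.255.0.0
interface Virtual-Template1
 ip unnumbered Ethernet2
 ip nat inside
ip nat inside source route-map NAT interface Dialer1 overload
ip access-list extended INTERNAL
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 172.18.0.0 0.0.255.255 any
 permit ip 172.19.0.0 0.0.255.255 any
route-map NAT permit 10
 match ip address INTERNAL
"""

def acl_sources(config, acl_name):
    """Source networks permitted by a named extended ACL (IOS wildcards -> prefixes)."""
    nets, inside = [], False
    for line in config.splitlines():
        if not line.startswith(" "):          # any top-level line ends the ACL block
            inside = line == f"ip access-list extended {acl_name}"
            continue
        m = re.match(r"\s+permit ip (\S+) (\S+) ", line)
        if inside and m:
            addr, wildcard = m.groups()
            # invert the wildcard mask to get a netmask
            mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets

def nat_inside_interfaces(config):
    """Interfaces configured with 'ip nat inside'."""
    names, cur = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
        elif not line.startswith(" "):
            cur = None
        elif cur and line.strip() == "ip nat inside":
            names.append(cur)
    return names

def audit_vpn_nat(config, pool="VPNPOOL", acl="INTERNAL", vt="Virtual-Template1"):
    """Is the pool inside the NAT ACL, and is the virtual-template a NAT inside interface?"""
    m = re.search(rf"ip dhcp pool {pool}\n network (\S+) (\S+)", config)
    pool_net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return {"pool": str(pool_net),
            "pool_in_nat_acl": any(pool_net.subnet_of(n) for n in acl_sources(config, acl)),
            "vt_nat_inside": vt in nat_inside_interfaces(config)}
```

On this config both checks pass, which is consistent with the outbound translation the thread later observes working; the remaining suspects are the return path and the client's default route.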

take a look at this Cisco doc

Router and VPN Client for Public Internet on a Stick Configuration Example


Reply to
Merv

Hi Merv,

I have come across this doc before, but found others that introduce me to split-tunneling.

I didn't want to use a crypto map nor the Cisco VPN client. I wanted to use the default Windows client in a next-next-finish configuration manner.

Anyway, I tried to adapt the solution from this doc to my setup. I had tried a similar one before with the loopback interface for the split tunnel, but the route-map had a set ip next-hop instead of a set interface.

I did some troubleshooting and I found that the packets are being NATed to the internet and reach the target host, which sends a reply back to the outside IP address of my router, but it seems that the reply is not being translated back to the VPN network (although there is an entry for it in the 'show ip nat translation' list).

Now I just read in some forum, while looking for 'vpdn split tunnel', that I can't use split tunneling with PPTP. Is this true?


Reply to
HangaS

I recall seeing something that said that for PPTP, split tunneling is client controlled (i.e. not controlled centrally by the VPN server).

Also see the Cisco PPTP FAQ:
Q. I think I have a split tunneling issue. What should I do when a PPTP tunnel comes up on a PC, the PPTP router has a higher metric than the previous default, and I lose connectivity?

A. Run a batch file (batch.bat) to modify the Microsoft routing to resolve this problem. Delete the default and reinstall the default route (you must know the IP address that the PPTP client was assigned, such as 192.168.1.1).

In this example, the network inside the router is 10.13.1.x.

route delete 0.0.0.0
route add 0.0.0.0 mask 0.0.0.0 161.44.17.1 metric 1
route add 10.13.1.0 mask 255.255.255.0 192.168.1.1 metric 1

==============================

Reply to
Merv

HangaS wrote:

I just found it. Here is a sample which finds the PPTP default route and modifies it:

ECHO OFF
IF "%1"=="GETR" GOTO GETR
IF "%1"=="RP" GOTO RP

rem route add 192.168.62.0 mask 255.255.255.0 192.168.0.3
REM GOTO FIN
:GETR
echo ======== GETR
for /f "usebackq tokens=1-5" %%I in (`CALL %0 RP`) do (
  echo %%I %%J %%K %%L %%M
  IF %%M EQU 1 (
    echo metric = %%M for gateway %%K
    ROUTE delete 0.0.0.0 mask 0.0.0.0 %%K
    REM route add 0.0.0.0 mask 0.0.0.0 192.168.0.3
    ROUTE add 192.168.62.0 mask 255.255.255.0 %%K
  )
)

GOTO FIN

:RP
echo ======== RP
route print | find " 0.0.0.0"
GOTO FIN

:FIN

hope it helps

Reply to
Daniel-G
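The batch above keys on one observable fact: on the client, the PPTP connection installs a second default route with metric 1 whose gateway is the tunnel's own PPP address, and the fix is to delete that route and add only the internal networks through it. The following is an added example, not code from the thread: it parses a constructed `route print` excerpt the same way the batch's `find " 0.0.0.0"` loop does and emits the equivalent route commands, using the internal networks from the original poster's config as the networks to keep in the tunnel.

```python
# Constructed Windows XP-style "route print" excerpt: the LAN default route (metric 20)
# and the default route the PPTP connection added (metric 1, gateway = the PPP address).
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.3     192.168.0.10     20
          0.0.0.0          0.0.0.0       172.19.0.5       172.19.0.5      1
       172.19.0.5  255.255.255.255        127.0.0.1        127.0.0.1     50
"""

# Internal networks behind the Cisco 836 in the posted config (LAN and the 877 side).
INTERNAL_NETS = [("172.16.0.0", "255.255.0.0"), ("192.168.1.0", "255.255.255.0")]


def default_routes(route_print):
    """Return (gateway, interface, metric) for every 0.0.0.0/0 entry.

    Mirrors the batch's `route print | find " 0.0.0.0"` plus the tokens=1-5 split:
    columns are destination, netmask, gateway, interface, metric.
    """
    routes = []
    for line in route_print.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "0.0.0.0" and parts[1] == "0.0.0.0":
            routes.append((parts[2], parts[3], int(parts[4])))
    return routes


def split_tunnel_commands(route_print, internal_nets, pptp_metric=1):
    """Build the route commands the batch runs for the PPTP default route.

    Only the default route carrying the PPTP metric is touched; the LAN default
    route (metric 20 here) is left alone so internet traffic keeps using the LAN.
    """
    cmds = []
    for gateway, _iface, metric in default_routes(route_print):
        if metric != pptp_metric:
            continue
        cmds.append(f"route delete 0.0.0.0 mask 0.0.0.0 {gateway}")
        for net, mask in internal_nets:
            cmds.append(f"route add {net} mask {mask} {gateway}")
    return cmds


if __name__ == "__main__":
    for cmd in split_tunnel_commands(ROUTE_PRINT, INTERNAL_NETS):
        print(cmd)
```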

I posted this early in the morning:

HangaS wrote:
> Hi Merv,
>

Split tunneling can't be set with PPTP, as it is the responsibility of the VPN client to manage access with/without a policy pushed by the router (tunnel end point on the branch side). You have to manage static routes on the client side, as with PPTP the default GW always defaults to the PPTP address (do a route print on your client). I have a batch to modify it. I'll try to find it quickly and post it here.

Hope this helps

Daniel

Reply to
Daniel-G


Yes Merv, I think that was what I read quoted somewhere, together with some discussion on the subject.

But I think it has to do with PPTP itself. Before moving to the 836 I had a similar setup on a Linux box running PoPToP (a PPTP access server) and I didn't have this issue. Moreover, I could define a default gateway for the PPP connection, which I set to the same default router I use for the internal network. So I think it's some kind of limitation of the IOS in 1) defining a default GW for a PPP connection or 2) the IOS (or my configuration) not being able to properly NAT traffic coming from the tunnel.

Maybe I confused the meanings. I thought that you could also "split the tunnel" in the VPN server, matching the VPN traffic and routing it somewhere else, and that the loopback interface trick was just a way of making the traffic look like it came from the internal network rather than from the tunnel.

I guess I will do some tests with an L2TP/IPsec tunnel, still using the Windows client with minimum configuration by the user.

Reply to
HangaS

Hi Daniel.

Thanks for the routing rules. I really wanted to avoid messing with the clients' config, as it is a bit cumbersome to make about 50 users change their configs.

I also wanted to avoid using the Cisco VPN client. But if I recall correctly, I can push the routing configuration from the server to the Cisco client, making the configuration on the client easier for me and for the users. So this may be a way out for me.

My preferred scenario would be making the VPN traffic NAT correctly; I will spend some more time on this solution, unless someone says "It can't be done!"

Reply to
HangaS

I confirm the only way to push a policy to the end client is using a VPN client. With a VPN client you can have it launched by opening a session, and it can manage split tunneling and all the policies you have set up.

From my experience using pptp meant:

1- have the user launch the connection in the network panel
2- have him launch a batch to modify routes

I couldn't find a way to launch both operations in a batch (with netsh, for example). Deploying the VPN client is rather simple, as you can set up an ini file ready to be imported in the Cisco VPN client. It can also be used to open a session (to be exhaustive, there might be means to open a session with PPTP as well, so you could think of launching an open-session batch under 2K or XP).

The only two ways I know for both types of clients to be launched are either at session opening or by launching it from the network panel.

Hope this helps

Reply to
Daniel-G

Hi Daniel,

Yes, I'm starting to share your opinion. I built up some resistance to using the Cisco client since I was unable to connect to a particular VPN (not controlled by me) that required the integrated firewall to be running, and the Vista version of the Cisco VPN client no longer comes with the Integrated Firewall feature. I like the idea of the .ini file. Thanks for your feedback. I think the Cisco VPN client is becoming the way to go. I will do some tests with it.

Reply to
HangaS
