Re: Cico 800 (836) VPN to Internet NAT

Posted by Merv on May 11, 2008, 4:38 pm
> Hi,
>
> I've been struggling with this for a long while.
> I've done tons of searches and haven't found a solution on how to
> solve this.
> Even read all the Cisco documentation on VPDNs, but no help on this
> particular issue.
>
> This is my issue:
>
> I have this Cisco 836 providing NAT for all the internal networks.
> Everything working fine.
> I also have a VPN that is working normally for the internal networks
> only. A client connected to the VPN can access the internal network
> without problems.
>
> However the VPN users can't access the internet and I have no idea
> where the packets are being dropped.
> I really wanted the VPN network to be NATed to the outside, just like
> any other internal network.



Take a look at this Cisco doc:

Router and VPN Client for Public Internet on a Stick Configuration
Example

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml





Posted by HangaS on May 11, 2008, 7:41 pm
Hi Merv,

I have come across this doc before, but found others that introduced me
to split-tunneling.

I didn't want to use a crypto-map, nor the Cisco VPN client.
I wanted to use the default Windows client in a next-next-finish
config manner.

Anyway I tried to adapt the solution from this doc to my setup. I had
tried a similar one before with the loopback interface for the split
tunnel, but the route-map had a set ip next-hop instead of a set
interface.

I did some troubleshooting and I found that the packets are being
NATed to the internet and reach the target host, which sends a reply back
to the outside IP address of my router, but it seems that the reply is not
being translated back to the VPN network (although there is an entry
for it in the 'show ip nat translation' list).

Now I just read in some forum while looking for 'vpdn split tunnel'
that I can't use split tunneling with PPTP. Is this true?





> take a look at this Cisco doc
>
> Router and VPN Client for Public Internet on a Stick Configuration
> Example
>
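An added configuration example, not posted by anyone in this thread, showing the direct way to have PPTP (VPDN) clients translated to the Internet like any inside host: because each PPTP session gets its own Virtual-Access interface, that interface can simply be marked "ip nat inside" and the pool included in the NAT source list, with no loopback or route-map indirection. Only the NAT- and VPDN-relevant lines are shown; the interface names, pool and addresses are assumptions for the example.

```cisco
! Added example, not from this thread: PPTP/VPDN server on an 836 whose
! tunnel clients are translated to the Internet like inside hosts.
! Assumed addressing: LAN 192.168.1.0/24 on Ethernet0, VPN pool
! 192.168.2.0/24, Internet on Dialer1; names and addresses are placeholders.
vpdn enable
vpdn-group PPTP-IN
 accept-dialin
  protocol pptp
  virtual-template 1
!
ip local pool VPN-POOL 192.168.2.1 192.168.2.50
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip nat outside
!
! Each Virtual-Access interface cloned for a PPTP session inherits this.
! Without "ip nat inside" here the session interface takes no part in NAT,
! so nothing returning to the router's public address is mapped back to
! the client's pool address.
interface Virtual-Template1
 ip unnumbered Ethernet0
 ip nat inside
 peer default ip address pool VPN-POOL
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2
!
! Translate only the LAN and the VPN pool; anything else is left alone.
ip access-list extended NAT-SOURCES
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list NAT-SOURCES interface Dialer1 overload
```

Check with 'show ip nat translations' while a client is connected: the inside local address of its entries should be the client's pool address, and the Virtual-Access interface should appear in 'show ip nat statistics' as an inside interface. PPTP with MS-CHAPv2/MPPE has since been shown to be cryptographically weak, so on current gear the L2TP/IPsec path HangaS considers later in the thread is the one to take.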


Posted by Merv on May 12, 2008, 3:23 am

> Now I just read in some forum while looking for 'vpdn split tunnel'
> that I can't use split tunniling with pptp? is this true?

I recall seeing something that said that for PPTP, split tunneling is
client controlled (i.e. not controlled centrally by the VPN server).


Also see the Cisco PPTP FAQ:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_q_and_a_item09186a00800946ef.shtml

Q. I think I have a split tunneling issue. What should I do when a
PPTP tunnel comes up on a PC, the PPTP router has a higher metric than
the previous default, and I lose connectivity?

A. Run a batch file (batch.bat) to modify the Microsoft routing to
resolve this problem. Delete the default and reinstall the default
route (you must know the IP address that the PPTP client was assigned,
such as 192.168.1.1).

In this example, the network inside the router is 10.13.1.x.

route delete 0.0.0.0
route add 0.0.0.0 mask 0.0.0.0 161.44.17.1 metric 1
route add 10.13.1.0 mask 255.255.255.0 192.168.1.1 metric 1

==============================







Posted by HangaS on May 12, 2008, 10:12 am
> > Now I just read in some forum while looking for 'vpdn split tunnel'
> > that I can't use split tunneling with PPTP. Is this true?
>
> I recall seeing something that said that for PPTP, split tunneling is
> client controlled (i.e. not controlled centrally by the VPN server).
>
> Also see the Cisco PPTP FAQ:
>
> http://www.cisco.com/en/US/tech/tk827/tk369/technologies_q_and_a_item...
>
> Q. I think I have a split tunneling issue. What should I do when a
> PPTP tunnel comes up on a PC, the PPTP router has a higher metric than
> the previous default, and I lose connectivity?
>
>     A. Run a batch file (batch.bat) to modify the Microsoft routing to
> resolve this problem. Delete the default and reinstall the default
> route (you must know the IP address that the PPTP client was assigned,
> such as 192.168.1.1).
>
>     In this example, the network inside the router is 10.13.1.x.
>
>         route delete 0.0.0.0
>         route add 0.0.0.0 mask 0.0.0.0 161.44.17.1 metric 1
>         route add 10.13.1.0 mask 255.255.255.0 192.168.1.1 metric 1
>
> ==============================


Yes Merv, I think that was what I read quoted somewhere, together
with some discussion on the subject.

But I think it has to do with PPTP itself. Before moving to the 836 I
had a similar setup in a Linux box running PopTop (a PPTP access
server) and I didn't have this issue. Moreover, I could define a default
gateway for the PPP connection, which I set to the same default
router I use for the internal network. So I think it's some kind of
limitation in IOS on 1) defining a default GW for a PPP connection
or 2) IOS (or my configuration) not being able to properly NAT
traffic coming from the tunnel.


Maybe I confused the meanings. I thought that you could also "split
the tunnel" in the VPN server, matching the VPN traffic and routing it
somewhere else, and that the loopback interface trick was just a way
of making the traffic look like it came from the internal network
rather than from the tunnel.

I guess I will make some attempts with the L2TP/IPSEC tunnel, still
using the Windows client with minimum configuration by the user.


Posted by Daniel-G on May 12, 2008, 4:38 am
HangaS wrote:
> Hi Merv,
>
> I have come across this doc before, but found others that introduced me
> to split-tunneling.
>
> I didn't want to use a crypto-map, nor the Cisco VPN client.
> I wanted to use the default Windows client in a next-next-finish
> config manner.
>
> Anyway I tried to adapt the solution from this doc to my setup. I had
> tried a similar one before with the loopback interface for the split
> tunnel, but the route-map had a set ip next-hop instead of a set
> interface.
>
> I did some troubleshooting and I found that the packets are being
> NATed to the internet and reach the target host, which sends a reply back
> to the outside IP address of my router, but it seems that the reply is not
> being translated back to the VPN network (although there is an entry
> for it in the 'show ip nat translation' list).
>
> Now I just read in some forum while looking for 'vpdn split tunnel'
> that I can't use split tunneling with PPTP. Is this true?
>
>
>
>
>
>> take a look at this Cisco doc
>>
>> Router and VPN Client for Public Internet on a Stick Configuration
>> Example
>>
>> http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_config...
>
I just found it. Here is a sample which finds the PPTP default route and
modifies it:
@ECHO OFF
REM Run with no arguments. The script calls itself with "RP" to list the
REM default routes, then removes the default route the PPTP tunnel added
REM (the one with metric 1) and routes only the remote LAN through it.
IF "%1"=="GETR" GOTO GETR
IF "%1"=="RP" GOTO RP

:GETR
echo ======== GETR
REM tokens: 1=destination 2=netmask 3=gateway 4=interface 5=metric
for /f "usebackq tokens=1-5" %%I in (`CALL %0 RP`) do (
        echo %%I %%J %%K %%L %%M
        REM string compare: %%M is empty on lines with fewer than 5 fields
        IF "%%M"=="1" (
                echo metric = %%M for gateway %%K
                REM drop the tunnel's default route ...
                ROUTE delete 0.0.0.0 mask 0.0.0.0 %%K
                REM ... and send just the remote LAN 192.168.62.0/24 through it
                ROUTE add 192.168.62.0 mask 255.255.255.0 %%K
        )
)
GOTO FIN

:RP
REM print only the routing-table lines for destination 0.0.0.0
route print | find " 0.0.0.0"
GOTO FIN

:FIN

hope it helps
