
Local Lan Access disabled when Split tunneling enabled?

loboernesto Member Posts: 94
Does anyone know why "Allow Local LAN Access" gets disabled in the Cisco VPN client whenever I specify a network in the ACL that matches the ACL in the configuration of my crypto isakmp group?
I want to limit the traffic that is encrypted to only the traffic directed to the internal network behind the VPN server, split tunneling, right?

I am running c850-advsecurityk9-mz.124-9.T.bin on an 851 with minimal configuration (posted at the bottom) acting as a VPN server.
Example:

If I specify an ACL to be used for split tunneling in my config:
crypto isakmp client configuration group remoteusers
key somekey
dns 194.168.4.100 194.168.8.100
pool vpnpool
acl 199
include-local-lan

And have an ACL that matches the networks reachable behind the VPN server from the IP addresses that I am assigning with the pool:
access-list 199 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 permit ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255


Then the client shows no Local LAN routes in the "Statistics---Route Details" tab.

If I disable the ACL command in the crypto group or don't specify any address to match with the ACL, then I can see the Local LAN in the client with no problems.

Does anyone have any idea? Config posted below.
Building configuration...

Current configuration : 3656 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TR5ESU
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$4eya$G7uduRmpKycZOwi0syvJa0
!
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauth local
!
aaa session-id common
!
resource policy
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.10
!
ip dhcp pool lan1
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1 255.255.255.0
dns-server 10.0.0.1 194.168.4.100 194.168.8.100
!
!
ip cef
ip domain name domain.com
!
!
!
username admin privilege 15 secret xxxxxx
username remote1 privilege 0 password xxxxxxx
username remote2 privilege 0 password xxxxxxx
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group remoteusers
key xxxxxxx
dns 194.168.4.100 194.168.8.100
pool vpnpool
acl 199
include-local-lan

!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list clientauth
crypto map clientmap isakmp authorization list groupauth
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address dhcp
ip access-group ACL_IN in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface Vlan1
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
router rip
version 2
network 10.0.0.0
!
ip local pool vpnpool 192.168.1.2 192.168.1.100
ip route 0.0.0.0 0.0.0.0 dhcp
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 100 interface FastEthernet4 overload

!
ip access-list extended ACL_IN
remark WWW
permit tcp any any eq smtp
permit tcp any any eq www
permit udp any any eq domain
permit tcp any any established
permit udp any any eq 5060
permit udp any any range 16384 16482
remark vpn
permit udp any any eq isakmp
permit ahp any any
permit esp any any
permit udp any any eq non500-isakmp
deny ip host 0.0.0.0 any
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
permit icmp any any echo-reply
deny icmp any any
!
access-list 100 deny ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 100 deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 100 deny ip 172.16.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit ip 172.16.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 permit ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp run
!
control-plane
!
!
line con 0
exec-timeout 0 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
password xxxxx
!
scheduler max-task-time 5000
end

Comments

  • nice343 Member Posts: 391
    Have you tried checking on cisco.com?
    My daily blog about IT and tech stuff
    http://techintuition.com/
  • loboernesto Member Posts: 94
    Hi,
    Thanks for replying.

    I think I have solved it. I had "include-local-lan" and an ACL for split tunneling both enabled on the client group configuration. I disabled "include-local-lan" and it works like a charm!

    crypto isakmp client configuration group remoteusers
    key somekey
    dns 194.168.4.100 194.168.8.100
    pool vpnpool
    acl 199
    include-local-lan <-- disabled this and it works.
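The following is an added example, not code from the thread or from Cisco. It works through the ACL arithmetic behind the split-tunnel configuration discussed above: the `permit` entries of ACL 199 (source = network behind the VPN server, destination = the client address pool) are parsed with their Cisco wildcard masks, the resulting secured networks decide which destinations the client would tunnel versus send in the clear, and two checks a practitioner would want are included: whether every ACL destination actually covers the `ip local pool` range, and whether a secured network overlaps the remote user's own LAN (an assumed, common reason local LAN access has no visible effect, stated here as an illustration rather than as the diagnosis of this thread). All function names are hypothetical; the ACL text is the one posted in the question.

```python
import ipaddress
import re

# Constructed sample input: the split-tunnel ACL from the thread (access-list 199).
# Source = network behind the VPN server, destination = the client address pool.
ACL_199 = """
access-list 199 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 permit ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Matches the simple numbered-ACL form "access-list N permit|deny ip SRC WC DST WC".
ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Cisco address/wildcard pair into an IPv4Network.

    A wildcard mask is the bitwise complement of a subnet mask (0 bits must
    match, 1 bits are "don't care"), so inverting it yields the netmask.
    Non-contiguous wildcards cannot be expressed as a prefix and raise ValueError.
    """
    netmask_int = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(netmask_int))
    # strict=False tolerates host bits set in the address field.
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def parse_split_tunnel_acl(text: str):
    """Return (secured_network, client_pool_network) pairs from 'permit ip' entries."""
    pairs = []
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(2) != "permit":
            continue  # deny entries and unrelated lines add no secured routes
        _, _, src, src_wc, dst, dst_wc = m.groups()
        pairs.append((wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)))
    return pairs


def secured_networks(text: str):
    """Networks the client is told to send through the tunnel (the ACL sources)."""
    return [src for src, _ in parse_split_tunnel_acl(text)]


def classify(destination: str, secured) -> str:
    """'tunnel' if a secured network covers the destination, otherwise 'clear'."""
    ip = ipaddress.IPv4Address(destination)
    return "tunnel" if any(ip in net for net in secured) else "clear"


def local_lan_conflicts(local_lan: str, secured):
    """Secured networks that overlap the remote user's own LAN.

    Assumption used for illustration: when the secured route covers the
    user's local subnet, local hosts in that range are tunneled, so "Allow
    Local LAN Access" has nothing to exempt. Surfacing the overlap is the check.
    """
    lan = ipaddress.IPv4Network(local_lan, strict=False)
    return [net for net in secured if net.overlaps(lan)]


def pool_matches(text: str, pool_start: str, pool_end: str) -> bool:
    """True if every ACL destination covers the whole 'ip local pool' range."""
    first = ipaddress.IPv4Address(pool_start)
    last = ipaddress.IPv4Address(pool_end)
    pairs = parse_split_tunnel_acl(text)
    return bool(pairs) and all(first in dst and last in dst for _, dst in pairs)


if __name__ == "__main__":
    nets = secured_networks(ACL_199)
    print("secured networks:", [str(n) for n in nets])
    for dest in ("10.0.0.5", "172.16.0.9", "8.8.8.8"):
        print(dest, "->", classify(dest, nets))
    print("conflicts with an assumed 10.0.0.0/24 home LAN:",
          [str(n) for n in local_lan_conflicts("10.0.0.0/24", nets)])
    print("pool 192.168.1.2-192.168.1.100 covered:",
          pool_matches(ACL_199, "192.168.1.2", "192.168.1.100"))
```

Run it as-is to see the two secured prefixes (10.0.0.0/24 and 172.16.0.0/24) and the pool check pass for the `ip local pool vpnpool 192.168.1.2 192.168.1.100` line in the posted config; feed it a different ACL or a remote user's actual subnet to test another deployment.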