Complex configuration using Bridge IRB, NAT, VPN, ACL on cisco router(long)

Discussion in 'Cisco' started by Alexandre, Oct 17, 2003.

  Alexandre (Guest)

    Hi all,

    I have a XXX.XXX.XXX.224/29 public network with a DSL line.
    I use a Cisco router behind the DSL modem.

    The Cisco is configured with bridge IRB and a BVI interface to manage
    the FastEthernet0/0 interface connected to the DSL modem and FastEthernet1/1
    connected to the DMZ network.

    The Cisco is the local network gateway, using NAT on FastEthernet1/0.

    I have to add a VPN configuration to give home users access to the local
    network with the Cisco VPN client on their home box.

    All this is working fine except for trouble with the home users' VPN.
    I used the "Configure Cisco VPN Client-Easy VPN Server, Xauth, Split Tunnel"
    example to set all this up.

    The VPN sessions are working, but home users cannot access the local network
    due to the access-list on the BVI interface, although the packets should come
    through the IPSec tunnel ...

    Sorry for my English, and thanks to the people who give time to read my post.
    Here is my Cisco configuration:

    spirou#show running-config
    Building configuration...

    Current configuration : 5198 bytes
    !
    !
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname spirou
    !
    logging queue-limit 100
    logging buffered 51200 warnings
    enable secret 5 xxxxxxxxx
    enable password 7 xxxxxx
    !
    username xxxxxx privilege 15 password 7 086B67630A1016141D2D3E
    username xxxxxx password 7 030752180500
    aaa new-model
    !
    !
    aaa authentication login userlist local
    aaa authorization network vpn-clients local
    aaa session-id common
    ip subnet-zero
    !
    !
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 smtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip inspect name DEFAULT100 icmp
    ip inspect name dmzinspect ftp
    ip inspect name dmzinspect tcp
    ip inspect name dmzinspect udp
    ip audit notify log
    ip audit po max-events 100
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration address-pool local vpn-pool
    crypto isakmp xauth timeout 60

    !
    crypto isakmp client configuration group vpn-clients
    key XXXXXXXXX
    pool vpn-pool
    acl 150
    !
    !
    crypto ipsec transform-set myset1 esp-3des esp-sha-hmac
    !
    crypto dynamic-map vpn-map 1
    set transform-set myset1
    reverse-route
    !
    !
    crypto map vpn-map client authentication list userlist
    crypto map vpn-map isakmp authorization list vpn-clients
    crypto map vpn-map client configuration address respond
    crypto map vpn-map 1 ipsec-isakmp dynamic vpn-map
    !

    !
    no voice hpi capture buffer
    no voice hpi capture destination
    !
    !
    mta receive maximum-recipients 0
    !
    bridge irb
    !
    !
    interface FastEthernet0/0
    description $FW_OUTSIDE$$ETH-WAN$
    no ip address
    no ip mroute-cache
    duplex auto
    speed auto
    bridge-group 29
    !
    interface FastEthernet0/1
    no ip address
    no ip mroute-cache
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    description $FW_INSIDE$$ETH-LAN$
    ip address 192.168.67.1 255.255.255.0
    ip access-group 100 in
    ip nat inside
    ip inspect DEFAULT100 in
    no ip mroute-cache
    duplex auto
    speed auto
    !
    interface FastEthernet1/1
    description $FW_DMZ$$ETH-LAN$
    no ip address
    no ip mroute-cache
    duplex auto
    speed auto
    bridge-group 29
    !
    interface BVI29
    ip address XXX.XXX.XXX.226 255.255.255.248
    ip access-group 102 in
    no ip redirects
    ip nat outside
    ip inspect dmzinspect in
    crypto map vpn-map
    !
    ip local pool vpn-pool 192.168.67.230 192.168.67.240
    ip default-gateway XXX.XXX.XXX.225
    ip nat inside source list 199 interface BVI29 overload
    ip http server
    ip http authentication local
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.225
    !
    !
    access-list 100 deny ip XXX.XXX.XXX.224 0.0.0.7 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
    access-list 102 deny ip 172.16.0.0 0.15.255.255 any log
    access-list 102 deny ip 192.168.0.0 0.0.255.255 any log
    access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 102 deny ip host 255.255.255.255 any log
    access-list 102 deny ip host 0.0.0.0 any log
    access-list 102 permit esp any host XXX.XXX.XXX.226
    access-list 102 permit udp any eq isakmp host XXX.XXX.XXX.226 eq isakmp
    access-list 102 permit udp host 195.114.64.193 host XXX.XXX.XXX.226 eq ntp
    access-list 102 deny ip any host XXX.XXX.XXX.226 log
    access-list 102 permit udp XXX.XXX.XXX.224 0.0.0.7 any eq domain
    access-list 102 permit udp any eq domain XXX.XXX.XXX.224 0.0.0.7
    access-list 102 permit tcp XXX.XXX.XXX.224 0.0.0.7 any eq www
    access-list 102 permit tcp any eq www XXX.XXX.XXX.224 0.0.0.7
    access-list 102 permit tcp XXX.XXX.XXX.224 0.0.0.7 eq www any
    access-list 102 deny ip any any log
    access-list 150 permit ip 192.168.67.0 0.0.0.255 192.168.67.0 0.0.0.255
    access-list 199 permit ip 192.168.67.0 0.0.0.255 any
    !
    !
    radius-server authorization permit missing Service-Type
    bridge 29 protocol ieee
    bridge 29 route ip
    call rsvp-sync
    !
    !
    mgcp profile default
    !
    !
    dial-peer cor custom
    !
    !
    line con 0
    exec-timeout 0 0
    line aux 0
    line vty 0 4
    exec-timeout 0 0
    transport input telnet ssh
    !
    ntp clock-period 17180597
    ntp server 195.114.64.193
    end

    spirou#
     
    Alexandre, Oct 17, 2003
    #1
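As an added illustration (not part of Alexandre's post or Cisco's code), here is a small Python model of IOS first-match ACL evaluation run over an excerpt of access-list 102 from the config above. It assumes the IOS release also evaluates the inbound ACL on the decrypted packet, and uses 198.51.100.226 as a stand-in for the masked BVI29 address and 203.0.113.7 as a constructed home-user public address.

```python
import ipaddress

WAN = "198.51.100.226"  # constructed stand-in for the masked XXX.XXX.XXX.226

# Excerpt of access-list 102 from the post, in order:
# (action, protocol, source, source wildcard, destination, destination wildcard).
# Port qualifiers are left out; "any" matches everything, wildcard None = host.
ACL_102 = [
    ("deny",   "ip",  "10.0.0.0",    "0.255.255.255", "any", None),
    ("deny",   "ip",  "172.16.0.0",  "0.15.255.255",  "any", None),
    ("deny",   "ip",  "192.168.0.0", "0.0.255.255",   "any", None),
    ("deny",   "ip",  "127.0.0.0",   "0.255.255.255", "any", None),
    ("permit", "esp", "any",         None,            WAN,   None),
    ("permit", "udp", "any",         None,            WAN,   None),  # isakmp
    ("deny",   "ip",  "any",         None,            WAN,   None),
    ("deny",   "ip",  "any",         None,            "any", None),
]

def in_range(addr, net, wild):
    """IOS wildcard-mask match: bits set in the wildcard are 'don't care'."""
    if net == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild or "0.0.0.0"))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def first_match(acl, proto, src, dst):
    """Return (index, action) of the first entry a packet hits, IOS style.
    An implicit 'deny ip any any' applies when nothing matches."""
    for i, (action, p, snet, swild, dnet, dwild) in enumerate(acl):
        if p != "ip" and p != proto:   # 'ip' entries cover every protocol
            continue
        if in_range(src, snet, swild) and in_range(dst, dnet, dwild):
            return i, action
    return len(acl), "deny"

def check_vpn_client_flow(client="192.168.67.230", lan_host="192.168.67.10"):
    """Evaluate the two packets the BVI29 inbound ACL sees for one VPN client:
    the ESP packet from the home user's public address, and (on releases that
    also filter the decrypted packet) the clear-text packet from the vpn-pool
    address to a LAN host."""
    esp = first_match(ACL_102, "esp", "203.0.113.7", WAN)  # constructed source
    clear = first_match(ACL_102, "ip", client, lan_host)
    return {"esp": esp, "decrypted": clear}

if __name__ == "__main__":
    for name, (idx, action) in check_vpn_client_flow().items():
        print(f"{name:9s} -> entry {idx}: {action}")
```

Under that assumption the ESP packet is permitted by the "permit esp any host" entry, while the decrypted packet from 192.168.67.230 hits "deny ip 192.168.0.0 0.0.255.255 any log" before anything permits it, which matches the symptom described.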