
Cisco VPN - split tunneling

(OP)
Hi, I have a remote access VPN set up on a Cisco 2811 which works fine. It's set up using the Cisco VPN client 5.0.

I have created various profiles which allow access to different subnets, which works OK, and also split tunnelling for internet access.

The issue I have is that when I try to map a drive, in this case in Windows 7, \\tower\documents, I can see that the broadcasts are sent out the default route in Windows, which is:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.116     20
         10.0.1.0    255.255.255.0        10.0.55.1      10.0.55.245    100
         10.0.2.0    255.255.255.0        10.0.55.1      10.0.55.245    100
         10.0.6.0    255.255.255.0        10.0.55.1      10.0.55.245    100
        10.0.27.0    255.255.255.0        10.0.55.1      10.0.55.245    100
        10.0.48.0    255.255.255.0        10.0.55.1      10.0.55.245    100
        10.0.55.0    255.255.255.0          On-link      10.0.55.245    276
        10.0.55.0    255.255.255.0        10.0.55.1      10.0.55.245    100
      10.0.55.245  255.255.255.255          On-link      10.0.55.245    276

However, the drive is actually 10.0.55.102. I have run Wireshark and can see that the broadcast goes as follows:

1439 44.650377000 192.168.0.116 192.168.0.255 NBNS 92 Name query NB TOWER<00>

Any ideas how I can implement something on the 2800 to get round this?

Cheers,

S.
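Why nothing on the 2811 can change what the capture above shows: the NBNS query is a subnet-directed broadcast (192.168.0.255) generated by the LAN adapter, so the only route it can ever match is that adapter's, and broadcasts are not forwarded across a tunnel anyway. A unicast to 10.0.55.102, by contrast, matches the 10.0.55.0/24 route and leaves via the VPN adapter. The longest-prefix lookup below makes that concrete. It is an added example, not part of the original post, written in Python over a copy of the route table the OP pasted (which is an excerpt: the 192.168.0.0/24 on-link row is missing, so in this data the LAN broadcast falls to the default route). Tie-breaking on metric after prefix length is the Windows rule; the function names are my own.

```python
import ipaddress

# Constructed copy of the Windows IPv4 route table pasted in the thread (VPN client connected).
# Columns: destination, netmask, gateway, interface, metric.
ROUTE_TABLE = """\
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.116 20
10.0.1.0 255.255.255.0 10.0.55.1 10.0.55.245 100
10.0.2.0 255.255.255.0 10.0.55.1 10.0.55.245 100
10.0.6.0 255.255.255.0 10.0.55.1 10.0.55.245 100
10.0.27.0 255.255.255.0 10.0.55.1 10.0.55.245 100
10.0.48.0 255.255.255.0 10.0.55.1 10.0.55.245 100
10.0.55.0 255.255.255.0 On-link 10.0.55.245 276
10.0.55.0 255.255.255.0 10.0.55.1 10.0.55.245 100
10.0.55.245 255.255.255.255 On-link 10.0.55.245 276
"""


def parse_routes(text):
    """Parse 'route print' style rows into dicts; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        # ipaddress treats a dotted mask as a netmask, so 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0.
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append({"network": net, "gateway": gateway,
                       "interface": iface, "metric": int(metric)})
    return routes


def lookup(routes, dst):
    """Longest-prefix match; on equal prefix length the lowest metric wins (Windows rule)."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))
    return {"network": str(best["network"]), "gateway": best["gateway"],
            "interface": best["interface"], "metric": best["metric"]}


def egress_interface(routes, dst):
    """Which adapter a packet to dst leaves on, or None if there is no matching route."""
    route = lookup(routes, dst)
    return route["interface"] if route else None


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    # The NBNS broadcast from the capture, the file server by IP, the pushed DNS server,
    # and an internet address: only the first and last leave via the LAN adapter.
    for dst in ("192.168.0.255", "10.0.55.102", "10.0.2.6", "8.8.8.8"):
        print(f"{dst:>15} -> {lookup(table, dst)}")
```

The practical consequence is the one the thread arrives at: make the name resolve to 10.0.55.102 (DNS with the right suffix, WINS, or a hosts entry) and the existing split-tunnel routes do the rest; no router-side change can steer a LAN broadcast into the tunnel.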

RE: Cisco VPN - split tunneling

You've got 3 routes to that destination network. Is your split tunnel set up to recognize the 10.0.55.0/24 network as an inside network?
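To check that question against the config the OP posts further down: on an IOS EZVPN server the `acl` in the client configuration group is the split-tunnel list, and the source side of each entry is the inside prefix the client receives as a secured route. The seven source networks of ACL 120 are exactly the seven VPN routes in the OP's route table, so the client is in group "vpn" and 10.0.55.0/24 is covered. The matcher below is an added example, not code from the thread, written in Python over a copy of ACL 120 and 130; it mirrors each entry so a client address plus a destination can be tested the way the client sees it. One caveat it surfaces: in the config as posted, group IPT pushes `dns 10.0.2.6` but ACL 130 does not include 10.0.2.0/24, so an IPT client's DNS queries would leave in the clear via its default route.

```python
import ipaddress

# Constructed copy of the split-tunnel ACLs from the router config posted in this thread.
ACL_TEXT = """\
access-list 120 permit ip 10.0.1.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 120 permit ip 10.0.2.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 120 permit ip 10.0.208.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 120 permit ip 10.0.48.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 120 permit ip 10.0.27.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 120 permit ip 10.0.6.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 120 permit ip 10.0.55.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 130 permit ip 10.0.1.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 130 permit ip 10.0.48.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 130 permit ip 10.0.208.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 130 permit ip 10.0.55.0 0.0.0.255 10.0.55.0 0.0.0.255
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_acls(text):
    """Return {acl_number: [(action, src, src_wild, dst, dst_wild), ...]} for 'ip' entries."""
    acls = {}
    for line in text.splitlines():
        p = line.split()
        if len(p) != 8 or p[0] != "access-list" or p[3] != "ip":
            continue
        entry = (p[2], _ip(p[4]), _ip(p[5]), _ip(p[6]), _ip(p[7]))
        acls.setdefault(int(p[1]), []).append(entry)
    return acls


def wildcard_match(addr, net, wild):
    """Cisco wildcard semantics: a 1 bit means 'don't care', only the 0 bits are compared."""
    return (addr ^ net) & ~wild & 0xFFFFFFFF == 0


def wildcard_to_cidr(net, wild):
    """Convert network + contiguous wildcard to CIDR; refuse discontiguous wildcards."""
    if (wild + 1) & wild:
        raise ValueError("non-contiguous wildcard mask has no CIDR equivalent")
    prefix = 32 - bin(wild).count("1")
    return str(ipaddress.IPv4Network((net, prefix), strict=False))


def pushed_networks(acls, number):
    """Inside prefixes the server pushes to clients of this group (source side of permits)."""
    nets = {wildcard_to_cidr(e[1], e[2]) for e in acls[number] if e[0] == "permit"}
    return sorted(nets, key=lambda c: int(ipaddress.IPv4Network(c).network_address))


def is_tunneled(acls, number, client_ip, dst):
    """Client view of the ACL is mirrored: client -> dst is protected when dst matches the
    entry's source and the client's pool address matches the entry's destination."""
    c, d = _ip(client_ip), _ip(dst)
    for action, src, src_wild, dstn, dst_wild in acls[number]:
        if wildcard_match(d, src, src_wild) and wildcard_match(c, dstn, dst_wild):
            return action == "permit"
    return False


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    print("group vpn routes:", pushed_networks(acls, 120))
    print("group IPT routes:", pushed_networks(acls, 130))
    for group, dst in ((120, "10.0.55.102"), (120, "192.168.0.255"), (130, "10.0.2.6")):
        print(f"acl {group}: 10.0.55.245 -> {dst} tunneled={is_tunneled(acls, group, '10.0.55.245', dst)}")
```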

RE: Cisco VPN - split tunneling

(OP)
Hi, here is the config minus passwords:

Cheers,

Scott.

DPL-530-G-010-VPN-01#wr t
Building configuration...


Current configuration : 8150 bytes
!
! Last configuration change at 11:28:26 UTC Wed Jun 18 2014 by comms
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DPL-530-G-010-VPN-01
!
boot-start-marker
boot-end-marker
!
!
logging userinfo
logging buffered 21474
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
ip domain name communicate
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3394575599
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3394575599
revocation-check none
rsakeypair TP-self-signed-3394575599
!
!
crypto pki certificate chain TP-self-signed-3394575599
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33333934 35373535 3939301E 170D3134 30343032 31343132
33315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33393435
37353539 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100DBE6 F9E83492 BB6E66F3 12628355 9D266FC1 DE8965E9 81233DD2 4394DA1A
BF2FD0FD 078F2201 44C65002 1385B96C F0884456 7C929C81 FC8F46ED 73F15160
BA4A8C74 0A559C2A 020F11F9 6B103CDD CC9CA714 B8EB8B17 F6847E94 78716294
0721CBD4 A2B5CFDE D9A54D17 4060B6A8 2CE0DF7C B3D87CEE 47174ACB 75A6D061
78770203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14A7BB8B FB5DCD8D 268BFDBA 56BD8A23 502516EB A1301D06
03551D0E 04160414 A7BB8BFB 5DCD8D26 8BFDBA56 BD8A2350 2516EBA1 300D0609
2A864886 F70D0101 05050003 8181005A BDA174E1 3E3992D7 A0BDBF1D 7964E2F4
8B622791 16B482DF 4D9BE25A 7A0ED594 1AF31AFC 42B37D80 75B19821 E896DF71
FC094029 B3DE8521 327D76B9 2BAA926C 6611E43B 6A143422 0697AFA7 B8B37A40
23910A2D EB5F324D 22745729 B21DE402 7EEB384E 0CCFD507 C177EA03 5C87391F
2DEB7379 24E767CC 422FA789 2E1B8E
quit
!
!
license udi pid CISCO2811 sn FHK1137F3AT
username comms password 7 052856022C19
username blackmansCplc privilege 15 password 7 06223F0D5B4F072B101B4118
username knightdCplc privilege 15 password 7 072B116059081737021E581F
username stylesmCplc privilege 15 password 7 08057C621E180B2507075F17
username atrium privilege 15 password 7 11280D17460706
!
redundancy
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key
dns 10.0.2.6 8.8.8.8
wins 10.0.2.6
pool ippool
acl 120
max-users 8
!
crypto isakmp client configuration group IPT
key
dns 10.0.2.6 8.8.8.8
wins 10.0.2.6
pool ippool
acl 130
max-users 8
crypto isakmp profile vpn-ike-profile-1
match identity group vpn
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
virtual-template 1
crypto isakmp profile vpn-ike-profile-2
match identity group IPT
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
!
crypto ipsec profile VPN-Profile-2
set transform-set encrypt-method-1
!
!
!
!
!
!
!
interface Loopback0
ip address 10.10.10.251 255.255.255.255
!
interface FastEthernet0/0
description inside
ip address 10.0.55.251 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description outside
ip address x.x.x.x 255.255.255.224
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-2
!
interface Virtual-Template3 type tunnel
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-2
!
!
router eigrp 100
network 10.0.0.0
!
ip local pool ippool 10.0.55.240 10.0.55.248
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.0.1.0 255.255.255.0 10.0.55.254
ip route 10.0.2.0 255.255.255.0 10.0.55.254
ip route 10.0.48.0 255.255.255.0 10.0.55.254
ip route 10.0.208.0 255.255.255.0 10.0.55.254
!
logging trap notifications
logging 10.0.55.234
access-list 100 remark NAT
access-list 100 permit ip 10.0.55.0 0.0.0.255 any
access-list 120 permit ip 10.0.1.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 120 permit ip 10.0.2.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 120 permit ip 10.0.208.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 120 permit ip 10.0.48.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 120 permit ip 10.0.27.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 120 permit ip 10.0.6.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 120 permit ip 10.0.55.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 130 permit ip 10.0.1.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 130 permit ip 10.0.48.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 130 permit ip 10.0.208.0 0.0.0.255 10.0.55.0 0.0.0.255
access-list 130 permit ip 10.0.55.0 0.0.0.255 10.0.55.0 0.0.0.255
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
banner motd ^CC
+-----------------------------------------------------------------------------------------+
: :
: _____ _ _ _____ _ _____ :
: / ____| (_) | | | __ \| | / ____| :
: | | ___ _ __ ___ _ __ ___ _ _ _ __ _ ___ __ _| |_ ___ | |__) | | | | :
: | | / _ \| '_ ` _ \| '_ ` _ \| | | | '_ \| |/ __/ _` | __/ _ \ | ___/| | | | :
: | |___| (_) | | | | | | | | | | | |_| | | | | | (_| (_| | || __/ | | | |___| |____ :
: \_____\___/|_| |_| |_|_| |_| |_|\__,_|_| |_|_|\___\__,_|\__\___| |_| |______\_____| :
: :
: :
: Unauthorized access to this device is prohibited! :
: If you are not authorised to connect to this system please disconnect now. :
: :
: Switch Model: CISCO2811 :
: IOS Version: 15.1(4)M8 - C2800NM-ADVENTERPRISEK9-M :
: :
+-----------------------------------------------------------------------------------------+^C
!
line con 0
exec-timeout 0 0
lockable
login authentication login
escape-character 3
line aux 0
line vty 0 4
password 7 072B116059081737021E581F
transport input all
escape-character 3
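One thing worth flagging about the config as posted, separate from the split-tunnel question: "minus passwords" is not quite true. `service password-encryption` produces type 7 strings, and every `username ... password 7 ...` line plus the `line vty 0 4` password are type 7, which is a fixed XOR obfuscation that anyone can reverse in a few lines; with `transport input all` on the VTYs that string is also a Telnet credential. The right fix is `username ... secret` (type 5 on this 15.1 image; types 8/9 on newer trains) and SSH-only VTYs. The code below is an added example, not from the thread, in Python: it implements the public type 7 algorithm and audits a config for reversible credentials. The config it audits and the two test strings are constructed (the classic "cisco" vectors), not the OP's real strings, which I have deliberately not decoded here.

```python
import re

# The fixed XOR key every IOS image uses for type 7 "encryption".
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Reverse a 'password 7' string: two decimal digits of seed, then one hex byte per character."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2])
    if seed >= len(XLAT):
        raise ValueError("seed out of range")
    chars = []
    for i, pos in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[pos:pos + 2], 16)
        chars.append(chr(byte ^ ord(XLAT[(seed + i) % len(XLAT)])))
    return "".join(chars)


def type7_encode(plain, seed=0):
    """Forward direction, to show the scheme is symmetric: same key, same XOR."""
    if not 0 <= seed < len(XLAT):
        raise ValueError("seed out of range")
    body = "".join(f"{ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}" for i, c in enumerate(plain))
    return f"{seed:02d}{body}"


def audit_type7(config):
    """Return (stripped line, recovered plaintext) for every 'password 7' line in an IOS config.
    Every hit is a credential that should be a 'secret' instead."""
    findings = []
    for line in config.splitlines():
        m = re.search(r"\bpassword 7 ([0-9A-Fa-f]+)\b", line)
        if m:
            findings.append((line.strip(), type7_decode(m.group(1))))
    return findings


# Constructed sample config; the hashes and strings here are not the ones posted in the thread.
SAMPLE_CONFIG = """\
username alice password 7 060506324F41
username bob secret 5 $1$constructed$placeholderhashxxxxxxxx
line vty 0 4
 password 7 094F471A1A0A
 transport input all
"""

if __name__ == "__main__":
    for line, plain in audit_type7(SAMPLE_CONFIG):
        print(f"REVERSIBLE: {line!r} -> {plain!r}")
    print(type7_encode("cisco", seed=6))
```

Type 5 (`secret`) is a salted MD5 hash and is not ideal either, but it is one-way; type 7 is not a hash at all, which is why it is safe to paste a config with `secret` lines and not one with `password 7` lines.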

RE: Cisco VPN - split tunneling

I've run into problems setting the DNS and WINS entries on remote VPNs. I'd start by removing these and see what happens. Also the reference to open DNS from the VPN connection is probably not good.

RE: Cisco VPN - split tunneling

(OP)
Hi, I've removed the DNS/WINS bits, but still no joy, it tries the 192.168.0.116 route. Any other thoughts?

Cheers,

Scott.

RE: Cisco VPN - split tunneling

Are you able to ping the IP of the server you are trying to map a drive to? If not, what does a traceroute from a VPN client to the server yield?

RE: Cisco VPN - split tunneling

(OP)
Hi, I can ping the address fine, and map to it using the address:

\\10.0.55.102\documents

However, trying to map via name fails:

\\tower\documents

Tries to go out the 192.168.0. route.

Scott.

RE: Cisco VPN - split tunneling

ipconfig /all

What is the DNS configured for your interfaces,
what are the prefixes you see as configured?

tower is NOT an FQDN. Use the FQDN and have the correct prefix pushed through the VPN and it will work.

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.

RE: Cisco VPN - split tunneling

(OP)
Hi, many thanks for that. Right, VPN connected and I get this, see below.

I think the issue is that the DNS server is in fact the ADSL router???

Cheers,

Scott.

C:\Users\scott.blackman>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : COMMS002
Primary Dns Suffix . . . . . . . : communicate.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : communicate.local

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco Systems VPN Adapter for 64-bit Windows
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::8854:e7aa:f63e:8bfe%26(Preferred)
IPv4 Address. . . . . . . . . . . : 10.0.55.245(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.0.55.254
Primary WINS Server . . . . . . . : 10.0.55.254
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 3C-97-0E-55-7B-E7
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::55e5:c611:56fc:5282%16(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.116(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 25 June 2014 10:30:04
Lease Expires . . . . . . . . . . : 26 June 2014 10:30:04
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 557618958
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-49-0C-64-9C-4E-36-7D-21-64
DNS Servers . . . . . . . . . . . : 192.168.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

RE: Cisco VPN - split tunneling

(OP)
Apologies,

No, DNS is actually the correct DNS server. I read the DHCP, not the DNS!

Cheers.

Scott.

RE: Cisco VPN - split tunneling

and what is the FQDN of tower?

Quote (Scott)

\\10.0.55.102\documents

However, trying to map via name, fails:-

\\tower\documents


When you nslookup 'tower', does it resolve to 10.0.55.102 while you are connected to the VPN? I'm betting it doesn't.

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.

RE: Cisco VPN - split tunneling

(OP)
Hi, think you're right!

What I have done is edited the lmhosts.sam file and added an entry for '10.0.55.102 tower'.

Scott.

Here's the output:

C:\Users\scott.blackman>ipconfig /flushd

Windows IP Configuration

Successfully flushed the DNS Resolver Ca

C:\Users\scott.blackman>nslookup tower
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.0.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

RE: Cisco VPN - split tunneling

Cisco says do not use nslookup to test DNS resolution on a VPN tunnel, it does not work. I've spent days trying to fix a non-existent DNS issue because instead of ping or HTTP actions I was using DNS to resolve the end point.


Furthermore, as I mentioned above, tower is NOT an FQDN. Your machine doesn't know which of the two interfaces and DNS servers to use.

tower.communicate.local

might get you there, but ping will not.
If you are editing hosts files then you did the wrong one for Windows.
windows\system32\drivers\etc\hosts

I think is the right place, going off memory.

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.

RE: Cisco VPN - split tunneling

Quote (Scott)

What I have done is edited the lmhosts.sam file and added an entry for '10.0.55.102 tower'

Um, I'm sure I'll be corrected if I am wrong, but my belief is that file does nothing. It is the "hosts" file you need to edit.

RE: Cisco VPN - split tunneling

(OP)
Hi, cheers for that. I will try it and let you know.

Cheers,

Scott.
