Need some help with forcing internet traffic through the VPN tunnel for a remote client. I am using Shrew as the remote client. The tunnel connects and passes traffic between the private networks. Tracert shows public traffic going through the tunnel but not leaving the remote gateway.
Hoping someone can look at config and tell me what I am missing.
Many Thanks.
Troy,
Thanks for posting your question on the forum!
You will need to modify your VPN selectors for the mobile VPN policy to reflect that internet traffic destined for the mobile VPN clients will be going over the VPN tunnel. Currently your VPN selectors look like this:
ip access-list extended VPN-20-vpn-selectors3
permit ip 192.168.100.0 0.0.0.255 192.168.203.0 0.0.0.255 log
It should look like this:
ip access-list extended VPN-20-vpn-selectors3
permit ip any 192.168.203.0 0.0.0.255 log
You will also need to create an ACL for outbound internet traffic from the mobile client:
ip access-list extended VPN-REMOTE-INTERNET
permit ip 192.168.203.0 0.0.0.255 any
The VPN client should also have 0.0.0.0 as its destination network so that all traffic goes over the VPN tunnel.
You will also need to modify the Public security zone to NAT the traffic coming over the VPN tunnel and going out to the internet.
no ip policy-class PUBLIC rpf-check
ip policy-class PUBLIC
allow list VPN-20-vpn-selectors3
nat source list VPN-REMOTE-INTERNET address <WAN IP address>
Please do not hesitate to let us know if you have any questions.
Thanks,
Noor
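Added example, not code from the thread or from the AOS device: a small Python matcher for wildcard-mask ACL entries like the ones above. It shows that the original selector never matches internet-sourced return traffic to the 192.168.203.0/24 client range while the corrected selector does, and that the VPN-REMOTE-INTERNET list catches only client-originated traffic. The internet address 203.0.113.5 is a constructed placeholder, and wildcard masks are assumed to be contiguous.

```python
import ipaddress

# ACL text as posted in the thread (trailing "log" keyword is tolerated).
ORIGINAL_SELECTOR = ["permit ip 192.168.100.0 0.0.0.255 192.168.203.0 0.0.0.255 log"]
CORRECTED_SELECTOR = ["permit ip any 192.168.203.0 0.0.0.255 log"]
NAT_LIST = ["permit ip 192.168.203.0 0.0.0.255 any"]

# Constructed sample hosts: a LAN host, a mobile client, an internet host.
LAN_HOST, CLIENT, INTERNET_HOST = "192.168.100.5", "192.168.203.10", "203.0.113.5"


def parse_network(tokens):
    """Consume one address term ('any' or 'addr wildcard'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr, wildcard = tokens[0], tokens[1]
    # Wildcard masks are inverted subnet masks; assume a contiguous mask.
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    prefixlen = bin(mask).count("1")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse 'permit|deny ip SRC DST [...]' into (action, src_net, dst_net)."""
    tokens = line.split()
    action = tokens[0]
    src, rest = parse_network(tokens[2:])
    dst, _ = parse_network(rest)
    return action, src, dst


def acl_permits(acl_lines, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end of the list."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, src_net, dst_net = parse_ace(line)
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def tunnel_carries_reply(selector, internet_ip, client_ip):
    """Gateway-side selector is written local->client; replies from the internet
    must match it or they are dropped instead of being sent down the tunnel."""
    return acl_permits(selector, internet_ip, client_ip)


if __name__ == "__main__":
    print("original selector carries reply:", tunnel_carries_reply(ORIGINAL_SELECTOR, INTERNET_HOST, CLIENT))
    print("corrected selector carries reply:", tunnel_carries_reply(CORRECTED_SELECTOR, INTERNET_HOST, CLIENT))
    print("client->internet gets NAT:", acl_permits(NAT_LIST, CLIENT, INTERNET_HOST))
```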
Thanks so much!!!!!!!!! I had all of your corrections already implemented except for "allow list VPN-20-vpn-selectors3".
I had "allow list reverse VPN-20-vpn-selectors3 stateless" instead. Switched to your correction and everything is working great.
Again Thanks, Troy