[fw-wiz] Need help configuring client-side VPN to Cisco 2801

(Please bear with me, I have little firewall or Cisco knowledge, but
have been charged to make this happen)

I've got a Cisco 2801, with the firewall feature set. I've got a
client-side VPN configured (by the vendor). By client-side, I mean
connections by the users from home or wherever, using the Cisco VPN
client. I can make the connection, but I need to modify and extend it a bit.

Problem 1 - when I do connect from my laptop at home, I lose
connectivity to my local LAN resources (such as local shares and
printer), even though I have "Allow Local LAN Access" checked off in my
client config. I believe from my research that my problem is that I
don't have split-tunneling turned on, in the router config.

The router VPN config looks like this (in part; there are other
site-to-site VPNs defined, as well):

VPN addresses are 172.16.1.x
Corporate LAN = 192.168.1.x

crypto isakmp client configuration group VPN3000
 key ******
 domain mycompany.com
 pool contrib

ip local pool contrib
crypto map VPN 999 ipsec-isakmp dynamic DYNAMICMAP

But I'm confused on how to construct the ACL. And I have no
documentation for my 2801, or for IOS. I know I need to add it in the
VPN3000 stanza.

Can anyone clue me in on how to make this split tunnel ACL work? There
are ACLs in the config that both permit and deny to the 172.16 and the
192.168 address spaces, but how they fit into the picture, I don't know.
I know that I can ping and access any 192.168.1.x address when I
connect, and that I get assigned a 172.16.1.x address when I connect.

Problem 2 - I am not prompted to log into my Windows AD domain when I
connect. I am prompted for a local ID and password (defined in the
router config) when I connect. I need to be prompted for an AD ID and
password. I believe I need to point the router config at an aaa server
on my LAN (which is a Win2000 Server running IAS). But again, I am lost
as to how to specify this. A complication is that I already have a
site-to-site VPN defined with a business partner, and I *can't* take any
chances with that going down, for any reason. But since that's working
now, and is not dependent on any AD ID, my entering a "aaa server"
command shouldn't affect this other tunnel, should it?

I realize I'll probably need to provide more details, and I'm happy to
do so. And I appreciate any help anyone can give me on this project.
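The following IOS fragment is an added example and is not the poster's configuration or a reply from the list; it shows the two pieces the post asks about, using the names from the message (group VPN3000, pool contrib, crypto map VPN, dynamic map DYNAMICMAP, 192.168.1.0/24 corporate LAN, 172.16.1.0/24 client pool). Everything else is an assumption: the ACL number 101, the AAA list names VPNUSERS and VPNGROUPS, the IAS server address 192.168.1.10, the partner peer address 203.0.113.5, and the shared-secret placeholders. In IOS the split-tunnel ACL names the traffic that must be encrypted (source = corporate LAN), so anything not matched, such as the home LAN, stays local. The AD part uses a named login list for XAUTH so the router's default console/vty login behaviour is left alone, with a local fallback in case the RADIUS server is unreachable.

```cisco
! Added example; assumptions are marked, placeholders must be replaced.
!
! ---- Problem 1: split tunneling ----
! Only traffic matching this ACL is sent through the tunnel. Source is the
! corporate LAN, destination is the VPN client pool. Home LAN and Internet
! traffic fall outside the match and stay on the client's local interface.
access-list 101 remark SPLIT-TUNNEL networks reachable through VPN3000
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
! ---- Problem 2: XAUTH against AD via RADIUS (IAS) ----
! aaa new-model is global: after it is on, line logins go through AAA
! method lists. Keep the console session open and make sure a local
! "username <name> secret <pw>" exists before entering it.
aaa new-model
aaa authentication login default local
! Named list used only for VPN clients; falls back to local users if the
! RADIUS server does not answer.
aaa authentication login VPNUSERS group radius local
! Group policy (pool, domain, acl) is looked up locally. Likely already
! present under some name if the client VPN works today; shown as assumed.
aaa authorization network VPNGROUPS local
!
! ASSUMED address of the Win2000 IAS server; secret is a placeholder.
! IAS listens on 1812/1813 by default; IOS defaults to 1645/1646, so the
! ports are set explicitly to avoid a silent mismatch.
radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
radius-server retransmit 3
!
! Attach the split-tunnel ACL to the existing client group.
crypto isakmp client configuration group VPN3000
 key ******
 domain mycompany.com
 pool contrib
 acl 101
!
! Bind the AAA lists to the crypto map. Clients landing on DYNAMICMAP are
! now prompted for an AD user/password (XAUTH) instead of the router's
! local ID.
crypto map VPN client authentication list VPNUSERS
crypto map VPN isakmp authorization list VPNGROUPS
crypto map VPN client configuration address respond
crypto map VPN 999 ipsec-isakmp dynamic DYNAMICMAP
!
! Caveat for the site-to-site tunnel: once XAUTH is enabled on crypto map
! VPN, IOS will also try to XAUTH any static peer in the SAME map. Marking
! the partner's pre-shared key no-xauth keeps that tunnel unaffected.
! 203.0.113.5 and the key are placeholders for the partner's values.
crypto isakmp key PARTNER-PSK-PLACEHOLDER address 203.0.113.5 no-xauth
```

Apply the AAA lines first from a console session and confirm you can still open a second vty login before touching the crypto map; `debug radius` on the router and the IAS event log show whether the access request reaches the server and which RADIUS policy accepts or rejects it. If the site-to-site peer is defined under a different crypto map name than VPN, the `no-xauth` line is not needed, since the authentication list only binds to the map it names.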


firewall-wizards mailing list
