Saturday, 17 November 2007

How to get Cisco VPN working on Vodafone

If you are using Vodafone mobile broadband or dialling up via your mobile you may wish to connect to the office via VPN. If the VPN terminates on a firewall such as a Cisco ASA you may find that it connects but you then cannot do anything.

Firstly you need to ensure that NAT-T is enabled in your IKE global parameters. It's in the VPN tab in ASDM under IKE - Global Parameters. NAT-T is what wraps the ESP traffic in UDP port 4500; without it the IKE negotiation on UDP 500 gets through the carrier's NAT but the raw ESP packets (IP protocol 50) do not, which is why the tunnel comes up but nothing flows.

Next you must ensure NAT-T is enabled in the IPsec rules for your dynamic VPN connections. It's on the IPsec - IPsec Rules tab; tick the NAT-T box for each of your dynamic VPN rules.

You should now be able to connect and access your services via Vodafone.

If you find that you can now only reach things at the office and no other sites (Google, for instance) then you are probably sending all your internet traffic through the tunnel to the office instead of just the traffic destined for office networks.

So you need to set up a split tunnel rule.

The best way is to create a new Group Policy on the firewall (or edit the one you have already set up for remote connections). When you create the new Group Policy leave everything set to Inherit except for Split Tunnel Policy and Split Tunnel Network List on the Client Configuration tab.

Set Split Tunnel Policy to 'Tunnel Network List Below'.

Then click on the Manage button below that.

You should get a pop up window called ACL Manager with no entries defined.

Click Add, select Add ACL and, when prompted for the ACL name, enter a name such as SplitTunnelList. Select the new ACL, click Add again and this time select Add ACE.

Enter the IP address of your internal network, in this example 192.168.2.0, then the network mask, in this case 255.255.255.0. Ensure Permit is ticked.

Finally select your remote access Tunnel Group and assign it the new Group Policy. Save all the settings and reconnect via VPN. Your office traffic should still work, but you should also be able to reach the internet directly over your own connection.
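For anyone who would rather do this from the console, or who wants to check what ASDM actually wrote to the running config, here is the CLI equivalent of both procedures above (NAT-T first, then the split tunnel list and group policy). This is an added example and not taken from the original post; the names outside_dyn_map, RemoteAccessPolicy and RemoteAccessGroup are assumptions, so substitute the names of your own dynamic crypto map, group policy and tunnel group. The network 192.168.2.0/24 and the ACL name SplitTunnelList are the ones used in the post.

```cisco
! Added example: CLI equivalent of the ASDM steps described in the post.
! outside_dyn_map, RemoteAccessPolicy and RemoteAccessGroup are assumed names.

! --- NAT-T (IKE - Global Parameters) ---
! Encapsulates ESP in UDP/4500 so it survives the carrier's NAT; 20 = keepalive interval in seconds
crypto isakmp nat-traversal 20

! --- NAT-T on the dynamic crypto map used by remote-access clients (IPsec Rules tab) ---
! The per-rule NAT-T tick box corresponds to nat-t-disable NOT being set on the map entry
no crypto dynamic-map outside_dyn_map 20 set nat-t-disable

! --- Split tunnel list (ACL Manager: SplitTunnelList with one ACE permitting the office LAN) ---
! ASDM creates this as a standard ACL: network and mask, no ports
access-list SplitTunnelList standard permit 192.168.2.0 255.255.255.0

! --- Group policy: only the two split tunnel settings are set, everything else inherits ---
group-policy RemoteAccessPolicy internal
group-policy RemoteAccessPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnelList

! --- Assign the group policy to the remote access tunnel group ---
tunnel-group RemoteAccessGroup general-attributes
 default-group-policy RemoteAccessPolicy

! --- Checks after reconnecting ---
! show crypto ipsec sa       : the local and remote crypto endpoints are listed with /4500 when NAT-T is in use
! show vpn-sessiondb remote  : confirms the client session and which group policy it received
```

Two things worth knowing when you apply this. The tunnelspecified policy means only traffic to 192.168.2.0/24 goes through the office; everything else leaves the laptop directly over the mobile connection, so it is no longer filtered or logged by the office firewall and the client's own host firewall and patching carry that load instead. And because the group policy is assigned per tunnel group, any other tunnel group that still inherits the default policy keeps its previous (full tunnel) behaviour, which is worth confirming with the show commands rather than assuming.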
