VPN Client for Public Internet on a Stick

guy.colsoul
Level 1

Hi,

I've implemented the "Router and VPN Client for Public Internet on a Stick Configuration Example" (http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml). I've added these lines to my 878 router config. I connect from a remote site with the Cisco VPN client. From the VPN client, the situation is:

- Full access to hosts on Internet = OK

- Can PING hosts at the router site (192.168.2.0)

- Have no access to hosts at the router site (192.168.2.0) = NOK

I've added these lines to my 877 configuration. At this time, the firewall is not activated.

aaa new-model
!
aaa authentication login userauthen local
!
aaa authorization network groupauthor local
!
aaa session-id common
username ... password 0 ...
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group ?
 key ?
 dns 192.168.2.110
 pool ippool
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
interface Dialer1
 ip nat outside
 ip policy route-map VPN-Client
 crypto map clientmap
ip local pool ippool 192.168.4.1 192.168.4.20
ip nat inside source list 102 interface Dialer1 overload
access-list 102 permit ip any any
access-list 144 permit ip 192.168.4.0 0.0.0.255 any
route-map VPN-Client permit 10
 match ip address 144
 set interface Loopback0

Any idea how to solve the 3rd point? All the VPN traffic is sent to the loopback interface. Do I have to modify the route-map to send only the external traffic to this interface?

Kind regards,

Guy
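To make the behaviour of the route-map in the configuration above concrete, here is an added example (not from the original post or from Cisco) that models how IOS evaluates a route-map's match ACL: entries are tested top to bottom, the first matching entry wins, and an unmatched packet hits the implicit deny and is routed normally. It reproduces access-list 144 as posted and, as an assumption for comparison only, a hypothetical variant that denies client traffic bound for 192.168.2.0/24 before the catch-all permit; the thread itself does not confirm that this variant resolves the reported problem. The addresses 192.168.4.5 and 203.0.113.10 are constructed sample values.

```python
import ipaddress

# access-list 144 as it appears in the post: every packet from the client pool
# is permitted, so the route-map sends it all to Loopback0 (an "ip nat inside"
# interface), where it is then NATed out of Dialer1.
ACL_144 = [
    ("permit", "192.168.4.0 0.0.0.255", "any"),
]

# Hypothetical variant (assumption for illustration, not from the post): a deny
# for client traffic to the router-site LAN placed before the permit, so only
# Internet-bound client traffic is policy-routed.
ACL_144_SPLIT = [
    ("deny", "192.168.4.0 0.0.0.255", "192.168.2.0 0.0.0.255"),
    ("permit", "192.168.4.0 0.0.0.255", "any"),
]


def matches(spec, ip):
    """Test one IOS 'address wildcard' term (or 'any') against an IPv4 address.

    A wildcard bit of 1 means "don't care", so the address must agree with the
    ACL address on every bit where the wildcard is 0.
    """
    if spec == "any":
        return True
    addr, wildcard = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    x = int(ipaddress.IPv4Address(ip))
    care_bits = ~w & 0xFFFFFFFF
    return ((x ^ a) & care_bits) == 0


def acl_action(acl, src, dst):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for action, src_spec, dst_spec in acl:
        if matches(src_spec, src) and matches(dst_spec, dst):
            return action
    return "deny"


def pbr_next_hop(acl, src, dst):
    """Model of 'route-map VPN-Client permit 10': a packet permitted by the
    match ACL gets 'set interface Loopback0'; anything else is routed normally
    by destination."""
    if acl_action(acl, src, dst) == "permit":
        return "Loopback0"
    return "normal routing"


if __name__ == "__main__":
    client = "192.168.4.5"          # constructed address from pool ippool
    internet_host = "203.0.113.10"  # constructed Internet destination
    lan_host = "192.168.2.50"       # constructed host on the router-site LAN
    for name, acl in (("ACL 144 as posted", ACL_144), ("hypothetical split variant", ACL_144_SPLIT)):
        print(name)
        for dst in (internet_host, lan_host):
            print(f"  {client} -> {dst}: {pbr_next_hop(acl, client, dst)}")
```

Run as written, the model shows that with the posted ACL the client's packets to the router-site LAN are policy-routed to Loopback0 exactly like Internet-bound packets, because `permit ip 192.168.4.0 0.0.0.255 any` matches both; only an entry that is evaluated before the permit can exclude a destination from the route-map. When checking a live router, `show route-map VPN-Client` reports the policy-routing match counters, which is the quickest way to confirm which packets are actually being diverted.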

1 Reply

a-vazquez
Level 6

Probably. Check the network list in the VPN server to see whether it is properly configured in such a way that the network 192.168.2.0 is allowed.