05-27-2008 07:54 AM
Greetings, I'm having problems obtaining a default gateway for a VPN client.
IKE Phase 1 and 2 run through correctly and I have specified a split tunnel list for the inside network I wish to encrypt.
The inside networks consist of several sub-interfaces which also route traffic between themselves; as advised by another member, for this to work I have added a NAT exempt statement for the internal network as below.
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.101
vlan 101
nameif access
security-level 100
ip address 172.29.255.1 255.255.255.0
!
interface Ethernet0/1.102
vlan 102
nameif voice
security-level 100
ip address 172.28.255.1 255.255.255.0
!
interface Ethernet0/1.103
vlan 103
nameif branch
security-level 100
ip address 172.27.255.1 255.255.255.0
!
interface Ethernet0/1.104
vlan 104
nameif remote
security-level 100
ip address 172.26.255.1 255.255.255.0
!
interface Ethernet0/1.998
vlan 998
nameif guest
security-level 25
ip address 172.30.255.1 255.255.255.0
!
interface Ethernet0/1.999
vlan 999
nameif native
security-level 100
ip address 172.31.255.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
access-list exempt_nat0_outbound extended permit ip 172.24.0.0 255.248.0.0 172.24.0.0 255.248.0.0
!
global (outside) 1 interface
nat (access) 0 access-list exempt_nat0_outbound
nat (access) 1 172.29.255.0 255.255.255.0
nat (voice) 0 access-list exempt_nat0_outbound
nat (branch) 0 access-list exempt_nat0_outbound
nat (remote) 0 access-list exempt_nat0_outbound
nat (guest) 1 172.30.255.0 255.255.255.0
nat (native) 0 access-list exempt_nat0_outbound
nat (native) 1 172.31.255.0 255.255.255.0
My split tunnel list includes just the "access" network on 172.29.255.0/24; I have also tried removing all the NAT statements bar a single exempt for the access network.
Any suggestions would be most welcome.
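The following is an added check, not part of the original post or the poster's configuration. It models the two ASA access-list shapes involved here (a standard ACL used as a split-tunnel list and an extended ACL used for "nat (iface) 0 access-list" exemption), evaluates them with ASA first-match, implicit-deny semantics, and answers two questions a practitioner would want answered before blaming NAT: does the posted exemption ACE cover traffic from an inside subnet to the VPN client pool, and which destinations would a split-tunnelled client send into the VPN adapter rather than to its local default gateway. The VPN pool 10.10.10.0/24 and the split-tunnel ACL name are assumptions; the thread does not give them.

```python
import ipaddress

# Constructed sample config. The exempt_nat0_outbound ACE is copied from the post;
# the split-tunnel ACL name and the 10.10.10.0/24 client pool are ASSUMED, since
# the thread never states the pool that the clients receive.
ASSUMED_POOL = "10.10.10.0 255.255.255.0"
SAMPLE_CONFIG = """
access-list exempt_nat0_outbound extended permit ip 172.24.0.0 255.248.0.0 172.24.0.0 255.248.0.0
access-list split_tunnel standard permit 172.29.255.0 255.255.255.0
""".strip().splitlines()

# The ACE that would also exempt inside -> client-pool traffic (assumed pool).
POOL_EXEMPT_ACE = "access-list exempt_nat0_outbound extended permit ip 172.24.0.0 255.248.0.0 " + ASSUMED_POOL


def _parse_target(tokens):
    """Consume one ASA address spec ('any', 'host A', or 'A NETMASK').
    ASA ACLs use netmasks such as 255.248.0.0, not IOS wildcard masks."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network((tokens[0], tokens[1]), strict=False), tokens[2:]


def parse_acls(config_lines):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in configured order.
    Only 'standard' ACLs and 'extended ... ip' ACLs are modelled."""
    acls = {}
    for line in config_lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        name, kind = t[1], t[2]
        if kind == "standard":
            action = t[3]
            src, _ = _parse_target(t[4:])
            dst = ipaddress.IPv4Network("0.0.0.0/0")
        elif kind == "extended":
            action, proto = t[3], t[4]
            if proto != "ip":
                raise ValueError("only 'ip' extended ACEs are modelled: " + line)
            src, rest = _parse_target(t[5:])
            dst, _ = _parse_target(rest)
        else:
            raise ValueError("unsupported ACL type: " + line)
        if action not in ("permit", "deny"):
            raise ValueError("bad action in: " + line)
        acls.setdefault(name, []).append((action, src, dst))
    return acls


def acl_permits(aces, src_ip, dst_ip):
    """First matching entry wins; no match means the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def nat_exempt(aces, inside_ip, remote_ip):
    """Would 'nat (iface) 0 access-list NAME' skip translation for inside -> remote?
    If False, the flow falls through to the 'nat (iface) 1' PAT rule instead."""
    return acl_permits(aces, inside_ip, remote_ip)


def via_tunnel(split_aces, dst_ip):
    """With split tunnelling the client only routes destinations listed in the
    split-tunnel ACL into the VPN adapter; everything else keeps using the
    client's own local default gateway."""
    d = ipaddress.IPv4Address(dst_ip)
    return any(action == "permit" and d in src_net for action, src_net, _ in split_aces)


def check():
    """Evaluate the posted exemption against inside-to-inside and inside-to-pool flows."""
    acls = parse_acls(SAMPLE_CONFIG)
    exempt, split = acls["exempt_nat0_outbound"], acls["split_tunnel"]
    fixed = parse_acls(SAMPLE_CONFIG + [POOL_EXEMPT_ACE])["exempt_nat0_outbound"]
    return {
        # access VLAN -> remote VLAN: both inside 172.24.0.0/13, so exempted
        "inside_to_inside_exempt": nat_exempt(exempt, "172.29.255.5", "172.26.255.9"),
        # access VLAN -> assumed client pool: not covered by the /13 <-> /13 ACE
        "inside_to_pool_exempt": nat_exempt(exempt, "172.29.255.5", "10.10.10.5"),
        # same flow once the pool ACE is added
        "inside_to_pool_exempt_fixed": nat_exempt(fixed, "172.29.255.5", "10.10.10.5"),
        # split-tunnel routing decisions on the client
        "access_net_via_tunnel": via_tunnel(split, "172.29.255.10"),
        "internet_via_tunnel": via_tunnel(split, "8.8.8.8"),
    }


if __name__ == "__main__":
    for name, value in check().items():
        print(name, value)
```

The point of the second result: the posted exemption only matches when both ends sit inside 172.24.0.0/13, so if the client pool lies outside that range, inside hosts replying to a VPN client hit "nat (access) 1" and get PATed to the outside interface, which breaks the return path even though Phase 1 and 2 complete. The last two results illustrate why no default gateway appears on the client: only the split-tunnel networks are routed into the VPN adapter.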
05-28-2008 04:04 AM
When you connect and have a successful VPN connection, you will not get a default gateway for the VPN connection, as the traffic is routed via the local virtual VPN adapter.
HTH.
05-28-2008 04:48 PM
Ah ok, makes sense. I'll check back on the firewall and see if NAT is causing a problem.
Cheers for the response.
Regards