Hi There,
I used SDM to setup a VPN server with split tunneling. The remote users can connect in fine and browse the internal network, and users at the HQ can get out to the internet fine. However, I have a public wifi subnet that also needs internet access, and they cannot get out to the internet unless I Nat their subnet. But doing this then prevents the remote VPN users from browsing the internal network.
Here's what I changed.
ORIGINAL (Remote VPN works, but Wifi subnet has no internet access)
ip route 172.16.55.0 255.255.255.0 Ethernet0
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
access-list 10 remark SDM_ACL Category=16
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=2
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.1
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.2
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.3
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.4
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.5
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.6
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.7
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.8
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.9
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.10
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit icmp any any
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any time-exceeded
access-list 199 permit icmp any any packet-too-big
access-list 199 permit icmp any any traceroute
access-list 199 permit icmp any any unreachable
access-list 199 permit udp any any eq bootpc
access-list 199 permit gre any any
access-list 199 permit esp any any
access-list 199 permit udp any eq isakmp any eq isakmp
access-list 199 permit udp any any eq non500-isakmp
access-list 199 permit udp any any eq isakmp
access-list 199 permit tcp any any eq 1723
access-list 199 permit udp any any eq domain
access-list 199 permit tcp any any eq domain
access-list 199 deny udp any any eq snmp
access-list 199 deny tcp any any
access-list 199 deny udp any any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 101
!
*************************************************************************************************
CHANGED TO THIS (Now the 172.16.55.0 & 172.16.56.0 networks have internet access, but the Remote VPN users cannot browse the 192.168.2.0 network)
!
ip local pool SDM_POOL_1 10.10.55.1 10.10.55.10
ip route 172.16.55.0 255.255.255.0 Ethernet0
ip route 172.16.56.0 255.255.255.0 Ethernet0
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 192.168.2.254 222 interface Dialer1 222
ip nat inside source static tcp 192.168.2.254 221 interface Dialer1 221
ip nat inside source static tcp 192.168.2.254 220 interface Dialer1 220
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
access-list 10 remark SDM_ACL Category=16
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 permit 172.16.55.0 0.0.0.255
access-list 10 permit 172.16.56.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=2
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.1
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.2
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.3
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.4
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.5
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.6
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.7
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.8
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.9
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.10.55.10
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit ip 172.16.55.0 0.0.0.255 any
access-list 102 permit ip 172.16.56.0 0.0.0.255 any
access-list 102 permit icmp any any
access-list 199 permit tcp any any range 220 222
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any time-exceeded
access-list 199 permit icmp any any packet-too-big
access-list 199 permit icmp any any traceroute
access-list 199 permit icmp any any unreachable
access-list 199 permit udp any any eq bootpc
access-list 199 permit gre any any
access-list 199 permit esp any any
access-list 199 permit udp any eq isakmp any eq isakmp
access-list 199 permit udp any any eq non500-isakmp
access-list 199 permit udp any any eq isakmp
access-list 199 permit tcp any any eq 1723
access-list 199 permit udp any any eq domain
access-list 199 permit tcp any any eq domain
access-list 199 deny udp any any eq snmp
access-list 199 deny tcp any any
access-list 199 deny udp any any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 101
Can someone tell me where I've gone wrong?
Thanks,
Keith
