Allow VPN Clients Internet Access Through A Separate Gateway

Unanswered Question
Jul 30th, 2010

We have VPN clients connecting to a Cisco 2851 router; this is not our default Internet connection. We do not want to allow split tunneling. We want the VPN users to go out through our default Internet connection so that we can monitor their activity. Doing a tracert to an Internet address from a connected client, the first hop is the router to which it is connected, which then sends it directly out the Internet port. I need to route those requests to my default Internet connection.


Thanks in advance

Rahul Govindan Fri, 07/30/2010 - 07:24

So right now, is the Internet traffic from the client going through the VPN client interface? Could you post your relevant NAT and route configs?

382pch101 Fri, 07/30/2010 - 07:58

Right now they have no Internet access and are only allowed to access internal resources.

Some of the relevant config:

! Easy VPN client group: pre-shared key, DNS servers, domain and the address pool handed to clients
crypto isakmp client configuration group admins
 key PW123
 dns 10.1.1.2 10.1.1.3
 domain classic.msad.com
 pool POOL_1
 netmask 255.255.255.0
!
! Addresses assigned to VPN clients
ip local pool POOL_1 10.27.2.2 10.27.2.10
!
! Default route goes to the ISP next hop on Gi0/1; every internal network is reached via 10.27.1.1 on Gi0/0
ip classless
ip route 0.0.0.0 0.0.0.0 216.255.103.1 permanent
ip route 10.1.1.0 255.255.255.0 10.27.1.1
ip route 10.1.10.0 255.255.255.0 10.27.1.1
ip route 10.27.5.0 255.255.255.0 10.27.1.1
ip route 10.30.1.0 255.255.255.0 10.27.1.1
ip route 10.31.1.0 255.255.255.0 10.27.1.1
ip route 10.31.2.0 255.255.255.0 10.27.1.1 permanent
ip route 10.35.1.0 255.255.255.0 10.27.1.1
ip route 10.36.2.0 255.255.255.0 10.27.1.1
ip route 10.27.4.0 255.255.255.0 10.27.1.1 permanent
!
! Inside (LAN) interface
interface GigabitEthernet0/0
 ip address 10.27.1.15 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
! Outside (WAN) interface; the VPN clients terminate on the crypto map applied here
interface GigabitEthernet0/1
 description $ETH-WAN$
 ip address 216.225.103.101 255.255.255.0
 ip access-group vpn2 in
 ip mask-reply
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1


Thanks in advance

Jitendriya Athavale Fri, 07/30/2010 - 11:13

So here is what you need:

A route map on the outside sending all VPN traffic directed to anything other than internal resources to a loopback IP, and then take it from there.

So, the route map:

! Loopback that the policy-routed VPN-client traffic is sent to; it is a NAT
! "inside" interface, so traffic looped through it is translated on the way out
int loopback 0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! VPN-pool traffic to the 10.27.1.0/24 LAN is denied here, so it keeps normal
! routing; everything else from or to the pool is policy-routed
ip access-list extended 150
 deny ip 10.27.2.0 0.0.0.255 10.27.1.0 0.0.0.255
 permit ip 10.27.2.0 0.0.0.255 any
 permit ip any 10.27.2.0 0.0.0.255
!
! "default next-hop" only overrides destinations that have no explicit
! (non-default) route, so internal networks with specific routes are unaffected
route-map VPN permit 10
 match ip address 150
 set ip default next-hop 192.168.1.1
!
! Policy routing is enabled on an interface with "ip policy route-map"
int gig0/1
 ip policy route-map VPN
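The answer above stops at sending the traffic to a loopback, which is the usual starting point for hairpinning VPN clients back out the same router with NAT. The original poster's goal is different: Internet-bound VPN traffic should leave via the internal gateway at 10.27.1.1 (already the next hop for every internal route in the posted config), because that is where the default Internet connection and its monitoring sit. The following is an added example and is not part of the original thread or the answerer's config. It assumes that 10.27.1.1 is the path to the default Internet connection, that all internal networks fall within 10.0.0.0/8 (as every posted internal route does), and that the ACL and route-map name VPN-CLIENTS-TO-INTERNET is invented here.

```cisco
! Added example, not from the original thread. Assumptions: 10.27.1.1 is the
! gateway toward the default Internet connection, all internal networks are
! within 10.0.0.0/8, and the name VPN-CLIENTS-TO-INTERNET is made up here.
!
! 1. Classify decrypted VPN-client traffic: anything sourced from the client
!    pool that is NOT destined for an internal 10/8 network.
ip access-list extended VPN-CLIENTS-TO-INTERNET
 remark internal destinations are denied here, so they keep normal routing
 deny   ip 10.27.2.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark everything else from the pool is Internet-bound
 permit ip 10.27.2.0 0.0.0.255 any
!
! 2. Policy-route that traffic to the internal gateway instead of letting it
!    follow the 0.0.0.0/0 route to 216.255.103.1. "set ip next-hop" (unlike
!    "set ip default next-hop") overrides the routing table for every packet
!    the ACL permits, so the deny entry above is what protects internal traffic.
route-map VPN-CLIENTS-TO-INTERNET permit 10
 match ip address VPN-CLIENTS-TO-INTERNET
 set ip next-hop 10.27.1.1
!
! 3. Apply it inbound on the interface the clients terminate on (the one with
!    the crypto map). Decrypted packets are re-evaluated against this
!    interface's inbound policy, so the route-map sees the clear-text packets.
interface GigabitEthernet0/1
 ip policy route-map VPN-CLIENTS-TO-INTERNET
```

Two things to check after applying it. First, `show route-map VPN-CLIENTS-TO-INTERNET` reports a policy-routing match counter that should increase while a client browses; if it stays at zero the decrypted traffic is not hitting the route-map. Second, this router does not translate the traffic on this path (Gi0/0 is the NAT inside interface and these packets flow outside-to-inside), so the device at 10.27.1.1 must both NAT 10.27.2.0/24 toward the Internet and have a route for 10.27.2.0/24 back to 10.27.1.15, which it needs anyway for the clients' access to internal resources. The deny for 10.0.0.0/8 is wider than the routes actually configured; narrow it to the specific internal prefixes if the VPN clients should never reach other 10/8 space through the internal gateway.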
