Tunnel All traffic through VPN

shekharmore003
Level 1

Hi,

I am using a Cisco AWS router with version 15.4. I have set up a remote access VPN and it is working fine with split tunneling, but if I set up a VPN to tunnel all the traffic (including Internet) it is not working, meaning I am not able to access the Internet.

Internal Network - 10.0.1.0 0.0.0.255

VPN Pool - 192.168.10.2 - 192.168.10.10

External interface - GigabitEthernet1

Inside Interface - GigabitEthernet2

crypto isakmp policy 12
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group awcvpn
 key Cisco123
 pool vpnpool
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map awpmap client authentication list vpnauthn
crypto map awpmap isakmp authorization list vpnauthr
crypto map awpmap client configuration address respond
crypto map awpmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface VirtualPortGroup0
 ip unnumbered GigabitEthernet1
!
interface GigabitEthernet1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 ip policy route-map VPN-Client
 negotiation auto
 crypto map awpmap
!
interface GigabitEthernet2
 ip address 10.0.1.105 255.255.255.0
 ip nat inside
 negotiation auto
!
!
virtual-service csr_mgmt
!
ip local pool vpnpool 192.168.10.2 192.168.10.10
ip nat inside source list 111 interface GigabitEthernet1 overload
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
access-list 111 deny   ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 permit ip 10.0.1.0 0.0.0.255 any
access-list 111 deny   ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 111 permit ip 192.168.10.0 0.0.0.255 any
access-list 144 permit ip 192.168.10.0 0.0.0.255 any
!
route-map VPN-Client permit 10
 match ip address 144
 set ip next-hop 10.11.0.2

5 Replies

What is IP 10.11.0.2 assigned to?

Without knowing the actual circumstances I would suggest first removing the route-map from the Gig1 interface, or at least making ACL 144 more specific than having any as the destination.

--

Please remember to select a correct answer and rate helpful posts
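As an added example (not from the thread, Cisco, or the linked document), a small Python check that runs the questions raised above against the posted config: whether the route-map next-hop falls inside a connected subnet of an "ip nat inside" interface (in the linked "on a stick" design that is the loopback, and the address itself need not be a live host), whether the VPN pool is permitted by the NAT ACL, and whether the PBR ACL's "any" destination also steers LAN-bound client traffic. The config excerpt and the 198.51.100.1 test destination are constructed for the example.

```python
import ipaddress
import re
# Constructed excerpt of the IOS config posted above: only the lines the checks read.
CFG = """
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
ip local pool vpnpool 192.168.10.2 192.168.10.10
access-list 111 permit ip 192.168.10.0 0.0.0.255 any
access-list 144 permit ip 192.168.10.0 0.0.0.255 any
route-map VPN-Client permit 10
 match ip address 144
 set ip next-hop 10.11.0.2
"""
INTERNET = ipaddress.IPv4Address("198.51.100.1")  # constructed public destination address

def acl(cfg, num):
    """Yield (action, src_net, dst_net) for each 'access-list N permit|deny ip SRC DST' line."""
    def net(t):  # 'any' or ADDR WILDCARD; ipaddress reads an IOS wildcard as a hostmask
        return (ipaddress.IPv4Network("0.0.0.0/0"), t[1:]) if t[0] == "any" \
            else (ipaddress.IPv4Network(f"{t[0]}/{t[1]}"), t[2:])
    for act, rest in re.findall(rf"^access-list {num} (permit|deny)\s+ip\s+(.+)$", cfg, re.M):
        src, rest = net(rest.split())
        yield act, src, net(rest)[0]

def interfaces(cfg):
    """Yield (name, connected IPv4Network or None, NAT role or None) per interface block."""
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", cfg, re.M):
        addr = re.search(r"^ ip address (\S+) (\S+)$", body, re.M)
        nat = re.search(r"^ ip nat (inside|outside)", body, re.M)
        yield name, addr and ipaddress.IPv4Interface(f"{addr[1]}/{addr[2]}").network, nat and nat[1]

def audit(cfg):
    """Apply the checks raised in the thread; returns a list of findings (empty = consistent)."""
    findings = []
    hop = ipaddress.IPv4Address(re.search(r"set ip next-hop (\S+)", cfg)[1])
    pool = ipaddress.IPv4Address(re.search(r"ip local pool \S+ (\S+)", cfg)[1])
    # 1. The next-hop need not be a live host, but it must sit in a connected subnet of a
    #    NAT-inside interface so hairpinned client traffic re-enters routing and is translated.
    via = [(n, nat) for n, subnet, nat in interfaces(cfg) if subnet and hop in subnet]
    if not via:
        findings.append(f"next-hop {hop} is in no connected subnet")
    elif via[0][1] != "inside":
        findings.append(f"{via[0][0]} holds next-hop {hop} but lacks 'ip nat inside'")
    # 2. Pool traffic bound for the internet must hit a permit in the NAT ACL (implicit deny).
    if next((a for a, s, d in acl(cfg, 111) if pool in s and INTERNET in d), "deny") != "permit":
        findings.append(f"NAT ACL 111 never translates pool address {pool}")
    # 3. Marius's point: 'any' as the PBR destination also steers LAN-bound client traffic.
    if any(a == "permit" and d.prefixlen == 0 for a, _, d in acl(cfg, 144)):
        findings.append("PBR ACL 144 matches every destination, including the LAN")
    return findings
```

Run against the posted config it reports only the ACL 144 point; moving the next-hop out of the loopback subnet or dropping "ip nat inside" from Loopback0 adds a finding for each.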

Hi Marius,

Thank you for the reply.

10.11.0.2 is not assigned to anything. I was just following this doc:

http://www.cisco.com/c/en/us/support/docs/security/vpn-client/71461-router-vpnclient-pi-stick.html

About that IP, one guy says that we can use any IP. I am also confused there.

 

Is this your full configuration or have you left some config out?

If this is your whole config then you need to add a default route:

ip route 0.0.0.0 0.0.0.0 dhcp

Try adding that and then test. Let us know how it goes.

--

Please remember to select a correct answer and rate helpful posts

It's a virtual router in the Amazon cloud and the default route is already present:

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 10.0.0.1

Were you able to get this resolved?
