02-15-2006 02:41 PM - edited 02-21-2020 02:15 PM
When I have users connect via the Cisco VPN Client they get a default gateway pointing to the network they connected to. I need to have their default gateway be whatever their PC was using before they opened the VPN connection. I can't find any option to disable this feature. As a result, once a user connects using the VPN client, he/she is unable to reach the internet or any other IP that is not on the VPN network. I tried to just delete the default route that the VPN client creates but that doesn't work.
02-15-2006 03:44 PM
Hello,
What you would need to implement is called split tunneling. All non-encrypted traffic is going to the local default gateway in this scenario. An example of how to configure that is found in "Configuring Cisco VPN Client 3.5 and the Cisco Integrated Client to Secure Nonencrypted Traffic While Using Split Tunneling" at
Hope this helps! Please rate all posts.
Regards, Martin
02-17-2006 12:56 PM
That article only works for VPN clients connecting to VPN 3000 Concentrator; I have VPN Clients connecting to a 2800 Router.
02-17-2006 05:45 PM
Below is sample code for configuring remote VPN access with split tunneling on a router. In particular, the command "acl 130" under "crypto isakmp client configuration group vpngroup" and the actual acl 130 are required for split tunneling.
aaa new-model
aaa authentication login vpnauthen local
aaa authorization network vpnauthor local
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group vpngroup
 key xxxxxxxx
 pool vpnpool
 acl 130
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set vpnset
crypto map vpnmap client authentication list vpnauthen
crypto map vpnmap isakmp authorization list vpnauthor
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Dialer0
 ip address
 ip nat outside
 crypto map vpnmap
ip local pool vpnpool 10.1.1.1 10.1.1.10
ip nat inside source route-map nonat interface Dialer0 overload
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
route-map nonat permit 10
 match ip address 101
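Added example, not part of the thread and not Cisco code: a small Python audit that reads an IOS configuration and reports, for each client configuration group, which networks the split-tunnel ACL sends through the VPN, or flags the group as full tunnel when no acl restricts it. It assumes sub-commands are indented as in "show running-config" output; the group "nosplit" and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: split-tunnel lines from the config above plus a hypothetical group with no acl.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group vpngroup
 key xxxxxxxx
 pool vpnpool
 acl 130
crypto isakmp client configuration group nosplit
 pool vpnpool
access-list 130 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+)(?: (\S+))?", re.M)

def source_network(first, second):
    """Source field of an extended ACL entry -> ip_network (contiguous wildcards only)."""
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(f"{second}/32")
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(second)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{first}/{mask}", strict=False)

def acl_sources(config):
    """Map ACL number -> source networks of its 'permit ip' entries."""
    acls = {}
    for num, first, second in ACL_RE.findall(config):
        acls.setdefault(num, []).append(source_network(first, second))
    return acls

def split_tunnel_report(config):
    """Map group name -> list of tunneled networks, or 'FULL TUNNEL'."""
    acls, report, group = acl_sources(config), {}, None
    for line in config.splitlines():
        header = re.match(r"crypto isakmp client configuration group (\S+)", line)
        acl = re.match(r" +acl (\S+)", line)
        if header:
            group = header.group(1)
            report[group] = "FULL TUNNEL"  # default until a usable acl is seen
        elif not line.startswith(" "):
            group = None  # a new top-level command ends the group block
        elif group and acl:
            nets = acls.get(acl.group(1), [])
            if nets and all(n.prefixlen > 0 for n in nets):  # 'any' is not a split
                report[group] = [str(n) for n in nets]
    return report

print(split_tunnel_report(SAMPLE_CONFIG))
```

A group reported as FULL TUNNEL behaves as in the original question: the client sends everything, including internet-bound traffic, to the VPN gateway.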