Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Cisco VPN Client and default gateway

When I have users connect via the Cisco VPN Client they get a default gateway pointing to the network they connected to. I need to have their default gateway be whatever their PC was using before they opened the VPN connection. I can't find any option to disable this feature. As a result, once a user connects using the VPN client, he/she is unable to reach the internet or any other IP that is not on the VPN network. I tried to just delete the default route that the VPN client creates but that doesn't work.

3 REPLIES

Re: Cisco VPN Client and default gateway

Hello,

what you would need to implement is called split tunneling. All non-encrypted traffic is going to the local default gateway in this scenario. An example of how to conigure that is found in "Configuring Cisco VPN Client 3.5 and the Cisco Integrated Client to Secure Nonencrypted Traffic While Using Split Tunneling" at

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094b02.shtml

Hope this helps! Please rate all posts.

Regards, Martin

Community Member

Re: Cisco VPN Client and default gateway

That article only works for VPN clients connecting to VPN 3000 Concentrator; I have VPN Clients connecting to a 2800 Router.

Gold

Re: Cisco VPN Client and default gateway

below are the sample codes for configuring remote vpn access with split tunneling on router. in particular, the command "acl 130" under "crypto isakmp client configuration group vpngroup" and the acutal acl 130 are required for split tunneling.

aaa new-model

aaa authentication login vpnauthen local

aaa authorization network vpnauthor local

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp client configuration group vpngroup

key xxxxxxxx

pool vpnpool

acl 130

crypto ipsec transform-set vpnset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10

set transform-set vpnset

crypto map vpnmap client authentication list vpnauthen

crypto map vpnmap isakmp authorization list vpnauthor

crypto map vpnmap client configuration address respond

crypto map vpnmap 10 ipsec-isakmp dynamic dynmap

interface Ethernet0

ip address 192.168.1.1 255.255.255.0

ip nat inside

interface Dialer0

ip address

ip nat outside

crypto map vpnmap

ip local pool vpnpool 10.1.1.1 10.1.1.10

ip nat inside source route-map nonat interface Dialer0 overload

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 130 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

route-map nonat permit 10

match ip address 101

7687
Views
9
Helpful
3
Replies
CreatePlease to create content