Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
307
Views
0
Helpful
2
Replies

Need Help with Cisco 877 vpn router

shiran
Level 1
Level 1

‎10-03-2006 01:08 AM - edited ‎02-21-2020 02:38 PM

I would like to create a VPN senario:

Home Client ==> Internet ==> VPN Server (Cisco 877) ==> Local Lan / this Works

and

Home Client ==> Internet ==> VPN Server (Cisco 877) ==> Internet (with the IP of the VPN Server go out with). / this dosent work, why?

I have the following Config

aaa new-model

!

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

!

aaa session-id common

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp client configuration address-pool local SDM_POOL_1

!

crypto isakmp client configuration group office

key voip

dns <isp_dns>

pool SDM_POOL_1

acl 102

netmask 255.255.255.0

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA

reverse-route

!

!

crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

interface ATM0

no ip address

interface ATM0.1 point-to-point

pvc 8/48

pppoe-client dial-pool-number 1

!

interface Vlan1

ip address <lan address>

crypto map SDM_CMAP_1

!

interface Dialer0

ip address negotiated

crypto map SDM_CMAP_1

!

dialer-list 1 protocol ip permit

ip local pool SDM_POOL_1 10.1.1.1 10.1.1.100

!

ip route 0.0.0.0 0.0.0.0 Dialer0

access-list 102 remark SDM_ACL Category=4

access-list 102 permit ip <lan_subnet> any

hope you can help

Thank you

Labels:
0 Helpful
2 Replies 2

m.sir
Level 7
Level 7

‎10-03-2006 02:31 AM

It doesnt work because access-list for split tunnel is configure only for your lan subnet you need change access-list 102

no access-list 102

access-list 102 permit ip any any

and all traffic from VPN client goes to VPN (including Internet traffic)

M.

Hope that helps rate if it does

0 Helpful

shiran
Level 1
Level 1
In response to m.sir

‎10-03-2006 03:13 AM

Tried this already, it dosnt work. i think it is not related to split tunnel as the split tunnel mean to what ip's allow to split there connection and not to use the route of the internal network.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents