Split tunneling breaks IOS VPN - 3.5 client

Hi,

I have the configuration below working on a 1720. It works fine if I don't try to enable split tunneling. If I add the ACL 108 to the isakmp group then they can only get to the internet, they are unable to get to the private network. Anybody see any obvious mistakes?

Also, why can't the users get to the internet without split tunneling? I don't care if they had to go through the tunnel, actually I might prefer it. Why can't the router route and NAT the packets from the VPN clients?

Thanks,

Jason

version 12.2
no parser cache
service password-encryption
!
hostname access-1
!
logging buffered 4096 debugging
aaa new-model
!
!
aaa authentication login default group radius enable
aaa authentication login userauthen group radius enable
aaa authorization network groupauthor local
aaa session-id common
enable secret 5 xxxxxxxxxxxxxxxxxx
!
ip subnet-zero
!
!
ip domain-name domain.com
ip name-server 192.168.0.1
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group Remote-Users
 key cisco123
 dns 192.168.0.1
 wins 192.168.0.1
 domain domain.com
 pool VPN-IP
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 ip address 207.xxx.xxx.3 255.255.255.240
 ip access-group ACL-in in
 ip nat outside
 half-duplex
 no cdp enable
 crypto map clientmap
!
interface FastEthernet0
 ip address 192.168.0.3 255.255.255.0
 ip nat inside
 speed auto
!
ip local pool VPN-IP 14.1.1.1 14.1.1.254
ip nat pool NAT-POOL 207.xxx.xxx.13 207.xxx.xxx.15 prefix-length 28
ip nat inside source list 1 pool NAT-POOL overload
ip nat inside source static 192.168.0.1 207.xxx.xxx.2
ip classless
ip route 0.0.0.0 0.0.0.0 207.xxx.xxx.1
no ip http server
ip pim bidir-enable
!
!
ip access-list extended ACL-in
 deny ip host 207.xxx.xxx.3 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit tcp any any established
 permit tcp any host 207.xxx.xxx.2 eq smtp
 permit tcp any host 207.xxx.xxx.2 eq www
 permit udp host 204.34.198.40 any eq ntp
 permit udp host 204.34.198.41 any eq ntp
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 permit icmp any any net-unreachable
 permit icmp any any host-unreachable
 permit icmp any any administratively-prohibited
 permit icmp any any packet-too-big
 permit ip 14.1.1.0 0.0.0.255 any
 permit udp any gt 1023 host 207.xxx.xxx.2 eq domain
 permit udp any eq isakmp host 207.xxx.xxx.3 eq isakmp
 permit esp any host 207.xxx.xxx.3
 permit tcp any any eq 22
 deny ip any any log
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 108 permit ip 192.168.0.0 0.0.0.255 any
!
radius-server host 192.168.0.1 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key 7 xxxxxxxxxxxxxxxxxxxxx
!
!
end
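Added example, not part of the original thread or of Cisco's tooling: a small Python check, run against a constructed excerpt of the config above, for one interaction worth ruling out when split tunneling is enabled. IOS translates inside-to-outside traffic before the crypto map is consulted, so when the NAT ACL (here the standard list 1) also permits LAN traffic destined to the client pool, replies to 14.1.1.x have their source rewritten before the split-tunnel proxy identity (192.168.0.0/24 to the client address) is matched; nat_check reports any NAT ACL with no deny for the pool. The names nat_check, parse and take_addr are the example's own.

```python
import ipaddress
# Constructed excerpt of the posted 1720 config: only the lines this check reads.
POSTED = ("ip local pool VPN-IP 14.1.1.1 14.1.1.254\n"
          "ip nat inside source list 1 pool NAT-POOL overload\n"
          "access-list 1 permit 192.168.0.0 0.0.0.255\n")

def take_addr(tokens):
    # Consume one IOS address spec: 'any', 'host A', 'A WILDCARD' or a bare 'A'.
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host" or not tokens:
        return ipaddress.IPv4Network((tokens.pop(0) if t == "host" else t) + "/32")
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens.pop(0)))
    return ipaddress.IPv4Network((t, str(ipaddress.IPv4Address(mask))), strict=False)

def parse(config):
    # Returns (client pools, NAT ACL numbers, {acl: [(action, src, dst)]}); dst is None for standard ACLs.
    pools, nat_lists, acls = [], [], {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "local", "pool"]:
            pools.append((ipaddress.IPv4Address(tok[4]), ipaddress.IPv4Address(tok[5])))
        elif tok[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_lists.append(tok[5])
        elif tok[:1] == ["access-list"] and len(tok) > 3:
            number, action, rest = tok[1], tok[2], tok[3:]
            if rest[0] == "ip":                    # extended 'ip' entry: source and destination
                rest.pop(0)
                src, dst = take_addr(rest), take_addr(rest)
            elif rest[0] in ("any", "host") or rest[0][0].isdigit():   # standard entry: source only
                src, dst = take_addr(rest), None
            else:                                  # tcp/udp/icmp entries carry ports; skipped here
                continue
            acls.setdefault(number, []).append((action, src, dst))
    return pools, nat_lists, acls

def nat_check(config):
    # IOS applies inside-to-outside NAT before the crypto map is consulted, so a NAT ACL that
    # permits LAN -> client-pool traffic rewrites the source before the split-tunnel proxy match.
    pools, nat_lists, acls = parse(config)
    findings = []
    for number in nat_lists:
        for first, last in pools:
            for action, src, dst in acls.get(number, []):
                if dst is None or (first in dst and last in dst):   # first matching entry decides
                    if action == "permit":
                        findings.append(f"ACL {number}: {src} -> {first}-{last} translated before encryption")
                    break
    return findings
```

With an extended NAT ACL whose first entry denies 192.168.0.0 0.0.0.255 to 14.1.1.0 0.0.0.255, nat_check returns no findings. Only numbered access-list lines are read, so the named ACL-in list on the outside interface is not inspected.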

1 REPLY

Re: Split tunneling breaks IOS VPN - 3.5 client

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.
