Cisco Support Community
SSL VPN on IOS, No Split Tunnel

I've configured SSL VPN on an 1811 router running 12.4(9) IOS. I'm using the full SSL VPN client and do not want to split tunnel the traffic. I can reach my inside resources just fine, but I cannot reach sites on the Internet. I want to tunnel my Internet traffic to the router and then have it hairpin out the same interface.

I've successfully configured this type of hairpinning on an ASA for SSL VPN, but have yet to find a way to do it in IOS. Does anyone have a sample config or suggestions?


Re: SSL VPN on IOS, No Split Tunnel

Make use of the document "SSL VPN Client (SVC) on IOS with SDM Configuration Example"

Re: SSL VPN on IOS, No Split Tunnel

Thanks. I've followed these instructions before, but the result was the same for me. I can reach internal resources, but hairpinning my traffic back out the outside interface to the Internet does not work. I'm still wondering if anyone actually has this operating in the way that I've described within their production environment.

Re: SSL VPN on IOS, No Split Tunnel

Well, according to the logic used for bringing the traffic to the ASA outside interface:

What I did is NAT the local pool traffic on the outside interface as well.

So if we use the same concept on Cisco IOS, we can solve it too:

access-list 101 permit ip <local-pool-network> <wildcard> any
ip nat inside source list 101 interface <outside-interface> overload

See if this helps.

Can you please post your configuration, as I am unable to access the resources inside from the SSL VPN users. I don't want to bring the Internet traffic towards the router, but only the local LAN traffic from remote SSL VPN users.




Re: SSL VPN on IOS, No Split Tunnel

For the traffic to be NATed on IOS it must traverse from an inside NAT interface to an outside NAT interface (or NAT-enabled interfaces).

You can try to create a loopback and set it as NAT inside, then direct the traffic from the VPN to the loopback as next hop. If the traffic is going to the inside, the router will do that automatically; if it's going to the outside, it will NAT it.

You could use policy routing.

Not sure it will work, but it worked for me in similar situations.

Let us know if it worked and rate the post...
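As an added example (not from the original thread, and not a Cisco-documented configuration), here is one way to write out the loopback-plus-policy-routing approach described in the reply above as a full IOS configuration, together with the NAT overload of the VPN pool suggested earlier in the thread. Every address, name and interface choice is an assumption: FastEthernet0 is the outside interface (203.0.113.2/30, default route via 203.0.113.1), Vlan1 is the inside LAN (192.168.1.0/24), the SVC address pool is 192.168.100.0/24, Loopback0 is 10.255.255.1/32, and the trustpoint, gateway and context names are placeholders. The webvpn context is included only to show a full-tunnel policy group (no svc split include). Whether the decrypted SVC packets are actually evaluated against the policy route map on the outside interface depends on the IOS release and platform, which the reply itself flags as uncertain.

```cisco
! Added example: hairpin full-tunnel SSL VPN client traffic back out to the Internet
! on IOS using a loopback marked "ip nat inside" plus policy routing.
! Assumed values: outside FastEthernet0 203.0.113.2/30 (default route 203.0.113.1),
! inside LAN Vlan1 192.168.1.0/24, SVC pool 192.168.100.0/24, Loopback0 10.255.255.1/32.
! Replace them to match your router.
!
ip local pool SSLPOOL 192.168.100.1 192.168.100.254
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
 ip nat inside
!
interface Vlan1
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0
 description Outside / Internet
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip policy route-map VPN-HAIRPIN
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! ACL 101: VPN-pool traffic to be hairpinned, i.e. everything from the pool
! except what is headed for the inside LAN (that is routed to Vlan1 as usual).
access-list 101 deny   ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
!
! ACL 102: sources that get PAT'd behind the outside address when leaving
! FastEthernet0: the inside LAN and the VPN pool.
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
!
ip nat inside source list 102 interface FastEthernet0 overload
!
! Decrypted SVC packets from the pool that are bound for the Internet are bounced
! through Loopback0 (a NAT-inside interface) so the inside->outside NAT rule
! applies before they leave FastEthernet0 again. Internet replies are destined
! to 203.0.113.2 and do not match ACL 101, so they are not policy-routed.
route-map VPN-HAIRPIN permit 10
 match ip address 101
 set interface Loopback0
!
webvpn gateway SSLGW
 ip address 203.0.113.2 port 443
 ssl trustpoint TP-self-signed-1
 inservice
!
webvpn context SSLCTX
 gateway SSLGW
 !
 policy group FULLTUNNEL
   functions svc-enabled
   svc address-pool "SSLPOOL"
   svc keep-client-installed
   ! no "svc split include": all client traffic, Internet included, enters the tunnel
 default-group-policy FULLTUNNEL
 inservice
```

To confirm the hairpin is taking effect, browse to an Internet site from a connected SVC client and check that show ip nat translations lists entries with an inside local address from the 192.168.100.0/24 pool; debug ip policy shows whether the decrypted packets are being matched by VPN-HAIRPIN at all. If no translations appear, the decrypted traffic is not passing through a NAT-inside interface on that release, which is the failure mode the original poster describes.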
