VPN traffic to the internet Clarification

jvormbaum
Level 1

Hi,

I have seen a few messages that touched on this, but I wanted to see if I could get a direct answer. I have a 1720 with the WIC Ethernet (E0) that connects to the internet and does NAT for the internal users; the internal interface, Fa0, is private address space. E0 has an external public IP.

Should the VPN users be able to get to the internet if they are connecting to E0? I would really prefer to not use split tunneling, besides I can't get it to work.

Thanks,

Jason

1 Reply

paqiu
Level 1

Hi Jason,

If you are talking about the Cisco VPN client 3.x to an IOS router, the answer to your question is "no". The only way you can make that work is by using the "split-tunnelling" feature.

I believe your problem with split-tunnel not working should be something to do with the "nonat" access-list.

Would you please attach your router config and we will work out the issue for you. Or open a case with TAC, and we will help you to make it work as well.

For PPTP, I have made our customers' network work fine with the tunnel-all feature. The PPTP client can go in to the router and go out to the internet again. That is because PPTP uses a virtual-template and I bind the IP address of the virtual-template to the inside interface.

From the inside interface, it is processed by "ip nat inside".

But for the IPsec VPN client, it is a different story. So the answer is no.

Please check following config for PPTP:

vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
!
!
interface Ethernet0
 description connected to Internet
 ip address 200.200.200.200 255.255.255.0
 ip nat outside
 half-duplex
!
interface FastEthernet0
 description connected to EthernetLAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 speed auto
!
interface Virtual-Template1
 ip unnumbered FastEthernet0
 peer default ip address pool testpool
 ppp encrypt mppe 40
 ppp authentication ms-chap
!
router rip
 version 2
 passive-interface Ethernet0
 network 10.0.0.0
 no auto-summary
!
ip local pool testpool 10.0.0.201 10.0.0.230
ip nat inside source list 101 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 207.224.117.70
no ip http server
ip pim bidir-enable
!
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
!
snmp-server community public RO
!
line con 0
line aux 0
line vty 0 4
 password 7 030752180500
 login
!
no scheduler allocate
end

Cisco1710#

Best Regards,

Paul Qiu
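An added check (not part of the reply above, and not a Cisco tool): this script parses a constructed excerpt of the PPTP config posted in the reply and reports the two things classic IOS NAT needs before VPN client traffic is translated on the way back out: the client pool must be covered by the access-list that the "ip nat inside source list" statement references, and the interface the client traffic enters on must itself carry "ip nat inside". The pool name "testpool" and interface names come from the posted config; the excerpt is trimmed to the lines the check reads.

```python
import ipaddress
import re

# Constructed excerpt of the PPTP config posted above (not taken from a live device).
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 200.200.200.200 255.255.255.0
 ip nat outside
!
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface Virtual-Template1
 ip unnumbered FastEthernet0
 peer default ip address pool testpool
!
ip local pool testpool 10.0.0.201 10.0.0.230
ip nat inside source list 101 interface Ethernet0 overload
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
"""

def nat_acl_networks(cfg):
    """Networks permitted by the ACL that 'ip nat inside source list' refers to."""
    m = re.search(r"^ip nat inside source list (\d+) ", cfg, re.M)
    if not m:
        return []
    nets = []
    for e in re.finditer(rf"^access-list {m.group(1)} permit ip (\S+) (\S+) any", cfg, re.M):
        net, wildcard = e.groups()
        # An IOS wildcard of 0.0.0.0 means a single host; other wildcards are hostmasks.
        spec = f"{net}/32" if wildcard == "0.0.0.0" else f"{net}/{wildcard}"
        nets.append(ipaddress.ip_network(spec, strict=False))
    return nets

def nat_inside_interfaces(cfg):
    """Names of interfaces configured with 'ip nat inside'."""
    inside, current = set(), None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.strip() == "ip nat inside" and current:
            inside.add(current)
    return inside

def check_vpn_nat(cfg, pool_name, ingress_interface):
    """Report whether the pool is inside the NAT ACL and whether the ingress
    interface is marked 'ip nat inside' (both needed for inside-to-outside NAT)."""
    m = re.search(rf"^ip local pool {pool_name} (\S+) (\S+)", cfg, re.M)
    first, last = (ipaddress.ip_address(a) for a in m.groups())
    acl = nat_acl_networks(cfg)
    pool_nets = ipaddress.summarize_address_range(first, last)
    return {
        "pool_in_nat_acl": all(any(p.subnet_of(n) for n in acl) for p in pool_nets),
        "ingress_nat_inside": ingress_interface in nat_inside_interfaces(cfg),
    }

if __name__ == "__main__":
    print(check_vpn_nat(SAMPLE_CONFIG, "testpool", "Virtual-Template1"))
```

On the excerpt the pool lands inside the 10.0.0.0/24 NAT ACL, but Virtual-Template1 is not itself marked "ip nat inside" (ip unnumbered borrows the address, not the NAT role), which is the line to compare against a working device.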