06-27-2002 09:14 PM - edited 02-21-2020 11:50 AM
Hi,
I have seen a few messages that touched on this, but I wanted to see if I could get a direct answer. I have a 1720 with the WIC Ethernet (E0) that connects to the internet and does NAT for the internal users; the internal interface, Fa0, is private address space. E0 has an external public IP.
Should the VPN users be able to get to the internet if they are connecting to E0? I would really prefer not to use split tunneling; besides, I can't get it to work.
Thanks,
Jason
06-27-2002 10:55 PM
Hi Jason,
If you are talking about the Cisco VPN client 3.x to an IOS router, the answer to your question is "no". The only way you can make that work is by using the "split-tunnelling" feature.
I believe your problem with split-tunnel not working should have something to do with the "nonat" access-list.
Would you please attach your router config, and we will work out the issue for you. Or open a case with TAC; we will help you to make it work as well.
For PPTP, I do make our customers' network work fine with the tunnel all feature. The PPTP client can go in to the router and go out to the internet again. That is because PPTP uses a virtual-template and I bind the IP address of the virtual-template to the inside interface.
From the inside interface, "ip nat inside" is processed.
But for the IPSec VPN client, it is a different story. So the answer is no.
Please check the following config for PPTP:
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
!
!
interface Ethernet0
 description connected to Internet
 ip address 200.200.200.200 255.255.255.0
 ip nat outside
 half-duplex
!
interface FastEthernet0
 description connected to EthernetLAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 speed auto
!
interface Virtual-Template1
 ip unnumbered FastEthernet0
 peer default ip address pool testpool
 ppp encrypt mppe 40
 ppp authentication ms-chap
!
router rip
 version 2
 passive-interface Ethernet0
 network 10.0.0.0
 no auto-summary
!
ip local pool testpool 10.0.0.201 10.0.0.230
ip nat inside source list 101 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 207.224.117.70
no ip http server
ip pim bidir-enable
!
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
!
snmp-server community public RO
!
line con 0
line aux 0
line vty 0 4
 password 7 030752180500
 login
!
no scheduler allocate
end
Cisco1710#
Best Regards,
Paul Qiu
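Added example, not part of the original post or Cisco's tooling: a small Python check of the three conditions the answer above relies on for tunnel-all PPTP clients (the virtual-template borrows its address from an "ip nat inside" interface, the client pool is permitted by the NAT access-list, and the overload interface is "ip nat outside"). The function names and the trimmed sample config are assumptions made for illustration; the config text is expected indented as IOS prints it.

```python
import ipaddress
import re

# Constructed sample: the hairpin-relevant lines of the PPTP config in the post above.
SAMPLE = """\
interface Ethernet0
 ip nat outside
interface FastEthernet0
 ip nat inside
interface Virtual-Template1
 ip unnumbered FastEthernet0
 peer default ip address pool testpool
ip local pool testpool 10.0.0.201 10.0.0.230
ip nat inside source list 101 interface Ethernet0 overload
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
"""

def interfaces(cfg):
    """Map interface name -> list of its (indented) sub-commands."""
    return {name: [l.strip() for l in body.splitlines()]
            for name, body in re.findall(r"^interface (\S+)\n((?: .*\n?)*)", cfg, re.M)}

def acl_permits(cfg, acl, addr):
    """True if a 'permit ip <net> <wildcard> any' line of the ACL matches addr (an int)."""
    for net, wild in re.findall(rf"^access-list {acl} permit ip (\S+) (\S+) any", cfg, re.M):
        care = ~int(ipaddress.ip_address(wild)) & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
        if addr & care == int(ipaddress.ip_address(net)) & care:
            return True
    return False

def hairpin_report(cfg, vt="Virtual-Template1"):
    """Check the three conditions the answer relies on for tunnel-all PPTP clients."""
    ifs = interfaces(cfg)
    sub = ifs.get(vt, [])
    donor = next((c.split()[2] for c in sub if c.startswith("ip unnumbered ")), "")
    pool = next((c.split()[-1] for c in sub if " address pool " in c), "")
    rng = re.search(rf"^ip local pool {re.escape(pool)} (\S+) (\S+)", cfg, re.M) if pool else None
    nat = re.search(r"^ip nat inside source list (\d+) interface (\S+) overload", cfg, re.M)
    # Every address of the client pool must be translated, so test the whole range.
    addrs = range(int(ipaddress.ip_address(rng[1])), int(ipaddress.ip_address(rng[2])) + 1) if rng else []
    return {
        "donor_is_nat_inside": "ip nat inside" in ifs.get(donor, []),
        "egress_is_nat_outside": bool(nat) and "ip nat outside" in ifs.get(nat[2], []),
        "pool_in_nat_acl": bool(rng and nat) and all(acl_permits(cfg, nat[1], a) for a in addrs),
    }
```

Calling hairpin_report(SAMPLE) returns all three conditions as True; a pool outside 10.0.0.0/24 or a virtual-template unnumbered to Ethernet0 turns the matching entry False.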