
VPN traffic to the internet Clarification


I have seen a few messages that touched on this, but I wanted to see if I could get a direct answer. I have a 1720 with the WIC Ethernet (E0) that connects to the internet and does NAT for the internal users; the internal interface, Fa0, is private address space. E0 has an external public IP.

Should the VPN users be able to get to the internet if they are connecting to E0? I would really prefer not to use split tunneling; besides, I can't get it to work.




Re: VPN traffic to the internet Clarification

Hi Jason,

If you are talking about Cisco VPN Client 3.x to an IOS router, the answer to your question is "no". The only way you can make that work is by using the "split-tunnelling" feature.

I believe your problem with split-tunnel not working should have something to do with the "nonat" access-list.

Would you please attach your router config, and we will work out the issue for you. Or open a case with TAC; we will help you make it work as well.

For PPTP, I do make our customers' network work fine with the tunnel-all feature. The PPTP client can go in to the router and go out to the internet again. That is because PPTP uses a virtual-template, and I bind the IP address of the virtual-template to the inside interface.

From the inside interface, "ip nat inside" is processed.

But for the IPsec VPN client, it is a different story. So the answer is no.

Please check the following config for PPTP:

vpdn enable

vpdn-group 1
 ! Default PPTP VPDN group
 protocol pptp
 virtual-template 1

crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200

interface Ethernet0
 description connected to Internet
 ip address
 ip nat outside

interface FastEthernet0
 description connected to EthernetLAN
 ip address
 ip nat inside
 speed auto

interface Virtual-Template1
 ip unnumbered FastEthernet0
 peer default ip address pool testpool
 ppp encrypt mppe 40
 ppp authentication ms-chap

router rip
 version 2
 passive-interface Ethernet0
 no auto-summary

ip local pool testpool
ip nat inside source list 101 interface Ethernet0 overload
ip classless
ip route
no ip http server
ip pim bidir-enable

access-list 101 permit ip any

snmp-server community public RO

line con 0
line aux 0
line vty 0 4
 password 7 030752180500

no scheduler allocate



Best Regards,

Paul Qiu
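
Added example, not part of Paul's post and not a Cisco tool: a Python check that a saved IOS config contains the pieces the reply relies on for PPTP tunnel-all, namely a virtual-template unnumbered to an interface marked "ip nat inside" and an overload rule out of an interface marked "ip nat outside". The sample config, its ACL addresses and the function names are constructed for illustration, and the parser assumes sub-commands are indented as in "show running-config" output.

```python
import re

# Constructed sample modelled on the posted config; the ACL addresses are placeholders.
SAMPLE = """\
interface Ethernet0
 ip nat outside
interface FastEthernet0
 ip nat inside
interface Virtual-Template1
 ip unnumbered FastEthernet0
ip nat inside source list 101 interface Ethernet0 overload
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
"""

def parse_interfaces(config):
    """Map interface name -> list of its indented sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface (\S+)\s*$", raw)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif raw[:1].isspace() and current is not None:
            current.append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            current = None  # a global command ends the interface stanza
    return interfaces

def check_pptp_nat_path(config):
    """Return a list of problems; an empty list means every piece is present."""
    ifs, problems = parse_interfaces(config), []
    templates = [n for n in ifs if n.lower().startswith("virtual-template")]
    if not templates:
        problems.append("no Virtual-Template interface")
    for name in templates:
        lent = [c.split()[2] for c in ifs[name] if c.startswith("ip unnumbered ")]
        if not lent:
            problems.append(f"{name}: no 'ip unnumbered'")
        elif "ip nat inside" not in ifs.get(lent[0], []):
            problems.append(f"{name}: {lent[0]} lacks 'ip nat inside'")
    rule = re.search(r"^ip nat inside source list (\S+) interface (\S+) overload", config, re.M)
    if not rule:
        problems.append("no 'ip nat inside source list ... overload' rule")
    else:
        acl, out = rule.groups()
        if "ip nat outside" not in ifs.get(out, []):
            problems.append(f"{out} lacks 'ip nat outside'")
        if not re.search(rf"^access-list {re.escape(acl)} permit ", config, re.M):
            problems.append(f"access-list {acl} has no permit entry")
    return problems
```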
