Community Member

No split-tunnel for software vpn termination on cisco IOS router

Scenario:

Cisco software vpn client that terminates on a cisco 1760 router.

The VPN works fine right now. The client wants to get rid of split tunnelling and wants all internet traffic to go through the 1760 it terminates on. I can't seem to make it work. Could someone please tell me what I need to change to make this happen? The clients would have to hairpin out the same interface they terminate on. Below is the relevant config.

aaa new-model
!
aaa authentication login userauth local
aaa authentication login clientauth local
aaa authorization network groupauthor local
aaa session-id common
!
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key **********
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group COMPANYvpn
 key **********
 dns 10.4.0.10
 domain domain.com
 pool ippool
 acl 105
crypto isakmp profile L2L
 description LAN-to-LAN for spoke router(s) connection
 keyring spokes
 match identity address 0.0.0.0
crypto isakmp profile VPNclient
 description VPN clients profile
 match identity group COMPANYvpn
 client authentication list clientauth
 isakmp authorization list groupauthor
 client configuration address respond
!
crypto ipsec transform-set COMPANYset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
 set transform-set COMPANYset
 set isakmp-profile VPNclient
 reverse-route
crypto dynamic-map dynmap 10
 set transform-set COMPANYset
 set isakmp-profile L2L
!
crypto map COMPANYmap 10 ipsec-isakmp dynamic dynmap
interface Serial0/0:0
 ip nat outside
 crypto map COMPANYmap
interface FastEthernet0/0.1
 description Inside LAN Interface
 encapsulation dot1Q 1 native
 ip address 10.4.0.254 255.255.255.0
 ip nat inside
ip local pool ippool 172.16.0.1 172.16.0.100
ip nat inside source route-map nonat interface Serial0/0:0 overload
access-list 102 deny ip 10.4.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 deny ip 10.4.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 permit ip 172.16.0.0 0.0.0.255 any
access-list 102 permit ip 10.4.0.0 0.0.0.255 any
access-list 105 permit ip 10.4.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 105 permit ip 10.4.0.0 0.0.0.255 10.4.0.0 0.0.0.255
route-map nonat permit 102

5 REPLIES
Gold

Re: No split-tunnel for software vpn termination on cisco IOS ro

A loopback interface is required for the NAT inside.

e.g.

int loopback 1
 ip address 1.1.1.1 255.255.255.0
 no shut
 ip nat inside
access-list 100 deny ip
access-list 100 permit ip any
route-map policy-route permit 10
 match ip address 100
 set ip next-hop 1.1.1.2
interface Serial0/0:0
 ip policy route-map policy-route

Community Member

Re: No split-tunnel for software vpn termination on cisco IOS ro

I tried adding the following to the router with no success. I was able to connect, but internet traffic still went out my gateway, not the router's.

int loopback 1
 ip address 1.1.1.1 255.255.255.0
 no shut
 ip nat inside
access-list 100 deny ip 172.16.0.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.0.255 any
route-map policy-route permit 10
 match ip address 100
 set ip next-hop 1.1.1.2
interface Serial0/0:0
 ip policy route-map policy-route

Were the ACL 100 commands supposed to be applied to ACL 102? I.e. add those entries to ACL 102, or is it supposed to be a completely different ACL? I tried it using a completely different ACL number.

Am I supposed to remove the "acl 105" statement from the crypto map?

In ACL 100, was 172.16.0.0/24 supposed to be denied from the 1.1.1.0/24 network, or from the 10.4.0.0/24 network like I did it?

Do I need to add the 1.1.1.0/24 network to the NAT ACL 102?

Sorry, I am not really understanding how this is going to make this work. It's above what I currently understand.

Thanks

Gold

Re: No split-tunnel for software vpn termination on cisco IOS ro

crypto isakmp client configuration group COMPANYvpn
 key **********
 dns 10.4.0.10
 domain domain.com
 pool ippool
 acl 105

The command "acl 105" needs to be removed.

hcr
Community Member

Re: No split-tunnel for software vpn termination on cisco IOS ro

Hi, I did this yesterday and it works:

access-l 160 permit ip 172.16.0.0 0.0.0.255 any
ip nat inside source list 160 interface Serial0/0:0 overload
route-map foreinternet permit 10
 match ip address 160
 set interface Loopback1
interface Loopback1
 ip address 10.1.1.1 255.255.255.252
 ip nat inside
!
interface Serial0/0:0
 ip nat outside
 crypto map COMPANYmap
 ip policy route-map foreinternet
crypto isakmp client configuration group COMPANYvpn
 no acl 105

Try this, I got it working yesterday.

Best regards, Henrik
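A small check for the changes Henrik lists, added here as an example (not from the thread or from Cisco): it parses the relevant IOS lines and reports whether the four things the replies converged on are in place, i.e. no split-tunnel ACL under the client group, the client pool permitted by the NAT ACL, a loopback marked ip nat inside, and policy routing on the outside interface. The config it runs on is constructed for this example, 203.0.113.9 is a documentation address standing in for any internet host, and stanza detection assumes the usual one-space IOS indentation.

```python
import ipaddress
import re
# Constructed sample (for this example, not copied from a device): the poster's fragments merged with the thread's working changes.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group COMPANYvpn
 pool ippool
interface Loopback1
 ip address 10.1.1.1 255.255.255.252
 ip nat inside
interface Serial0/0:0
 ip nat outside
 ip policy route-map foreinternet
access-l 160 permit ip 172.16.0.0 0.0.0.255 any
ip nat inside source list 160 interface Serial0/0:0 overload
route-map foreinternet permit 10
 match ip address 160
 set interface Loopback1
"""
SUB = r"(?: .*\n)*? "  # zero or more indented sub-commands of a stanza, matched lazily

def _net(tokens):  # consume 'any' or 'ADDR WILDCARD'; an IOS wildcard is the inverted netmask
    addr = tokens.pop(0)
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens.pop(0))))
    return ipaddress.ip_network((addr, str(mask)), strict=False)

def parse_acls(config):  # ACL number -> ordered (action, src_net, dst_net) entries
    acls = {}
    for line in config.splitlines():
        m = re.match(r"^access-l\S*\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$", line.strip())
        if m:
            tokens = m.group(3).split()
            src, dst = _net(tokens), _net(tokens)
            acls.setdefault(m.group(1), []).append((m.group(2), src, dst))
    return acls

def acl_permits(entries, src_ip, dst_ip):  # first match wins, implicit deny at the end
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action == "permit"
    return False

def hairpin_checks(config, client_ip="172.16.0.5", internet_ip="203.0.113.9"):
    nat = re.search(r"^ip nat inside source list (\d+) interface \S+ overload", config, re.M)
    grp = r"^crypto isakmp client configuration group .*\n"
    return {
        "no_split_tunnel_acl": bool(re.search(grp, config, re.M)) and not re.search(grp + SUB + r"acl \d+", config, re.M),
        "pool_is_natted": bool(nat) and acl_permits(parse_acls(config).get(nat.group(1), []), client_ip, internet_ip),
        "loopback_is_nat_inside": bool(re.search(r"^interface Loopback\d+\n" + SUB + "ip nat inside", config, re.M)),
        "pbr_on_outside": bool(re.search(r"^ ip nat outside\n" + SUB + "ip policy route-map", config, re.M)),
    }
```

Putting "acl 105" back under the client group flips no_split_tunnel_acl to False, which is the split-tunnel state the original config is in.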

Community Member

Re: No split-tunnel for software vpn termination on cisco IOS ro

I have a question regarding the NAT statement. Is it possible to have two different NAT overload statements on the router? Or do I have to integrate this loopback network into my existing ACL, which uses ACL 102?

I would like to just try this, but since it is a production network, I can't start making changes until I get it right.
