VPN Split Tunnelling

levan5540, Level 1

Dear members, please see my lab config below; your input would be much appreciated. The database server is moving to Amazon and only accepts connections from HQ. I've got VPN users dialling in to HQ (split tunnelling) and I'd like this to stay this way.

How do I achieve this: have traffic to server A (on the public network) go through the VPN tunnel?

LAB#sh run
Building configuration...

Current configuration : 2670 bytes
!
! Last configuration change at 12:11:03 UTC Mon Mar 10 2014
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname LAB
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
ip dhcp pool main
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.10
   dns-server 8.8.8.8
   lease 7
!
!
ip cef
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FCZ15269010
!
!
username admin privilege 15 secret 5 $1$ny10$Djfl2m6Pm.uORGCH5eFMy/
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNUSERS
 key LNADMIN
 pool SDM_POOL_1
 acl 101
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPNUSERS
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback0
 ip address 172.16.16.16 255.255.255.0
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 switchport access vlan 20
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 switchport access vlan 10
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 10.10.10.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan20
 ip address xx.xx.217.195 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
!
ip local pool SDM_POOL_1 192.168.100.0 192.168.100.100
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface Vlan20 overload
ip route 0.0.0.0 0.0.0.0 xx.xx.217.193
!
logging esm config
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 208.64.38.0 0.0.0.255 any
access-list 101 permit ip 190.93.249.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input all
!
end

LAB#

Accepted Solution

There are a couple of config changes to do:

First, the server traffic has to be included in your split ACL:

! split-tunnel ACL: source = network the client must reach through the tunnel
access-list 101 permit ip host A.B.C.D any

Then the VPN traffic has to be sent back to the internet with NAT:

! add the VPN address pool to the NAT source list used by the Vlan20 overload
access-list 1 permit 192.168.100.0 0.0.0.127

! the decrypted client traffic enters on the virtual-template, so mark it inside
interface Virtual-Template1 type tunnel
  ip nat inside
 
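To check why both changes in the accepted answer are needed, here is an added Python example (not code from the thread or from Cisco) that evaluates IOS numbered ACLs with wildcard-mask semantics and walks the VPN client's packet to the database server through the posted config. The split-tunnel ACL is applied from the headend's point of view, so its source field is what the client compares a destination against; the NAT step only fires when the packet enters on an `ip nat inside` interface and matches `access-list 1`. The addresses 203.0.113.10 (for the answer's A.B.C.D), 192.0.2.195 (for the redacted Vlan20 address xx.xx.217.195) and 192.168.100.5 (one address from SDM_POOL_1) are constructed stand-ins, as is the flow being simulated.

```python
"""Simulate the split-tunnel and NAT decisions for the config in this thread.

Added example; the ACL matching follows Cisco IOS wildcard-mask rules (a set bit
in the wildcard means "don't care"). Addresses below are constructed stand-ins.
"""
import ipaddress
from dataclasses import dataclass

SERVER_A = "203.0.113.10"      # stand-in for the A.B.C.D database server in the answer
HQ_PUBLIC_IP = "192.0.2.195"   # stand-in for the redacted xx.xx.217.195 on Vlan20
VPN_CLIENT = "192.168.100.5"   # an address handed out from SDM_POOL_1

# ACL lines copied from the posted "sh run"
ORIGINAL_ACLS = [
    "access-list 1 permit 10.10.10.0 0.0.0.255",
    "access-list 101 remark CCP_ACL Category=4",
    "access-list 101 permit ip 208.64.38.0 0.0.0.255 any",
    "access-list 101 permit ip 190.93.249.0 0.0.0.255 any",
]
# The two ACL lines from the accepted answer, with the stand-in server address
FIXED_ACLS = ORIGINAL_ACLS + [
    f"access-list 101 permit ip host {SERVER_A} any",
    "access-list 1 permit 192.168.100.0 0.0.0.127",
]


def ip2int(text):
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class AclEntry:
    permit: bool
    src: int
    src_wc: int
    dst: int
    dst_wc: int


def _spec(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return ip2int(tokens.pop(0)), 0
    return ip2int(tok), ip2int(tokens.pop(0))


def parse_acls(config_lines):
    """Parse numbered standard/extended IP ACL lines into {number: [AclEntry]}."""
    acls = {}
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number, permit, rest = int(tokens[1]), tokens[2] == "permit", tokens[3:]
        if rest and rest[0] == "ip":          # extended ACL: protocol, source, destination
            rest.pop(0)
            src, src_wc = _spec(rest)
            dst, dst_wc = _spec(rest)
        else:                                 # standard ACL: source only, destination any
            src, src_wc = _spec(rest)
            dst, dst_wc = 0, 0xFFFFFFFF
        acls.setdefault(number, []).append(AclEntry(permit, src, src_wc, dst, dst_wc))
    return acls


def _match(addr, base, wildcard):
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def acl_permits(entries, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    for e in entries:
        if _match(src, e.src, e.src_wc) and _match(dst, e.dst, e.dst_wc):
            return e.permit
    return False


def client_tunnels(split_acl, client, destination):
    """Split ACL is written from the headend side: its source field lists the networks
    reached through the tunnel, so the client's destination is matched against it."""
    return acl_permits(split_acl, ip2int(destination), ip2int(client))


def source_seen_on_vlan20(nat_acl, inside_ifaces, ingress_iface, src, dst):
    """Inside-to-outside overload NAT applies only if the packet entered on an
    'ip nat inside' interface and its source matches the NAT source list."""
    if ingress_iface in inside_ifaces and acl_permits(nat_acl, ip2int(src), ip2int(dst)):
        return HQ_PUBLIC_IP
    return src


def simulate(acl_lines, nat_inside_ifaces, client=VPN_CLIENT, destination=SERVER_A):
    """Returns (tunnelled, source address the server sees) for client -> destination."""
    acls = parse_acls(acl_lines)
    if not client_tunnels(acls[101], client, destination):
        return False, client          # leaves via the client's own ISP, not via HQ
    seen = source_seen_on_vlan20(acls[1], nat_inside_ifaces, "Virtual-Template1",
                                 client, destination)
    return True, seen


if __name__ == "__main__":
    print("original config:     ", simulate(ORIGINAL_ACLS, {"Vlan10"}))
    print("ACLs fixed, no inside:", simulate(FIXED_ACLS, {"Vlan10"}))
    print("both changes applied: ", simulate(FIXED_ACLS, {"Vlan10", "Virtual-Template1"}))
```

The middle case is the one to watch for: with only the ACL edits, the packet is tunnelled but leaves Vlan20 with its 192.168.100.x source, so the server either drops it or cannot route the reply. On the router, `show ip nat translations` after a connection attempt from the client should show the pool address translated to the Vlan20 address, and `show crypto ipsec sa` should show the server's address among the encrypted flows.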

2 Replies

levan5540, Level 1

Thanks a lot Karsten :) 
