I enter the following line in our router

ip route 24.199.x.x 255.255.255.255 10.x.x.x and still no luck.

It is the internet end. I have also tried to route the address of the hardware client to the address of the vpn concentrator.

remote site <--> vpn hardware client <--> internet <--> vpn concentrator <--> local site

user from remote site can access local site via the vpn tunnel; however not that server 24.199.x.x from the internet.

i was wondering if user from the remote site can access internet but not this particular server or no user from remote site can access internet at all. if later one is the case, then split tunnel needs to be configured on the vpn concentrator.

you will need to configure a network list before you can complete the configuration. the network list should include only the local site lan, in other words, the list will restrict what traffic to be transmitted via the vpn. further, to configure network list, go Configuration>Policy Management>Traffic Management>Network Lists

then go Configuration>User Management>Groups>Client Config>Split Tunneling Policy and select "Only tunnel networks in the list" and select the network list being created under "Split Tunneling Network List"

Hi "princefra",

Any update?

If I create a static IP on our router from the VPN hardware client and point it to our Internet router they all have internet access and they can ping anyone internally, they cannot ping outside by IP our name. I will try to split the tunnel.

Thanks,

just wondering how you go

Still not working. When I run trace route from a PC on the Cisco Hardware Clientside the route stops at the Cisco VPN concentrator.

please excuse me for not understanding your post. where is the router? and the internet router etc

please verify the topology below:

remote site <--> vpn hardware client <--> internet <--> vpn concentrator <--> local site

The VPN hardware Client is on a 192.x.x.x network and handing out a 10.9.x.x DHCP address.The VPN Harware Client connects to our VPN Concentrator that is on a 10.x.x.x network then our Router and then the Internet Router all on a 10.x.x.x Network. I put a static route in the Router for 10.9.x.x to the 10.x.x.x

address of the internet router and the the PC's on the other side of the VPN hardware client can access the internet but when I run a trace route to ex. yahoo.com the trace stops at the vpn concentrators public address.

Just to clarify,

my orignal response was to have an "inside" router. The static commands should be entered on a second router. Just a very small inside router that only deals with your inside traffic. I am not saying that you can't get it done the way you are trying but I have always used a small router on the inside to accomplish this.

Hope this helps

Please remember to rate all replies

I am a little confused. We also have a PIX firewall with our router on the inside and all inside traffic is routed from this router to our internet router that is in a DMZ.

now we know that a pix is also part of the picture.

i strongly believe that it would be better if you can post a topology digram.