In setting up an 871 with an EZVPN connection back to an ASA 5520 I have set up VLAN 1 for corporate traffic and VLAN 2 for Home traffic. The ports that are members of VLAN 1 can access corporate resources along with accessing internet resources (split tunneling). From the member ports of VLAN 2 I am not able to access the internet or obtain a NAT translation. This being issue one. Not sure if this is related or not, but in adding a default route with "ip route 0.0.0.0 0.0.0.0 fast ethernet 4" all routing on the inside is cut off from the outside.
The main question is: Is there a different way the 871 is using by default to handle how the vlans are passing the traffic to the outside and is there an easy way to set it up?
The configuration is as follows:
version 12.4
crypto ipsec client ezvpn CorpEZVPN
connect auto
group CorpEZVPN key supersecretpassword
mode network-extension
peer x.x.x.x
username CorpEZVPN password supersecure
xauth userid mode local
!
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.31.0.17
ip dhcp excluded-address 10.231.0.1
!
ip dhcp pool corpCLIENT
network 10.31.0.16 255.255.255.240
dns-server 12.17.10.11 12.17.10.16 72.21.224.3
domain-name corp.com
default-router 10.31.0.17
option 150 ip 172.17.12.25
lease 0 2
!
ip dhcp pool HomeCLIENT
network 10.231.0.16 255.255.255.240
dns-server 72.21.224.3 72.21.224.93
default-router 10.231.0.17
lease 0 2
!
!
ip cef
no ip bootp server
!
no ipv6 cef
!
username corp password somepassword
archive
log config
hidekeys
!
interface FastEthernet0
description <-- Corp Port 1 -->
load-interval 30
auto qos voip trust
no cdp enable
service-policy output AutoQoS-Policy-Trust
hold-queue 100 out
!
interface FastEthernet1
description <-- Corp Port 2 -->
auto qos voip trust
no cdp enable
service-policy output AutoQoS-Policy-Trust
!
interface FastEthernet2
description <-- Home Port 1 -->
switchport access vlan 10
no cdp enable
!
interface FastEthernet3
description <-- Home Port 2 -->
switchport access vlan 10
no cdp enable
!
interface FastEthernet4
description Outside Interface (Internet)
bandwidth 512
ip address dhcp
no ip redirects
no ip unreachables
ip mtu 1200
ip nat outside
ip inspect Soho_Out in
ip inspect Soho_In out
ip virtual-reassembly
ip tcp adjust-mss 542
load-interval 30
duplex auto
speed auto
auto qos voip trust
no cdp enable
crypto ipsec client ezvpn corpEZVPN
service-policy output AutoQoS-Policy-Trust
!
interface Vlan1
description CORP LAN
ip address 10.31.0.17 255.255.255.240
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 542
crypto ipsec client ezvpn corpezvpn inside
!
interface Vlan10
description Home LAN
ip address 10.231.0.17 255.255.255.240
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 542
!
ip forward-protocol nd
!
!
ip dns server view-group ezvpn-internal-viewlist
ip nat inside source route-map CorpEZVPN-rm interface FastEthernet4 overload
!
ip sla logging traps
access-list 10 deny 10.231.0.16 0.0.0.15
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 172.16.0.0 0.15.255.255
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 120 deny ip 10.31.0.16 0.0.0.16 10.0.0.0 0.255.255.255
access-list 120 deny ip 10.31.0.16 0.0.0.16 172.16.0.0 0.15.255.255
access-list 120 deny ip 10.31.0.16 0.0.0.16 192.168.0.0 0.0.255.255
access-list 120 permit ip 10.31.0.16 0.0.0.16 any
access-list 120 permit ip 10.231.0.16 0.0.0.16 any
access-list 121 permit ip 10.0.0.0 0.255.255.255 any
access-list 121 permit ip 172.16.0.0 0.15.255.255 any
access-list 121 permit ip 192.168.0.0 0.0.255.255 any
no cdp run
!
!
!
route-map CorpEZVPN-rm permit 1
match ip address 120
!
!
control-plane
!
!
line con 0
exec-timeout 15 0
no modem enable
line aux 0
webvpn cef
end
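As an added example (not code from the original post), the script below applies IOS wildcard-mask semantics to the posted ACL 120, the ACL that route-map CorpEZVPN-rm uses to decide which inside sources get a NAT translation on FastEthernet4, and lists which hosts from the two DHCP pools actually match it. The destination 198.51.100.10 and the ACL_120_FIXED variant (same entries with a 0.0.0.15 source wildcard) are constructed for illustration, not taken from the post.

```python
import ipaddress

# Entries of ACL 120 as posted: (action, src base, src wildcard, dst base, dst wildcard).
# "any" is written as 0.0.0.0 255.255.255.255, which is how IOS stores it.
ACL_120 = [
    ("deny",   "10.31.0.16",  "0.0.0.16", "10.0.0.0",    "0.255.255.255"),
    ("deny",   "10.31.0.16",  "0.0.0.16", "172.16.0.0",  "0.15.255.255"),
    ("deny",   "10.31.0.16",  "0.0.0.16", "192.168.0.0", "0.0.255.255"),
    ("permit", "10.31.0.16",  "0.0.0.16", "0.0.0.0",     "255.255.255.255"),
    ("permit", "10.231.0.16", "0.0.0.16", "0.0.0.0",     "255.255.255.255"),
]
# Constructed variant: same entries with the /28 wildcard 0.0.0.15 on the source side.
ACL_120_FIXED = [(a, sb, "0.0.0.15", db, dw) for a, sb, _, db, dw in ACL_120]

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    w = _ip(wildcard)
    return (_ip(addr) & ~w & 0xFFFFFFFF) == (_ip(base) & ~w & 0xFFFFFFFF)

def acl_action(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def wildcard_hosts(base, wildcard):
    """Enumerate every address a base/wildcard pair covers (fine for small wildcards)."""
    b, w = _ip(base), _ip(wildcard)
    free_bits = [1 << i for i in range(32) if w & (1 << i)]
    hosts = []
    for n in range(1 << len(free_bits)):  # one combination per subset of free bits
        v = b & ~w & 0xFFFFFFFF
        for i, bit in enumerate(free_bits):
            if n & (1 << i):
                v |= bit
        hosts.append(v)
    return [str(ipaddress.IPv4Address(v)) for v in sorted(hosts)]

def translated_hosts(pool_cidr, acl, dst="198.51.100.10"):
    """Hosts of a DHCP pool that the route-map ACL permits (and so NATs) toward dst."""
    net = ipaddress.IPv4Network(pool_cidr)
    return [str(h) for h in net.hosts() if acl_action(acl, str(h), dst) == "permit"]

if __name__ == "__main__":
    print("10.231.0.16 0.0.0.16 covers:", wildcard_hosts("10.231.0.16", "0.0.0.16"))
    for pool in ("10.31.0.16/28", "10.231.0.16/28"):
        print(pool, "as posted:", translated_hosts(pool, ACL_120))
        print(pool, "with 0.0.0.15:", len(translated_hosts(pool, ACL_120_FIXED)), "hosts")
```

Run it and compare the "as posted" lists with the "with 0.0.0.15" counts to see which pool hosts each wildcard really covers.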