Problem with nat on stick (vpn client to cisco 1721)

carlos.serrano (Level 1)

Hello. Sorry for my poor English, but I need your help. I have a Cisco 1721 DSL with RFC 1483. The interface ATM0.1 has a public IP address. The Cisco is configured for remote access with the Cisco VPN client. The problem is that when I connect with the client without split tunneling I have full access to my network, although I don't have access to the Internet through my public IP address. I have read about NAT on a stick in the Cisco documentation (http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml) but I don't know how to implement this case in my router.


lgijssel (Level 9)

Please look (again) at the following:

http://www.cisco.com/application/pdf/en/us/guest/products/ps6659/c1650/cdccont_0900aecd80313bd6.pdf

I noticed that you used ACL nr 150, just as in the example. This might be a coincidence, or you probably already saw the document. I think it describes pretty much what you want to achieve.

Otherwise you may find more info at:

http://www.cisco.com/en/US/products/ps6659/products_ios_protocol_option_home.html

Regards,

Leo

Thanks Leo for your reply. You must understand that my idea is to go out to the Internet with the public IP of the Cisco 1721. The split tunneling is commented out in my attached message, if you have seen it! I know that it is possible to do it with NAT on a stick, but I don't know how to do it! Thanks :) and regards

I might not have gotten your point, but now I think I understand that you want to make a connection to the router (presumably over the Internet) with the VPN client, and that you want to access the Internet using the 1721 as next hop? It would be as if you were on the inside of the router? Is that correct?

Regards,

Leo

Hello again! Exactly Leo, I want to connect as if I were inside the router. If you have seen my first config, you can observe the PPTP configuration. If you connect to the Cisco 1721 with a PPTP client you will have full access to my LAN and you will have Internet access from my public IP address.

Thanks :)

I take it you have the VPN client and firewall features running OK.

I have an example where 192.168.0.0/24 is the inside address range and 192.168.1.0/24 is the VPN client address range.

!
interface Loopback0
 description Interface for VPN NAT
 ip address 10.0.1.1 255.255.255.252
 ip nat inside
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address dhcp
 ip nat outside
 ip policy route-map Nat-loop
!
ip local pool ourpool 192.168.1.1 192.168.1.254
ip nat inside source route-map Ethernet1 interface Ethernet1 overload
!
access-list 102 remark ** For VPN NAT loop **
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any 192.168.1.0 0.0.0.255
access-list 102 remark *** For VPN NAT loop ***
access-list 105 remark ** For NAT overload **
access-list 105 deny ip any 192.168.0.0 0.0.255.255
access-list 105 permit ip 192.168.0.0 0.0.255.255 any
access-list 105 remark *** For NAT overload ***
!
route-map Ethernet1 permit 10
 match ip address 105
 match interface Ethernet1
!
route-map Nat-loop permit 10
 match ip address 102
 set ip next-hop 10.0.1.2
!

So try and add:

access-list 101 permit ip any host 192.168.1.1 log

And change the route-map to this:

route-map vpn permit 10
 match ip address 101
 set ip next-hop 172.24.1.2

Please let me know what you think.

Hello tekna, thanks for your message. I have just seen it and I don't understand why in the route-map vpn you put "set ip next-hop 172.24.1.2". Why this IP address? This IP address is not declared on any loopback interface.

I have made the following:

interface Loopback1
 ip address 172.24.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 172.26.1.0 0.0.0.255
access-list 101 deny ip 172.26.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip any 192.168.1.0 0.0.0.255
!
route-map vpn permit 10
 match ip address 101
 set ip next-hop 172.24.1.2

When I have made these changes and connected with my VPN client, I still can't access the Internet. However, I can see in show route-map vpn how the packets arrive.

Router#show route-map
route-map vpn, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    ip next-hop 172.24.1.1
  Policy routing matches: 444 packets, 41375 bytes

The 172.24.1.2 IP is the "next-hop" of the Loopback1 interface. Don't worry, it's supposed to look strange.

In the show route-map vpn, you are supposed to have this:

  Set clauses:
    ip next-hop 172.24.1.2

And what is this: ip local policy route-map vpn?!? Please remove that.

Once you have connected the VPN client, please try a ping -t to some host on the Internet, and check the NAT table (sh ip nat trans) looking for that host.

Hello again. I must have done something wrong, because when I have connected to the router and I ping -t 150.214.20.1 (GRANADA UNIVERSITY OF SPAIN) there is no connection.

This is the configuration now:

Router#show run
Building configuration...

Current configuration : 3966 bytes
!
username XXXX privilege 15 password 7 XXXXX
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
aaa authentication login vpn local
aaa authorization network default local
aaa session-id common
ip subnet-zero
!
ip cef
ip ips po max-events 100
vpdn enable
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group casa
 key 6 kike
 dns 80.58.32.97
 domain lasgabias
 pool vpnpool
 ! acl 150 ##### ACCESS-LIST FOR SPLIT TUNNELING #####
 save-password
 include-local-lan
crypto isakmp profile vpnclient
 match identity group casa
 client authentication list vpn
 isakmp authorization list vpn
 client configuration address respond
!
crypto ipsec transform-set ENCRIPTA esp-3des esp-sha-hmac
!
crypto dynamic-map casa-dynamic 10
 set transform-set ENCRIPTA
 set isakmp-profile vpnclient
!
crypto map vpn 10 ipsec-isakmp dynamic casa-dynamic
!
interface Loopback0
 ip address 172.25.1.1 255.255.0.0
 no ip proxy-arp
!
interface Loopback1
 ip address 172.24.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface ATM0
 no ip address
 no atm auto-configuration
 no atm ilmi-keepalive
 no atm address-registration
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 bandwidth 1024
 ip address XXX.XXX.XXX.XXXX 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip policy route-map vpn
 crypto map vpn
 pvc 8/32
  encapsulation aal5snap
  max-reserved-bandwidth 100
!
interface FastEthernet0
 ip address 172.26.1.1 255.255.255.0
 ip helper-address 172.24.96.12
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 speed 100
!
ip local pool vpnpool 192.168.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
no ip http server
no ip http secure-server
ip nat inside source list 100 interface ATM0.1 overload
!
access-list 100 remark ### FOR LAN - NAT OVERLOAD ###
access-list 100 deny ip 172.26.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 172.25.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 172.24.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.26.1.0 0.0.0.255 any
access-list 100 permit ip 172.25.1.0 0.0.0.255 any
access-list 100 permit ip 172.24.1.0 0.0.0.255 any
access-list 101 remark #### FOR VPN CLIENT NAT ####
access-list 101 deny ip 192.168.1.0 0.0.0.255 172.26.1.0 0.0.0.255
access-list 101 deny ip 172.26.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip any 192.168.1.0 0.0.0.255
access-list 150 remark ### FOR SPLIT TUNNELING ###
access-list 150 permit ip 172.26.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 172.25.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 172.24.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
route-map vpn permit 10
 match ip address 101
 set ip next-hop 172.24.1.2
!
control-plane
!
line con 0
 password xxxx
 speed 115200
line aux 0
line vty 0 4
 privilege level 15
 password 7 XXXX
 transport input telnet ssh
!
ntp clock-period 17180035
end

###### THIS IS THE SHOW ROUTE-MAP when I have connected with the client

route-map vpn, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    ip next-hop 172.24.1.2
  Policy routing matches: 64 packets, 5322 bytes

####### AND THIS IS THE SHOW IP NAT TRANSLATIONS

Router#show ip nat translations include | 150.214.20.1
Router# .... nothing!

Thanks for all replies! :---)

Hmm OK.

Try and make your acl 101 look like this:

access-list 101 permit ip host 192.168.1.1 any log
access-list 101 permit ip any host 192.168.1.1 log

And what is this?

! acl 150 ##### ACCESS-LIST FOR SPLIT TUNNELING #####
save-password
include-local-lan

Are you sure you need that?

Then add the following line to acl 100:

access-list 100 permit ip host 192.168.1.1 any

How about now, is it working?

Are there any matches on acl 100 and 101?

And how about that sh ip nat trans | inc 150.214.20.1?
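As an added illustration (not code from this thread or from Cisco), a small Python model of the two ACL decisions a decrypted VPN-client packet meets on this router: the policy-route match against ACL 101 on ATM0.1, and then the NAT overload match against ACL 100 once the packet has looped back through Loopback1 (an "ip nat inside" interface). The ACLs are copied from the posted show run; 172.26.1.10 as a LAN host is a constructed address.

```python
import ipaddress
def wildcard_match(addr, base, wildcard):  # a 1 bit in the wildcard means "do not care"
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)
def _spec(t, i):  # consume one src/dst spec (any | host A | A WILDCARD) at t[i]
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2
def parse_acl(text):  # "access-list N permit|deny ip SRC DST [log]" -> (action, src, swc, dst, dwc)
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list" or t[2] == "remark":
            continue  # remarks never match traffic
        src, swc, i = _spec(t, 4)  # t[3] is the protocol keyword "ip"
        dst, dwc, _ = _spec(t, i)
        aces.append((t[2], src, swc, dst, dwc))
    return aces
def acl_permits(aces, src, dst):  # first match wins; no match is the implicit deny
    for action, s, swc, d, dwc in aces:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action == "permit"
    return False
# ACL 100 (NAT list) and ACL 101 (route-map vpn match list) as in the posted "show run"
ACL_100 = """
access-list 100 deny ip 172.26.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 172.25.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 172.24.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.26.1.0 0.0.0.255 any
access-list 100 permit ip 172.25.1.0 0.0.0.255 any
access-list 100 permit ip 172.24.1.0 0.0.0.255 any
"""
ACL_100_FIXED = ACL_100 + "access-list 100 permit ip host 192.168.1.1 any\n"  # the accepted fix
ACL_101 = """
access-list 101 deny ip 192.168.1.0 0.0.0.255 172.26.1.0 0.0.0.255
access-list 101 deny ip 172.26.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip any 192.168.1.0 0.0.0.255
"""
def vpn_client_path(src, dst, nat_acl):
    # decision 1: does route-map vpn on ATM0.1 send the packet to the Loopback1 next-hop?
    if not acl_permits(parse_acl(ACL_101), src, dst):
        return "routed normally (LAN-bound, no NAT)"
    # decision 2: after re-entering from an "ip nat inside" side, does list 100 translate it?
    if acl_permits(parse_acl(nat_acl), src, dst):
        return "policy-routed and translated to the ATM0.1 address"
    return "policy-routed but NOT translated (nothing in sh ip nat trans)"
```

With the posted ACL 100 the client's packet to 150.214.20.1 is policy-routed (hence the route-map match counters) but never translated, which is exactly the empty sh ip nat trans above; the single permit for host 192.168.1.1 closes that gap.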

Hello Tekna :) thanks for all your help! I have added access-list 100 permit ip host 192.168.1.1 any for the NAT and now I have access to the Internet with my VPN client.

Thanks :)

Best regards from Spain.

Take care

You are welcome, happy to have helped.
