IOS EasyVPN split tunneling - one way traffic issue

Hello group,

I have an EasyVPN server setup on my personal router (1861) so that I can access my home network when I am on the road. Apparently the Cisco VPN client and Windows 7 do not play nicely together, but I finally got my computer to nail up a tunnel and send encrypted traffic towards my router.

However, I am not able to reach anything on my local LAN (192.168.0.0/24) from my laptop over a VPN connection. I have tried ping, http, RDP, with no success. The internet is still browsable on the laptop because of the split tunneling. When I look at the status of the VPN connection from my laptop, I see sent/encrypted packets incrementing, but nothing received. I am using ZBFW and VTI with my VPN server. I did try disabling the ZBFW with the same results, in fact, I don't see anything in the log stating packets are dropped to/from the ezvpn zone.

I have been really racking my brains trying to get this working, so hopefully someone here can spot where I went wrong.

Here is a copy of my (messy) config file:

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname MyRouter

!

boot-start-marker

boot system flash flash:c1861-advipservicesk9-mz.124-24.T7.bin

boot-end-marker

!

! card type command needed for slot/vwic-slot 0/2

logging message-counter syslog

logging buffered 16384

no logging console

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

!

aaa session-id common

clock timezone Chicago -6

clock summer-time CDT recurring

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-1445602082

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1445602082

revocation-check none

rsakeypair TP-self-signed-1445602082

!

!

crypto pki certificate chain TP-self-signed-1445602082

certificate self-signed 01

  30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 31343435 36303230 3832301E 170D3132 30353239 31353039

  30315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34343536

  30323038 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100D465 136AB645 8BC3B71C ED37D188 C5379D34 11AC19A6 4E4CF964 E49FE347

  B5A81DED 59B4D5DA BF604557 2A4738A4 115AF64F 97BE7172 757D3EB1 26470703

  5E0A7BBD 86DF2ED0 4C828B08 C41C59BA FD7D967D 65433707 5A11A031 392138B8

  74638F73 D9169F6D 91F44800 B0766582 D5A765FA 9C480B41 9B8AC8DE 254151C3

  85670203 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603

  551D1104 1C301A82 18504F4C 4B2D4757 312E616A 73636872 6F656465 722E6E65

  74301F06 03551D23 04183016 80148FC0 A44BB98F 0CAC193F 68AD46BE 7B6E8BC9

  1FD3301D 0603551D 0E041604 148FC0A4 4BB98F0C AC193F68 AD46BE7B 6E8BC91F

  D3300D06 092A8648 86F70D01 01040500 03818100 0D300973 50FDB092 6AA75D95

  4DEE853D 6E19925B 0FECC24C D44ACCCC 73F30B84 665C8D76 E52409C7 6F219ECE

  38B583B1 0D0562E3 8336DB68 7FD4FF0A 2C0F00C6 57BBD31B 9830A8FE 95D92CDC

  9CBE3EA1 B703DA12 47676BCF 877373A1 07916A5A A7F6675B 2620EF9C 62D6C141

  21AB2701 7B17E18C E9582CB5 BD6D4952 277ED6D8

            quit

dot11 syslog

!

no ip source-route

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 172.16.0.254

ip dhcp excluded-address 192.168.248.251 192.168.248.254

ip dhcp excluded-address 192.168.208.254

ip dhcp excluded-address 192.168.0.251 192.168.1.254

!

ip dhcp pool Workstations

   import all

   network 192.168.0.0 255.255.255.0

   default-router 192.168.0.254

   domain-name example.com

   lease 3

!

ip dhcp pool Guest_DMZ

   network 172.16.0.0 255.255.255.0

   default-router 172.16.0.254

   dns-server 8.8.8.8 8.8.4.4

!

ip dhcp pool VoIP

   network 192.168.248.0 255.255.255.0

   default-router 192.168.248.254

   option 150 ip 192.168.248.254

!

!

no ip bootp server

ip domain name example.com

ip port-map user-xbl-ctrl-udp port udp 3074 description XBOX Live control protocol over UDP

ip port-map user-xbl-ctrl-tcp port tcp 3074 description XBOX Live control protocol over TCP

ip port-map user-xbl-auth port udp 88 description XBOX Live Authentication

ip ddns update method DynDNS

HTTP

  add http://username:password@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>

  remove http://username:password@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>

interval maximum 28 0 0 0

interval minimum 28 0 0 0

!

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

!

parameter-map type inspect audit

audit-trail on

!

!

!

voice service voip

allow-connections sip to sip

no supplementary-service sip moved-temporarily

no supplementary-service sip refer

fax protocol cisco

sip

  registrar server expires max 3600 min 3600

   outbound-proxy dns:pbxes.org

!

!

!

voice class codec 1

codec preference 3 g726r16

codec preference 4 g726r24

codec preference 5 g726r32

codec preference 6 g711alaw

codec preference 7 g711ulaw

!

!

!

!

!

!

!

!

!

!

!

!

!

!

voice-card 0

dsp services dspfarm

!

!

!

object-group network VoIP-Phones

192.168.248.0 255.255.255.0

!

!

spanning-tree vlan 2 priority 24576

spanning-tree vlan 3 priority 24576

spanning-tree vlan 4 priority 24576

vtp mode transparent

username XXXXXXXXXX privilege 15 password XXXXXXXXXXXXXX

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group EasyVPN-Group

key XXXXXXXXXXXXXX

pool SDM_POOL_1

acl ACL-Split-Tunnel

crypto isakmp profile ciscocp-ike-profile-1

   match identity group EasyVPN-Group

   client authentication list ciscocp_vpn_xauth_ml_1

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set transform-set ESP-3DES-SHA

set isakmp-profile ciscocp-ike-profile-1

!

!

archive

log config

  hidekeys

!

!

vlan 2

name LAN

!

vlan 3

name Guest_DMZ

!

vlan 4

name VoIP

!

ip tcp synwait-time 10

ip ftp username XXXXXXXXXXXXX

ip ftp password XXXXXXXXXXXXXXXX

ip ssh time-out 30

ip scp server enable

!

class-map type inspect sip match-any Disable-Strict-SIP-cmap

match  request method invite

match  protocol-violation

class-map type inspect match-any Traceroute-cmap

match access-group name Traceroute

class-map type inspect match-all Allow-NTP-cmap

match access-group name Allow-NTP

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any Allow-TFTP-out-cmap

match access-group name Allow-TFTP-out

class-map type inspect match-all RouterManagement

match access-group name RouterManagement

class-map type inspect match-any SIP-Traffic-cmap

match protocol sip

class-map type inspect match-any CME-Traffic-cmap

match protocol skinny

class-map type inspect match-any Protocol-P2P-cmap

match protocol edonkey signature

match protocol gnutella signature

match protocol kazaa2 signature

match protocol fasttrack signature

match protocol bittorrent signature

class-map type inspect match-all SDM_IP

match access-group name SDM_IP

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type inspect match-any Allow-DNS-cmap

match access-group name Allow-DNS

class-map type inspect match-all Allow-VPN-Outbound-cmap

match access-group name ACL-Allow-VPN-Outbound

class-map type inspect match-any Guest_DMZtoOutside-cmap

match protocol dns

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol http

match protocol tcp

match protocol udp

class-map type inspect match-any ICMPecho-cmap

match access-group name ICMPecho

class-map type inspect match-any Protocol-IM-cmap

match protocol ymsgr Yahoo-Servers

match protocol msnmsgr MSN-Servers

match protocol aol AOL-Servers

class-map type inspect match-all RouterDataTransfer

match access-group name RouterDataTransfer

class-map type inspect match-all DDNS-Update-cmap

match access-group name ACL-DDNS-Update

class-map type inspect match-any XBOX-class

match protocol user-xbl-ctrl-udp

match protocol user-xbl-ctrl-tcp

match protocol user-xbl-auth

class-map type inspect match-all InsideToOutside-HTTP-cmap

match protocol http

class-map type inspect match-any ICMPreply-cmap

match access-group name ICMPreply

class-map type inspect match-any Allow-DHCP-cmap

match access-group name Allow-DHCP

class-map type inspect match-any InsideToOutside-cmap

match protocol dns

match protocol https

match protocol ftp

match protocol icmp

match protocol imap

match protocol pop3

match protocol tcp

match protocol udp

class-map type inspect match-any Allow-TFTP-in-cmap

match access-group name Allow-TFTP-in

!

!

policy-map type inspect InsideToRouter-pmap

class type inspect ICMPecho-cmap

  inspect

class type inspect ICMPreply-cmap

  pass

class type inspect Allow-DHCP-cmap

  pass

class type inspect Allow-DNS-cmap

  inspect

class type inspect RouterManagement

  inspect

class type inspect Allow-NTP-cmap

  inspect

class class-default

  drop

policy-map type inspect RouterToInside-pmap

class type inspect ICMPecho-cmap

  inspect

class type inspect Traceroute-cmap

  inspect

class type inspect Allow-DHCP-cmap

  pass

class type inspect RouterDataTransfer

  inspect

class class-default

  drop

policy-map type inspect sip Disable-Strict-SIP-pmap

class type inspect sip Disable-Strict-SIP-cmap

  allow

policy-map type inspect Guest_DMZtoOutside-pmap

class type inspect Guest_DMZtoOutside-cmap

  inspect

class class-default

  drop

policy-map type inspect Guest_DMZtoRouter-pmap

class type inspect ICMPecho-cmap

  inspect

class type inspect ICMPreply-cmap

  pass

class type inspect Allow-DHCP-cmap

  pass

class class-default

  drop

policy-map type inspect OutsideToRouter-pmap

class type inspect SDM_EASY_VPN_SERVER_PT

  pass

class type inspect ICMPecho-cmap

  inspect

class type inspect ICMPreply-cmap

  pass

class type inspect Allow-DHCP-cmap

  pass

class type inspect Allow-DNS-cmap

  inspect

class class-default

  drop log

policy-map type inspect RouterToOutside-pmap

class type inspect ICMPecho-cmap

  inspect

class type inspect Traceroute-cmap

  inspect

class type inspect Allow-DHCP-cmap

  pass

class type inspect Allow-NTP-cmap

  inspect

class type inspect SIP-Traffic-cmap

  inspect

  service-policy sip Disable-Strict-SIP-pmap

class type inspect Allow-DNS-cmap

  inspect

class type inspect DDNS-Update-cmap

  pass

class type inspect Allow-VPN-Outbound-cmap

  pass

class class-default

  drop log

policy-map type inspect VoiceToRouter-pmap

class type inspect Allow-DHCP-cmap

  pass

class type inspect Allow-TFTP-in-cmap

  pass

class type inspect CME-Traffic-cmap

  inspect

class class-default

  drop log

policy-map type inspect RouterToVoice-pmap

class type inspect Allow-DHCP-cmap

  pass

class type inspect Allow-TFTP-out-cmap

  pass

class class-default

  drop log

policy-map type inspect RouterToGuest_DMZ-pmap

class type inspect ICMPecho-cmap

  inspect

class type inspect Traceroute-cmap

  inspect

class type inspect Allow-DHCP-cmap

  pass

class class-default

  drop

policy-map type inspect InsideToOutside-pmap

class type inspect XBOX-class

  inspect

class type inspect Protocol-IM-cmap

  inspect

class type inspect Protocol-P2P-cmap

  inspect

class type inspect InsideToOutside-cmap

  inspect

class class-default

  drop

policy-map type inspect OutsideToInside-pmap

class type inspect XBOX-class

  inspect

class class-default

  drop

policy-map type inspect sdm-permit-ip

class type inspect SDM_IP

  pass

class class-default

  drop log

!

zone security Inside

zone security Outside

zone security Guest_DMZ

zone security Voice

zone security ezvpn-zone

zone-pair security InsideToOutside source Inside destination Outside

service-policy type inspect InsideToOutside-pmap

zone-pair security OutsideToInside source Outside destination Inside

service-policy type inspect OutsideToInside-pmap

zone-pair security OutsideToRouter source Outside destination self

service-policy type inspect OutsideToRouter-pmap

zone-pair security Guest_DMZtoOutside source Guest_DMZ destination Outside

service-policy type inspect Guest_DMZtoOutside-pmap

zone-pair security Guest_DMZtoRouter source Guest_DMZ destination self

service-policy type inspect Guest_DMZtoRouter-pmap

zone-pair security RouterToGuest_DMZ source self destination Guest_DMZ

service-policy type inspect RouterToGuest_DMZ-pmap

zone-pair security InsideToRouter source Inside destination self

service-policy type inspect InsideToRouter-pmap

zone-pair security RouterToInside source self destination Inside

service-policy type inspect RouterToInside-pmap

zone-pair security VoiceToRouter source Voice destination self

service-policy type inspect VoiceToRouter-pmap

zone-pair security RouterToVoice source self destination Voice

service-policy type inspect RouterToVoice-pmap

zone-pair security sdm-zp-in-ezvpn1 source Inside destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-ezpn1 source Outside destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination Outside

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination Inside

service-policy type inspect sdm-permit-ip

zone-pair security RouterToOutside source self destination Outside

service-policy type inspect RouterToOutside-pmap

bridge irb

!

!

!

!

interface FastEthernet0/0

description Internet

ip ddns update hostname example.com

ip ddns update DynDNS host example.com

ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

zone-member security Outside

duplex auto

speed auto

auto discovery qos

!

interface FastEthernet0/1/0

switchport access vlan 2

!

interface FastEthernet0/1/1

switchport access vlan 2

!

interface FastEthernet0/1/2

switchport access vlan 2

switchport voice vlan 2590

!

interface FastEthernet0/1/3

switchport access vlan 2

switchport voice vlan 2590

!

interface FastEthernet0/1/4

switchport access vlan 2

switchport voice vlan 4

!

interface FastEthernet0/1/5

description AP2

switchport access vlan 2

!

interface FastEthernet0/1/6

switchport access vlan 2

switchport voice vlan 2590

!

interface FastEthernet0/1/7

description AP1

switchport trunk native vlan 2

switchport trunk allowed vlan 1-3,1002-1005

switchport mode trunk

!

interface FastEthernet0/1/8

switchport access vlan 2

switchport voice vlan 2590

!

interface Dot11Radio0/5/0

no ip address

shutdown

!

!

interface Virtual-Template1 type tunnel

ip unnumbered Vlan2

ip nat inside

ip virtual-reassembly

zone-member security ezvpn-zone

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface Vlan1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

shutdown

!

interface Vlan2

description $FW_INSIDE$

ip address 192.168.0.254 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly

zone-member security Inside

!

interface Vlan3

description Guest DMZ LAN

ip address 172.16.0.254 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

zone-member security Guest_DMZ

!

interface Vlan4

ip address 192.168.248.254 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

zone-member security Voice

!

ip local pool SDM_POOL_1 172.31.1.1 172.31.1.254

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 X.X.X.X

no ip http server

ip http authentication local

ip http secure-server

!

!

ip nat pool NAS-NAT-POOL 192.168.0.250 192.168.0.250 netmask 255.255.255.0 type rotary

ip nat inside source static tcp 192.168.0.242 3074 interface FastEthernet0/0 3074

ip nat inside source static udp 192.168.0.242 3074 interface FastEthernet0/0 3074

ip nat inside source static udp 192.168.0.242 88 interface FastEthernet0/0 88

ip nat inside source route-map NAT interface FastEthernet0/0 overload

ip nat inside destination list NAS-NAT pool NAS-NAT-POOL

!

ip access-list extended ACL-Allow-VPN-Outbound

permit udp any any eq isakmp

permit udp any eq isakmp any

permit udp any any eq non500-isakmp

permit udp any eq non500-isakmp any

ip access-list extended ACL-DDNS-Update

permit tcp any any eq www

permit tcp any any eq 443

ip access-list extended ACL-Split-Tunnel

permit ip 192.168.0.0 0.0.0.255 any

permit icmp 192.168.0.0 0.0.0.255 any

permit tcp 192.168.0.0 0.0.0.255 any

permit udp 192.168.0.0 0.0.0.255 any

ip access-list extended NAS-NAT

permit tcp any any range 6881 6889

permit udp any any eq 6881

ip access-list extended Allow-DHCP

permit udp any eq bootps any eq bootpc

permit udp any eq bootpc any eq bootps

permit udp any any eq bootpc

permit udp any any eq bootps

ip access-list extended Allow-DNS

permit udp any any eq domain

permit udp any eq domain any

permit udp any gt 1023 any eq domain

ip access-list extended Allow-NTP

permit udp any any eq ntp

ip access-list extended Allow-TFTP-in

remark CCP_ACL Category=16

permit udp object-group VoIP-Phones host 192.168.248.254

ip access-list extended Allow-TFTP-out

remark CCP_ACL Category=16

permit udp host 192.168.248.254 object-group VoIP-Phones

ip access-list extended ICMPecho

permit icmp any any echo

ip access-list extended ICMPreply

permit icmp any any host-unreachable

permit icmp any any port-unreachable

permit icmp any any ttl-exceeded

permit icmp any any packet-too-big

ip access-list extended Internal-Subnets

deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

permit ip 192.168.0.0 0.0.0.255 any

ip access-list extended RouterDataTransfer

permit tcp host 192.168.0.254 host 192.168.0.250 eq 22

permit tcp host 192.168.0.254 host 192.168.0.250 eq www

permit tcp host 192.168.0.254 host 192.168.0.250 eq 443

permit tcp host 192.168.0.254 host 192.168.0.250 eq ftp

permit tcp host 192.168.0.254 host 192.168.0.250 gt 1024

ip access-list extended RouterManagement

permit tcp any any eq 22

permit tcp any any eq 443

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_IP

remark CCP_ACL Category=1

permit icmp any any

permit udp any any

permit tcp any any

permit ip any any

ip access-list extended Traceroute

permit udp any range 32768 65535 any range 33434 33523

!

!

!

!

!

route-map NAT permit 10

match ip address Internal-Subnets

!

!

tftp-server flash:APPS-1.2.1.SBN alias APPS-1.2.1.SBN

tftp-server flash:/phone/7941-7961/apps41.9-1-1TH1-16.sbn alias apps41.9-1-1TH1-16.sbn

tftp-server flash:/phone/7941-7961/cnu41.9-1-1TH1-16.sbn alias cnu41.9-1-1TH1-16.sbn

tftp-server flash:/phone/7941-7961/cvm41sccp.9-1-1TH1-16.sbn alias cvm41sccp.9-1-1TH1-16.sbn

tftp-server flash:/phone/7941-7961/dsp41.9-1-1TH1-16.sbn alias dsp41.9-1-1TH1-16.sbn

tftp-server flash:/phone/7941-7961/jar41sccp.9-1-1TH1-16.sbn alias jar41sccp.9-1-1TH1-16.sbn

tftp-server flash:/phone/7941-7961/SCCP41.9-1-1SR1S.loads alias SCCP41.9-1-1SR1S.loads

tftp-server flash:/phone/7941-7961/term41.default.loads alias term41.default.loads

tftp-server flash:/phone/7941-7961/term61.default.loads alias term61.default.loads

!

control-plane

!

bridge 2 protocol ieee

bridge 2 route ip

bridge 3 protocol ieee

bridge 3 route ip

call threshold global cpu-avg low 68 high 75

call threshold global total-mem low 75 high 85

!

!

voice-port 0/0/0

!

voice-port 0/0/1

!

voice-port 0/0/2

!

voice-port 0/0/3

!

voice-port 0/1/0

!

voice-port 0/1/1

!

voice-port 0/1/2

!

voice-port 0/1/3

!

voice-port 0/4/0

auto-cut-through

signal immediate

input gain auto-control

description Music On Hold Port

!

!

mgcp fax t38 ecm

!

!

!

dial-peer voice 2 voip

description **Outgoing Call to SIP Trunk**

destination-pattern [2-9].........

voice-class codec 1

session protocol sipv2

session target sip-server

session transport udp

dtmf-relay rtp-nte

no vad

!

dial-peer voice 1 voip

description *** Incoming call to  - -- Generic -- - SIP Trunk ***

session protocol sipv2

session target sip-server

incoming called-number .T

!

dial-peer voice 3 voip

destination-pattern 1[2-9].........

session protocol sipv2

session target sip-server

!

!

sip-ua

credentials username XXXXXXXXXXX password XXXXXXXXXX realm pbxes.org

authentication username XXXXXXXXXXXXX password XXXXXXXXXXXX

timers connect 100

registrar dns:pbxes.org expires 3600

sip-server dns:pbxes.org

!

!

!

telephony-service

max-ephones 12

max-dn 48

ip source-address 192.168.248.254 port 2000

max-redirect 5

auto assign 1 to 10

load 7961 SCCP41.9-1-1SR1S

time-zone 8

time-format 24

date-format dd-mm-yy

max-conferences 4 gain -6

moh music-on-hold.au

transfer-system full-consult

create cnf-files version-stamp Jan 01 2002 00:00:00

!

!

ephone-dn  2

number 1001 no-reg both

name Joe User

!

!

ephone  1

device-security-mode none

mac-address 001D.A266.C871

type 7961

button  1:2

!

!

!

ephone  2

device-security-mode none

mac-address 0025.8417.68CB

type 7961

button  1:2

!

!

!

line con 0

exec-timeout 30 0

privilege level 15

logging synchronous

no modem enable

line aux 0

exec-timeout 30 0

line vty 0 4

exec-timeout 30 0

transport input ssh

!

ntp source FastEthernet0/0

ntp update-calendar

end
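The question above comes down to how the zone-based firewall treats the decrypted VPN traffic, so here is a small simulator of that logic, added as an example (it is not code from the thread or from Cisco). It parses the extended-ACL syntax the config uses, then walks a flow through zone-pair lookup with the three ZBFW actions: `pass` is stateless and covers one direction only, `inspect` creates state that admits the reply, and two zones with no zone-pair between them cannot talk at all. The zones, the four `sdm-zp-*` pairs and the `SDM_IP` ACL are taken from the posted config; `Virtual-Access1` is an assumed name for the interface IOS clones from `Virtual-Template1`, `Inside->Outside` is reduced to a single inspect class (the real `InsideToOutside-pmap` matches protocols rather than an ACL), session tracking ignores L4 ports, and the hosts `172.31.1.5`, `192.168.0.10` and `203.0.113.7` are constructed.

```python
import ipaddress
from collections import namedtuple

# A routed packet as ZBFW sees it: addresses, protocol, destination port, in/out interface.
Flow = namedtuple("Flow", "src dst proto dport in_if out_if")   # dport is None for icmp

def _parse_addr(t, i):
    """Consume one IOS address spec at t[i]: any | host A | A WILDCARD (contiguous only)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wild = int(ipaddress.ip_address(t[i + 1]))          # 0.0.0.255 -> /24, 0.0.0.0 -> /32
    return ipaddress.ip_network(f"{t[i]}/{32 - wild.bit_length()}", strict=False), i + 2

def _parse_ports(t, i):
    """Optional 'eq N' after an address; numeric ports only, returned as (lo, hi)."""
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]), int(t[i + 1])), i + 2
    return None, i

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> [eq N] <dst> [eq N]' lines; remarks are skipped."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "remark":
            continue
        src, i = _parse_addr(t, 2)
        _, i = _parse_ports(t, i)          # source ports consumed but not evaluated
        dst, i = _parse_addr(t, i)
        dports, _ = _parse_ports(t, i)
        entries.append((t[0], t[1], src, dst, dports))
    return entries

def acl_permits(entries, f):
    """First-match evaluation, ending in the implicit deny every IOS ACL has."""
    s, d = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    for action, proto, src, dst, dports in entries:
        if proto not in ("ip", f.proto) or s not in src or d not in dst:
            continue
        if dports and (f.dport is None or not dports[0] <= f.dport <= dports[1]):
            continue
        return action == "permit"
    return False

class ZoneFirewall:
    """Zone-pair lookup with pass / inspect / drop; sessions keyed on (src, dst, proto) only."""
    def __init__(self, zone_of_if, zone_pairs, acls):
        self.zone_of_if, self.zone_pairs, self.acls = zone_of_if, zone_pairs, acls
        self.sessions = set()

    def verdict(self, f):
        zin, zout = self.zone_of_if.get(f.in_if), self.zone_of_if.get(f.out_if)
        if zin == zout:                        # same zone (or both unzoned): no policy
            return "permit (same zone)"
        if (f.dst, f.src, f.proto) in self.sessions:
            return "permit (inspected session)"
        classes = self.zone_pairs.get((zin, zout))
        if classes is None:                    # zones with no zone-pair cannot talk
            return "drop (no zone-pair)"
        for acl_name, action in classes:       # class maps are tried in order
            if acl_permits(self.acls[acl_name], f):
                if action == "inspect":        # inspect installs state for the reply
                    self.sessions.add((f.src, f.dst, f.proto))
                return action                  # "pass" is stateless and one-way
        return "drop (class-default)"

# Constructed from the posted config; "Virtual-Access1" is an assumed name for the
# interface IOS clones from Virtual-Template1 when a client connects.
ZONE_OF_INTERFACE = {"FastEthernet0/0": "Outside", "Vlan2": "Inside", "Virtual-Access1": "ezvpn-zone"}
ACLS = {"SDM_IP": parse_acl("""
    permit icmp any any
    permit udp any any
    permit tcp any any
    permit ip any any""")}
# The four sdm-zp-* pairs (all 'pass' on SDM_IP) plus Inside->Outside reduced to one inspect class.
PASS_ANY = [("SDM_IP", "pass")]
ZONE_PAIRS = {("ezvpn-zone", "Inside"): PASS_ANY, ("Inside", "ezvpn-zone"): PASS_ANY,
              ("Outside", "ezvpn-zone"): PASS_ANY, ("ezvpn-zone", "Outside"): PASS_ANY,
              ("Inside", "Outside"): [("SDM_IP", "inspect")]}

def vpn_ping_both_ways(fw):
    """Echo from a pool address to a LAN host, then the echo-reply back over the VTI."""
    req = Flow("172.31.1.5", "192.168.0.10", "icmp", None, "Virtual-Access1", "Vlan2")
    rep = Flow("192.168.0.10", "172.31.1.5", "icmp", None, "Vlan2", "Virtual-Access1")
    return fw.verdict(req), fw.verdict(rep)

def pass_without_reverse_pair():
    """Same exchange minus the Inside->ezvpn-zone pair: 'pass' leaves no reply state."""
    pairs = {k: v for k, v in ZONE_PAIRS.items() if k != ("Inside", "ezvpn-zone")}
    return vpn_ping_both_ways(ZoneFirewall(ZONE_OF_INTERFACE, pairs, ACLS))

def inspect_creates_return_state():
    """HTTPS from the LAN to a constructed host: inspect admits the reply with no Outside->Inside pair."""
    fw = ZoneFirewall(ZONE_OF_INTERFACE, ZONE_PAIRS, ACLS)
    out = Flow("192.168.0.10", "203.0.113.7", "tcp", 443, "Vlan2", "FastEthernet0/0")
    back = Flow("203.0.113.7", "192.168.0.10", "tcp", 51234, "FastEthernet0/0", "Vlan2")
    return fw.verdict(out), fw.verdict(back)
```

With the config as posted, `vpn_ping_both_ways` returns `pass` in both directions, which matches what the poster saw: disabling ZBFW changed nothing because the `ezvpn-zone`/`Inside` pairs already pass everything, so the reply is being lost somewhere other than the firewall policy (crypto, routing back to the pool address, or the LAN host itself). Removing the reverse pair shows why `pass` policies need a zone-pair in each direction, while the `inspect` case shows the stateful alternative. On the router the equivalent checks are `show crypto ipsec sa` (the `#pkts decaps` counter should rise with the client's sent counter), `show ip route` for the client's pool address, and `show policy-map type inspect zone-pair` for the `sdm-zp-*` pairs, rather than relying on the ACL's own hit counters. One caveat worth noting: because `sdm-permit-ip` is `pass` on `permit ip any any`, the firewall applies no inspection and no restriction to anything a VPN client sends into the LAN; if that access should be limited, replace those classes with `inspect` on specific class maps.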


IOS EasyVPN split tunneling - one way traffic issue

ip access-list extended SDM_IP

remark CCP_ACL Category=1

permit icmp any any

permit udp any any

permit tcp any any

permit ip any any

Could you log all of the above and check again? Let's see if it is hitting the ACL at all.


IOS EasyVPN split tunneling - one way traffic issue

The router did not seem to like it when I tried to log the ACL:

MyRouter(config)#ip access-list extended SDM_IP

MyRouter(config-ext-nacl)# remark CCP_ACL Category=1

MyRouter(config-ext-nacl)# permit icmp any any log

class-map SDM_IP : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map SDM_IP will not work properly

MyRouter(config-ext-nacl)# permit udp any any log

class-map SDM_IP : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map SDM_IP will not work properly

MyRouter(config-ext-nacl)# permit tcp any any log

class-map SDM_IP : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map SDM_IP will not work properly

MyRouter(config-ext-nacl)# permit ip any any log

class-map SDM_IP : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map SDM_IP will not work properly

So I let it go through and it did not appear to hit the ACL either:

MyRouter#sho ip access-list | b SDM_IP

Extended IP access list SDM_IP

    10 permit icmp any any log

    20 permit udp any any log

    30 permit tcp any any log

    40 permit ip any any log

I have since taken the logging part off, since it didn't seem to have an effect.