07-30-2010 07:11 AM
We have VPN clients connecting to a Cisco 2851 router; this is not our default Internet connection. We do not want to allow split tunneling. We want the VPN users to go out through our default Internet connection so that we can monitor their activity. Doing a tracert to an Internet address from a connected client, the first hop is the router to which it is connected, which then sends it directly out to the Internet port. I need to route those requests to my default Internet connection.
Thanks in advance
07-30-2010 07:24 AM
So right now, is the Internet traffic from the client going through the VPN client interface? Could you post your relevant NAT and route configs?
07-30-2010 07:58 AM
Right now they have no Internet access and are only allowed to access internal resources.
Some of the relevant config:

crypto isakmp client configuration group admins
 key PW123
 dns 10.1.1.2 10.1.1.3
 domain classic.msad.com
 pool POOL_1
 netmask 255.255.255.0
!
ip local pool POOL_1 10.27.2.2 10.27.2.10
!
ip classless
ip route 0.0.0.0 0.0.0.0 216.255.103.1 permanent
ip route 10.1.1.0 255.255.255.0 10.27.1.1
ip route 10.1.10.0 255.255.255.0 10.27.1.1
ip route 10.27.5.0 255.255.255.0 10.27.1.1
ip route 10.30.1.0 255.255.255.0 10.27.1.1
ip route 10.31.1.0 255.255.255.0 10.27.1.1
ip route 10.31.2.0 255.255.255.0 10.27.1.1 permanent
ip route 10.35.1.0 255.255.255.0 10.27.1.1
ip route 10.36.2.0 255.255.255.0 10.27.1.1
ip route 10.27.4.0 255.255.255.0 10.27.1.1 permanent
!
interface GigabitEthernet0/0
 ip address 10.27.1.15 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description $ETH-WAN$
 ip address 216.225.103.101 255.255.255.0
 ip access-group vpn2 in
 ip mask-reply
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
Thanks in advance
07-30-2010 11:13 AM
So here is what you need: a route map on the outside interface sending all VPN traffic directed to anything other than internal resources to a loopback IP, and then take it from there.

So, route map:

! Loopback that the decrypted VPN traffic is policy-routed to; marked NAT inside
int loopback 0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! VPN pool traffic to anything except the internal LAN
ip access-list extended 150
 deny ip 10.27.2.0 0.0.0.255 10.27.1.0 0.0.0.255
 permit ip 10.27.2.0 0.0.0.255 any
 permit ip any 10.27.2.0 0.0.0.255
!
route-map VPN permit 10
 match ip address 150
 set ip default next-hop 192.168.1.1
!
! Policy routing is applied with "ip policy route-map" on the crypto interface
int gig0/1
 ip policy route-map VPN
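A complete version of the policy-routing approach aimed at what the original poster asked for (sending client Internet traffic to the monitored gateway rather than out Gi0/1), as an added example and not configuration posted in this thread. It assumes the monitored Internet gateway is 10.27.1.1 via Gi0/0 (the next hop of every internal static route above), that all internal resources sit inside 10.0.0.0/8, and that the internal network routes 10.27.2.0/24 back to this router at 10.27.1.15.

```cisco
! Added example, not the configuration posted in this thread.
! Assumptions: the monitored Internet gateway is 10.27.1.1 (reachable via Gi0/0),
! all internal resources are inside 10.0.0.0/8, and the internal network has a
! return route for 10.27.2.0/24 pointing at this router (10.27.1.15).
!
! Match traffic sourced from the VPN client pool, except traffic to internal networks.
ip access-list extended VPN_TO_INTERNET
 deny   ip 10.27.2.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.27.2.0 0.0.0.255 any
!
! Send matching client traffic to the internal gateway instead of letting it
! follow the 0.0.0.0/0 route out Gi0/1. "set ip next-hop" applies regardless
! of the routing table; "set ip default next-hop" would also work here because
! Internet destinations only match the default route.
route-map VPN_TO_INTERNET permit 10
 match ip address VPN_TO_INTERNET
 set ip next-hop 10.27.1.1
!
! Decrypted VPN client packets are processed as if received on the crypto
! interface, so the policy is applied on Gi0/1, not Gi0/0.
interface GigabitEthernet0/1
 ip policy route-map VPN_TO_INTERNET
!
! Verification: the policy match counter should increase while a client browses.
! show route-map VPN_TO_INTERNET
```

Because the traffic leaves through Gi0/0 (already NAT inside) rather than back out the NAT-outside interface, the loopback and NAT step from the answer above is not needed; that step is only required when client traffic must hairpin out Gi0/1 itself.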