Allow VPN Clients Internet Access Through A Separate Gateway

382pch101
Level 1

We have VPN clients connecting to a Cisco 2851 router; this is not our default Internet connection. We do not want to allow split tunneling. We want the VPN users to go out through our default Internet connection so that we can monitor their activity. Doing a tracert to an Internet address from a connected client, the first hop is the router to which it is connected, which then sends it directly out to the Internet port. I need to route those requests to my default Internet connection.

Thanks in advance

3 Replies

rahgovin
Level 4

So right now, is the Internet traffic from the client going through the VPN client interface? Could you post your relevant NAT and route configs?

Right now they have no Internet access and are only allowed to access internal resources.

Some of the relevant config:

crypto isakmp client configuration group admins
 key PW123
 dns 10.1.1.2 10.1.1.3
 domain classic.msad.com
 pool POOL_1
 netmask 255.255.255.0
!
ip local pool POOL_1 10.27.2.2 10.27.2.10
!
ip classless
ip route 0.0.0.0 0.0.0.0 216.255.103.1 permanent
ip route 10.1.1.0 255.255.255.0 10.27.1.1
ip route 10.1.10.0 255.255.255.0 10.27.1.1
ip route 10.27.5.0 255.255.255.0 10.27.1.1
ip route 10.30.1.0 255.255.255.0 10.27.1.1
ip route 10.31.1.0 255.255.255.0 10.27.1.1
ip route 10.31.2.0 255.255.255.0 10.27.1.1 permanent
ip route 10.35.1.0 255.255.255.0 10.27.1.1
ip route 10.36.2.0 255.255.255.0 10.27.1.1
ip route 10.27.4.0 255.255.255.0 10.27.1.1 permanent
!
interface GigabitEthernet0/0
 ip address 10.27.1.15 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description $ETH-WAN$
 ip address 216.225.103.101 255.255.255.0
 ip access-group vpn2 in
 ip mask-reply
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1

Thanks in advance

So here is what you need:

A route map on the outside interface sending all VPN traffic directed to anything other than internal resources to a loopback IP, and then take it from there.

So, the route map:

interface Loopback0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip access-list extended 150
 ! exempt VPN-client traffic bound for internal resources from policy routing
 deny ip 10.27.2.0 0.0.0.255 10.27.1.0 0.0.0.255
 ! everything else to or from the VPN client pool is policy-routed
 permit ip 10.27.2.0 0.0.0.255 any
 permit ip any 10.27.2.0 0.0.0.255
!
route-map VPN permit 10
 match ip address 150
 set ip default next-hop 192.168.1.1
!
interface GigabitEthernet0/1
 ip policy route-map VPN
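Before applying a policy route-map like the one above, it is worth confirming that the ACL's deny entries really exempt every internal destination the router reaches via 10.27.1.1; otherwise VPN-client traffic to those subnets is also diverted to the loopback. The script below is an added example, not code from the thread: it evaluates the route-map ACL with Cisco first-match semantics (wildcard masks, implicit deny) against the static routes posted earlier, using a constructed subset of those lines and an assumed client address from POOL_1.

```python
import ipaddress

# Constructed sample lines copied from the thread (a subset, not a full router config)
ACL_150 = """deny ip 10.27.2.0 0.0.0.255 10.27.1.0 0.0.0.255
permit ip 10.27.2.0 0.0.0.255 any
permit ip any 10.27.2.0 0.0.0.255"""
STATIC_ROUTES = """ip route 0.0.0.0 0.0.0.0 216.255.103.1 permanent
ip route 10.1.1.0 255.255.255.0 10.27.1.1
ip route 10.1.10.0 255.255.255.0 10.27.1.1
ip route 10.27.5.0 255.255.255.0 10.27.1.1"""


def take_net(fields):
    """Consume one ACL address spec ('any' or 'addr wildcard'); return (network, rest)."""
    if fields[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), fields[1:]
    # wildcard bits set to 1 are "don't care", so the netmask is the bitwise inverse
    mask = ~int(ipaddress.IPv4Address(fields[1])) & 0xFFFFFFFF
    net = ipaddress.IPv4Network((fields[0], str(ipaddress.IPv4Address(mask))), strict=False)
    return net, fields[2:]


def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines into (action, src_net, dst_net) tuples."""
    entries = []
    for line in text.strip().splitlines():
        action, _proto, *fields = line.split()
        src, fields = take_net(fields)
        dst, _ = take_net(fields)
        entries.append((action, src, dst))
    return entries


def acl_action(entries, src, dst):
    """First-match evaluation with the implicit deny at the end of every Cisco ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, sn, dn in entries:
        if s in sn and d in dn:
            return action
    return "deny"


def internal_prefixes_still_policy_routed(acl_text, routes_text, client_ip):
    """Internal static-route prefixes whose traffic from client_ip still matches a permit entry."""
    entries = parse_acl(acl_text)
    hits = []
    for line in routes_text.strip().splitlines():
        _, _, dest, mask, *_ = line.split()
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        # the default route is the Internet path, not an internal prefix, so skip /0
        if net.prefixlen and acl_action(entries, client_ip, str(net.network_address + 1)) == "permit":
            hits.append(str(net))
    return hits
```

An empty list from internal_prefixes_still_policy_routed means the deny entries cover every internal subnet; any prefix it returns needs its own deny line before the permit.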