05-24-2013 07:41 AM - edited 02-21-2020 06:55 PM
Hi,
I've got a Cisco 1941 setup working fine for Cisco Anyconnect. Clients can connect to local resources fine. The issue I have is I need the remote clients to access a third party IP address but to do so they must do it through the VPN.
At the moment only local resources are accessed across the vpn and if they need internet they use their own internet connection they are connecting with.
I've added the below to make sure traffic going to the IP is going across the VPN:
svc split include 8.8.8.8 255.255.255.255
And indeed it does start to route it across the VPN if they try to go to 8.8.8.8 but it doesn't go any further. It doesn't look like the router is NATTING this out. I've added the VPN pool to my NAT access-list but still no go.
Any suggestions much appreciated.
Thanks
Andrew
05-24-2013 05:48 PM
Hello Andrew,
Can you provide the configuration so we can correlate what you are saying?
Regards
05-25-2013 07:15 AM
Thanks. I've attached the router config. I've changed the IPs for privacy's sake but otherwise it's as it is on the router.
So for anyone connecting remotely to this router via Cisco AnyConnect I want them to use the VPN to get to the internet IP 8.8.8.8.
Thanks Again
05-25-2013 02:39 PM
Hello Andrew,
What seems to me to be the issue is that you do not have any NAT statement for the traffic from the SVC client to 8.8.8.8.
Let's give it a try like this:
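! Loopback used as the NAT inside interface for policy-routed VPN traffic
interface loop 17
 ip add 192.168.115.1 255.255.255.0
 ip nat inside
!
! SVC_POOL stands for the AnyConnect address pool network and wildcard mask
ip access-list extended SVC_NAT
 permit ip SVC_POOL host 8.8.8.8
 deny ip any any
!
route-map test
 match ip address SVC_NAT
 set ip next-hop 192.168.115.1
!
interface giga 0/0
 ip policy route-map test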
I really hope this helps you.
Regards
05-30-2013 06:29 AM
Thanks for the help.
Unfortunately it didn't work in this case. I've applied your suggested configuration but the same issue applies.
I even tried applying the "ip nat inside" to the virtual interface as suggested on other Cisco documentation but this also didn't seem to work.
I think what I want to do is referred to as "Hairpin". I thought it would be a common requirement but I haven't had much luck finding solutions for IOS routers.
thanks again