07-25-2008 12:09 PM
Hi
I think I have a quite basic problem and am just missing something stupid. I was wondering whether you could help me.
I have a PATed network with one external IP address. Clients receive IP addresses and can access network resources just fine. However, their internet connection drops.
I tried enabling split tunneling and it appears to work (the protected network shows up in the vpn client in statistics) and users are still able to access network resources. But still, no internet connection.
I have then checked with route print which is the default route. I found out that it looks like the VPN client adds a default route to its network and therefore routes all traffic there.
I have removed that route in Windows and it appears the internet connection is restored; that would be OK like that.
Now I was wondering what I need to change in the router configuration so that this route won't get created at all - any ideas?
I posted my configuration below, some ip addresses and other not so important parts were blanked out.
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
ip name-server DNSSERVEREXTERNAL
ip name-server DNSSERVEREXTERNAL
!
!
crypto pki trustpoint TP-self-signed-3575738758
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3575738758
revocation-check none
rsakeypair TP-self-signed-3575738758
!
!
crypto pki certificate chain TP-self-signed-3575738758
certificate self-signed 01
...
quit
username ....
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group DefaultVpnUsers
key our.key
pool SDM_POOL_1
acl 100
split-dns our.domain
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
interface FastEthernet0
description $ETH-WAN$
ip address EXTERNAL_IP 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.20
ip route 0.0.0.0 0.0.0.0 EXTERNAL_IP
!
!
no ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.0.3 25 interface FastEthernet0 25
ip nat inside source static tcp 192.168.0.3 443 interface FastEthernet0 443
!
access-list 1 remark INSIDE_IF=Vlan10
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=2
access-list 101 deny ip 192.168.0.0 0.0.0.255 host 192.168.2.1
...
access-list 101 deny ip 192.168.0.0 0.0.0.255 host 192.168.2.20
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
07-25-2008 12:15 PM
I forgot to say: the routes which are being created are
(Destination -> Mask -> Interface -> Metric)
0.0.0.0 -> 0.0.0.0 -> 192.168.2.2 -> 40
0.0.0.0 -> 0.0.0.0 -> 77.118.82.136 -> 41
Now if the route with the metric of 40 is deleted, everything works as expected. The 192.168.2.2 range is the one which is given out by the VPN server.
08-27-2008 06:25 PM
Did you ever figure this out? I am having similar issues.
08-28-2008 06:44 AM
Hello,
I think you will have to modify the ACL used for split tunneling. Do not use "any" in the split tunnel ACLs and then try again. This could be creating the default route. See the example below.
Split Tunneling
In order to enable split tunneling for the VPN connections, make sure you configure an access control list (ACL) on the router.
In this example, the access-list 102 command is associated with the group for split-tunneling purposes, and
the tunnel is formed to the 10.38.x.x/16 and 10.2.x.x/16 networks.
Traffic flows unencrypted to devices not in ACL 102 (for example, the Internet).
access-list 102 permit ip 10.38.0.0 0.0.255.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 10.2.0.0 0.0.255.255 10.1.1.0 0.0.0.255
Apply the ACL on the group properties.
crypto isakmp client configuration group vpngroup
key cisco123
dns 10.2.1.10
wins 10.2.1.20
domain cisco.com
pool ippool
acl 102
ip local pool ippool 10.1.1.100 10.1.1.200
HTH
Saju
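The rule of thumb in the answer above (no "any" in a split-tunnel ACL) is easy to check mechanically before pushing a config. The following script is an added example, not code from the thread or from Cisco: it parses the `crypto isakmp client configuration group` blocks and the numbered `access-list` entries out of a saved IOS running-config, resolves which ACL each group uses for split tunneling, and flags every `permit ip` entry whose source or destination is `any` (or a group that has no `acl` line at all, which means everything is tunnelled). The embedded config is a constructed sample trimmed from the two configs shown in this thread; the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: ACL 100 is the original poster's split-tunnel ACL,
# ACL 102 is the one from the answer. Not a live device config.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group DefaultVpnUsers
 key our.key
 pool SDM_POOL_1
 acl 100
 split-dns our.domain
!
crypto isakmp client configuration group vpngroup
 pool ippool
 acl 102
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 10.38.0.0 0.0.255.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 10.2.0.0 0.0.255.255 10.1.1.0 0.0.0.255
"""

GROUP_RE = re.compile(r"^crypto isakmp client configuration group (\S+)")
ANY = ("0.0.0.0", "255.255.255.255")  # how IOS represents the keyword 'any'


def parse_groups(config):
    """Map each client configuration group to the ACL named on its 'acl' line (None if absent)."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = None
            continue
        if current and line.startswith(" "):
            parts = line.split()
            if len(parts) == 2 and parts[0] == "acl":
                groups[current] = parts[1]
        elif not line.startswith(" "):
            current = None  # any unindented line ends the group block
    return groups


def _take_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens[i]
    if tok == "any":
        return ANY[0], ANY[1], i + 1
    if tok == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tok, tokens[i + 1], i + 2


def parse_acls(config):
    """Collect extended 'access-list N permit|deny ip SRC DST' entries, keyed by ACL number."""
    acls = defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        tokens = line.split()
        # Skip remarks, standard ACLs, non-IP entries and unrelated lines.
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        if tokens[2] not in ("permit", "deny"):
            continue
        try:
            src, src_wc, i = _take_addr(tokens, 4)
            dst, dst_wc, _ = _take_addr(tokens, i)
        except IndexError:
            continue  # malformed or truncated entry
        acls[tokens[1]].append(
            {"action": tokens[2], "src": (src, src_wc), "dst": (dst, dst_wc), "line": line}
        )
    return acls


def check_split_tunnel(config):
    """Return {group: [offending lines]}; an empty list means the split-tunnel ACL looks sane."""
    groups, acls = parse_groups(config), parse_acls(config)
    report = {}
    for group, acl in groups.items():
        if acl is None:
            report[group] = ["no 'acl' under the group: no split tunneling, all traffic is tunnelled"]
            continue
        findings = [e["line"] for e in acls.get(acl, [])
                    if e["action"] == "permit" and (e["src"] == ANY or e["dst"] == ANY)]
        if not acls.get(acl):
            findings.append(f"acl {acl} is referenced by the group but has no permit/deny ip entries")
        report[group] = findings
    return report


if __name__ == "__main__":
    for group, findings in check_split_tunnel(SAMPLE_CONFIG).items():
        status = "OK" if not findings else "CHECK"
        print(f"{status:5} {group}")
        for f in findings:
            print(f"       {f}")
```

Run against the sample, the script reports `DefaultVpnUsers` with the `permit ip 192.168.0.0 0.0.0.255 any` line and leaves `vpngroup` clean; feed it the output of `show running-config` to check a real router. It only understands numbered extended ACLs in the `access-list N ...` form, which is what both configs in this thread use.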