08-16-2004 11:23 PM
Hi NetPros,
I've got an 836 which connects via an Easy VPN to a VPN Concentrator 3005. At first I configured the router to tunnel everything, but after encountering several difficulties I decided to do split tunneling.
The Problem is:
After activating split tunneling the router does NAT automatically (not configured) for the destinations that are not to be reached through the tunnel.
Is there any possibility to deactivate this dynamic NAT?
Cheers
Olaf
08-17-2004 12:24 AM
I have the same problem. It seems there is no elegant way to do this. As a workaround:
interface Loopback10
 ip address 10.1.1.1 255.255.255.255

interface FastEthernet0/0
 ip address 192.168.1.5 255.255.255.0
 ip policy route-map police
 crypto ipsec client ezvpn client1 inside

interface FastEthernet0/1
 ip address 172.16.1.5 255.255.255.0
 crypto ipsec client ezvpn client1

access-list 123 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 123 permit ip 192.168.1.0 0.0.0.255 any

route-map police permit 10
 match ip address 123
 set interface Loopback10
I.e., policy-route Internet traffic to Loopback10, which will not have "ip nat inside" defined by EzVPN.
Or, better call Cisco to enhance their EzVPN client.
HTH,
Oleg Tipisov,
REDCENTER,
Moscow
08-17-2004 12:33 AM
...I've got another workaround as well: ;-)
ip access-list extended vpn-in
 permit esp any any
 permit udp any any eq isakmp
 permit ahp any any
 permit ip 10.0.0.0 0.255.255.255 any
 permit icmp 10.0.0.0 0.255.255.255 any

ip access-list extended vpn-out
 permit ip any 10.0.0.0 0.255.255.255
 permit icmp any 10.0.0.0 0.255.255.255

interface dialer 1
 ip access-group vpn-in in
 ip access-group vpn-out out
08-17-2004 12:38 AM
Wow! This workaround definitely works too ;) !
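To see how the two workarounds in this thread behave for a given flow, here is an added Python model (not code from the thread or from Cisco) of access-list 123 with its route-map and of the vpn-out list: it evaluates Cisco wildcard masks first-match-wins with the implicit deny, and reports whether a flow would be policy-routed to Loopback10 (so it misses the EzVPN NAT) or, for the second workaround, whether the dialer's outbound list permits it at all. The addresses used in the test are constructed.

```python
import ipaddress

# Constructed model of the ACLs posted above; the protocol is a plain label,
# no real packets are parsed.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

ANY = ("0.0.0.0", "255.255.255.255")

# Entries as (action, protocol, src, src_wildcard, dst, dst_wildcard)
ACL_123 = [
    ("deny",   "ip", "192.168.1.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
    ("permit", "ip", "192.168.1.0", "0.0.0.255", *ANY),
]
VPN_OUT = [
    ("permit", "ip",   *ANY, "10.0.0.0", "0.255.255.255"),
    ("permit", "icmp", *ANY, "10.0.0.0", "0.255.255.255"),
]

def acl_action(acl, proto: str, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, p, s, swc, d, dwc in acl:
        proto_ok = p == "ip" or p == proto
        if proto_ok and wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"

def policy_route_target(src: str, dst: str):
    """route-map police permit 10: a flow permitted by ACL 123 is sent out
    Loopback10 (no 'ip nat inside' there); a denied flow falls through to
    the normal routing table, i.e. the EzVPN tunnel."""
    return "Loopback10" if acl_action(ACL_123, "ip", src, dst) == "permit" else None

def dialer_permits_out(proto: str, src: str, dst: str) -> bool:
    """Second workaround: vpn-out only lists 10.0.0.0/8 destinations, so any
    other destination hits the implicit deny on the dialer."""
    return acl_action(VPN_OUT, proto, src, dst) == "permit"
```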