Setting up non split-tunneling access

endpoint
Level 1

Hi, I'm trying to configure an IPsec VPN profile that will tunnel all traffic through the VPN tunnel. This includes access to all internal resources as well as Internet browsing traffic. So far I was able to get each kind of traffic through the tunnel OK on its own, but not both kinds of traffic through the tunnel at the same time.

Able to access the internal network but not the Internet:

tunnel-group TGN-AUS-3G type remote-access
tunnel-group TGN-AUS-3G general-attributes
 address-pool TEST_SSL_IPSEC_POOL
 authentication-server-group RADIUS-ACS
 authentication-server-group (inside) RADIUS-ACS
 secondary-authentication-server-group RADIUS-ACS
 default-group-policy TGN-AUS-3G
 password-management password-expire-in-days 2
tunnel-group TGN-AUS-3G ipsec-attributes
 pre-shared-key *****
group-policy TGN-AUS-3G internal
group-policy TGN-AUS-3G attributes
 dns-server value 10.2.4.11 10.9.6.11
 vpn-access-hours none
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
 group-lock value TGN-AUS-3G
 split-tunnel-policy tunnelall
 default-domain value test.net
 vlan none
 address-pools value TEST_SSL_IPSEC_POOL

#####################

Able to access the Internet but not internal networks:

tunnel-group TGN-AUS-3G type remote-access
tunnel-group TGN-AUS-3G general-attributes
 address-pool TEST_SSL_IPSEC_POOL
 authentication-server-group RADIUS-ACS
 authentication-server-group (inside) RADIUS-ACS
 secondary-authentication-server-group RADIUS-ACS
 default-group-policy TGN-AUS-3G
 password-management password-expire-in-days 2
tunnel-group TGN-AUS-3G ipsec-attributes
 pre-shared-key *****
group-policy TGN-AUS-3G internal
group-policy TGN-AUS-3G attributes
 dns-server value 10.2.4.11 10.9.6.11
 vpn-access-hours none
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
 group-lock value TGN-AUS-3G
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TGN-AUS-3G
 default-domain value test.net
 vlan none
 address-pools value TEST_SSL_IPSEC_POOL

access-list TGN-AUS-3G standard permit any

Any ideas appreciated.

5 Replies

jj27
Spotlight

You want to do a full tunnel VPN then. Full tunnel VPN is the default. You will want to make sure that you have your NAT exemption policies set up correctly to allow the traffic from the internal subnets to your VPN subnet, as well as having the correct NAT policy in place to allow VPN users to access the Internet.

Try removing the split-tunnel configuration from both group policies.

Just tried with a brand-new, wizard-driven remote access setup and still no luck. I can access internal hosts but not the Internet.

Any ideas?

Hi,

You will have to make sure you have the "same-security-traffic permit intra-interface" configuration command in use. This will allow the traffic incoming on the "outside" interface to head out to Internet through "outside".

Naturally you also need NAT.

If you have, for example, this PAT now:

global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0

And your VPN pool is, for example, 192.168.10.0/24, then you need to add this:

nat (outside) 1 192.168.10.0 255.255.255.0

That is usually what you need.

- Jouni

Sent from Cisco Technical Support iPad App

Forgot to mention, I'm running the 8.4(5) version of code.

Hi,

Then the format is something like this:

object network VPN-NAT
subnet 192.168.10.0 255.255.255.0
nat (outside,outside) dynamic interface

Or

object-group network VPN-NAT
 network-object 192.168.10.0 255.255.255.0

nat (outside,outside) after-auto source dynamic VPN-NAT interface

Still need the other configuration command I mentioned.

- Jouni

Sent from Cisco Technical Support iPad App
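As an added example that is not part of the thread, a small Python audit that checks an ASA 8.4+ config for the three things the replies converge on for a full-tunnel profile: tunnelall in the group-policy with no split list, same-security-traffic permit intra-interface, and an outside-to-outside NAT (object NAT or twice NAT) that covers the VPN pool. The sample config is constructed from the names posted above; the pool subnet 192.168.10.0/24 and the object name VPN-NAT are the example values from the reply, not values from the original post.

```python
import ipaddress
import re

# Constructed sample: the tunnelall group-policy from the question plus the
# hairpin and 8.4-style object-NAT lines from the replies. The pool subnet
# (192.168.10.0/24) is the example value used in the reply, not from the post.
SAMPLE_CFG = """\
same-security-traffic permit intra-interface
ip local pool TEST_SSL_IPSEC_POOL 192.168.10.1-192.168.10.254 mask 255.255.255.0
object network VPN-NAT
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
group-policy TGN-AUS-3G attributes
 split-tunnel-policy tunnelall
 address-pools value TEST_SSL_IPSEC_POOL
"""

def parse_networks(cfg):
    """Map object names to subnets; collect objects carrying outside->outside object NAT."""
    nets, hairpin_objs, cur = {}, set(), None
    for line in cfg.splitlines():
        head = re.match(r"object(?:-group)? network (\S+)", line, re.I)
        net = re.match(r"\s+(?:subnet|network-object) (\S+) (\S+)", line)
        if head:
            cur = head.group(1)
        elif cur and net:
            nets[cur] = ipaddress.ip_network(f"{net.group(1)}/{net.group(2)}")
        elif cur and re.match(r"\s+nat \(outside,outside\) dynamic", line):
            hairpin_objs.add(cur)
        elif not line.startswith(" "):
            cur = None  # left the object block
    return nets, hairpin_objs

def audit_full_tunnel(cfg, policy, pool_name):
    """Return {check: bool} for the things a tunnelall group-policy needs."""
    m = re.search(rf"^ip local pool {pool_name} (\S+)-\S+ mask (\S+)", cfg, re.M)
    if not m:
        raise ValueError(f"pool {pool_name} not defined")
    pool = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    gp = re.search(rf"^group-policy {policy} attributes\n((?: .*\n)+)", cfg, re.M)
    body = gp.group(1) if gp else ""
    nets, hairpin_objs = parse_networks(cfg)
    # Twice-NAT form: nat (outside,outside) [after-auto] source dynamic OBJ interface
    for t in re.finditer(r"^nat \(outside,outside\) .*source dynamic (\S+)", cfg, re.M):
        hairpin_objs.add(t.group(1))
    return {
        "tunnelall": "split-tunnel-policy tunnelall" in body,
        "no_split_list": "split-tunnel-network-list" not in body,
        "intra_interface": "same-security-traffic permit intra-interface" in cfg,
        "pool_hairpin_nat": any(n in nets and pool.subnet_of(nets[n]) for n in hairpin_objs),
    }
```

Feed it the output of `show running-config`; any False in the result is the piece that leaves VPN users with either internal-only or Internet-only reachability, as described in the question.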