05-15-2013 11:11 AM
Hi, I'm trying to configure an IPsec VPN profile that will tunnel all traffic through the VPN tunnel. This includes access to all Internet resources as well as Internet browsing traffic. So far I was able to get each kind of traffic through the tunnel on its own, but not both kinds through the tunnel at the same time.
Able to access the internal network but not the Internet:
tunnel-group TGN-AUS-3G type remote-access
tunnel-group TGN-AUS-3G general-attributes
address-pool TEST_SSL_IPSEC_POOL
authentication-server-group RADIUS-ACS
authentication-server-group (inside) RADIUS-ACS
secondary-authentication-server-group RADIUS-ACS
default-group-policy TGN-AUS-3G
password-management password-expire-in-days 2
tunnel-group TGN-AUS-3G ipsec-attributes
pre-shared-key *****
group-policy TGN-AUS-3G internal
group-policy TGN-AUS-3G attributes
dns-server value 10.2.4.11 10.9.6.11
vpn-access-hours none
vpn-simultaneous-logins 1
vpn-idle-timeout 30
vpn-session-timeout none
vpn-tunnel-protocol IPSec
group-lock value TGN-AUS-3G
split-tunnel-policy tunnelall
default-domain value test.net
vlan none
address-pools value TEST_SSL_IPSEC_POOL
#####################
Able to access the Internet but not internal networks:
tunnel-group TGN-AUS-3G type remote-access
tunnel-group TGN-AUS-3G general-attributes
address-pool TEST_SSL_IPSEC_POOL
authentication-server-group RADIUS-ACS
authentication-server-group (inside) RADIUS-ACS
secondary-authentication-server-group RADIUS-ACS
default-group-policy TGN-AUS-3G
password-management password-expire-in-days 2
tunnel-group TGN-AUS-3G ipsec-attributes
pre-shared-key *****
group-policy TGN-AUS-3G internal
group-policy TGN-AUS-3G attributes
dns-server value 10.2.4.11 10.9.6.11
vpn-access-hours none
vpn-simultaneous-logins 1
vpn-idle-timeout 30
vpn-session-timeout none
vpn-tunnel-protocol IPSec
group-lock value TGN-AUS-3G
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TGN-AUS-3G
default-domain value test.net
vlan none
address-pools value TEST_SSL_IPSEC_POOL
access-list TGN-AUS-3G standard permit any
Any ideas appreciated.
05-15-2013 01:02 PM
You want to do a full tunnel VPN then. Full tunnel VPN is the default. You will want to make sure that you have your NAT exemption policies setup correctly to allow the traffic from the internal subnets to your VPN subnet as well as having the correct NAT policy in place to allow VPN users to access the internet.
Try removing the split-tunnel configuration from both group policies.
05-16-2013 01:26 PM
Just tried with a brand-new, wizard-driven remote access setup and still no luck. I can access internal hosts but not the Internet.
Any ideas?
05-16-2013 01:39 PM
Hi,
You will have to make sure you have the "same-security-traffic permit intra-interface" configuration command in use. This will allow the traffic incoming on the "outside" interface to head out to Internet through "outside".
Naturally you also need NAT.
If you have, for example, this PAT now:
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
And your VPN pool is, for example, 192.168.10.0/24, then you need to add this:
nat (outside) 1 192.168.10.0 255.255.255.0
That is usually what you need.
- Jouni
Sent from Cisco Technical Support iPad App
05-16-2013 01:52 PM
Forgot to mention, I'm running the 8.4(5) version of code.
05-16-2013 01:58 PM
Hi,
Then the format is something like this:
object network VPN-NAT
subnet 192.168.10.0 255.255.255.0
nat (outside,outside) dynamic interface
Or
object-group network VPN-NAT
network-object 192.168.10.0 255.255.255.0
nat (outside,outside) after-auto source dynamic VPN-NAT interface
Still need the other configuration command I mentioned.
- Jouni
Sent from Cisco Technical Support iPad App
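The two answers from Jouni above (the "same-security-traffic permit intra-interface" command and the 8.4-style NAT for the VPN pool) together with the earlier reply about NAT exemption name four things a tunnel-all remote-access setup depends on. The script below is an added example and not part of this thread or of any Cisco tooling: it parses a constructed ASA 8.4-style snippet and reports which of the four requirements are present, so the "internal works, Internet does not" symptom from the question can be spotted in a config dump rather than by trial and error. The object names, the pool range and the 10.10.10.0/24 inside subnet are assumptions, and the parser only understands the subset of ASA syntax used in the sample.

```python
import ipaddress

# Constructed sample in ASA 8.4-style syntax (not from the thread). Object
# names, the pool range and the inside subnet are assumptions for this example.
GOOD_CONFIG = """\
same-security-traffic permit intra-interface
ip local pool TEST_SSL_IPSEC_POOL 192.168.10.1-192.168.10.254 mask 255.255.255.0
object network INSIDE-NET
 subnet 10.10.10.0 255.255.255.0
object network VPN-NAT
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-NAT VPN-NAT no-proxy-arp route-lookup
object network INSIDE-NET
 nat (inside,outside) dynamic interface
object network VPN-NAT
 nat (outside,outside) dynamic interface
group-policy TGN-AUS-3G internal
group-policy TGN-AUS-3G attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 address-pools value TEST_SSL_IPSEC_POOL
"""

# Same box without the hairpin permit and without the pool's outside NAT:
# the "internal works, Internet does not" symptom from the question.
BROKEN_CONFIG = "\n".join(
    l for l in GOOD_CONFIG.splitlines()
    if l != "same-security-traffic permit intra-interface"
    and l != " nat (outside,outside) dynamic interface"
)


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _ifaces(token):  # "(outside,outside)" -> ("outside", "outside")
    a, b = token.strip("()").split(",")
    return a, b


def _parse_twice_nat(parts):
    """Top-level 'nat (a,b) [after-auto] source ... [destination ...]' line."""
    rule = {"ifaces": _ifaces(parts[1]), "src": None, "dst": None}
    i = parts.index("source")
    rule["src"] = (parts[i + 1], parts[i + 2], parts[i + 3])  # type, real, mapped
    if "destination" in parts:
        j = parts.index("destination")
        rule["dst"] = (parts[j + 1], parts[j + 2], parts[j + 3])
    return rule


def parse_asa(config):
    """Collect the pieces of an ASA config that matter for a tunnel-all VPN."""
    cfg = {"hairpin": False, "pools": {}, "objects": {}, "twice_nat": [], "policies": {}}
    current = None  # (section kind, name) that indented lines belong to
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if not line.startswith(" "):  # top-level command
            current = None
            if parts == ["same-security-traffic", "permit", "intra-interface"]:
                cfg["hairpin"] = True
            elif parts[:2] in (["object", "network"], ["object-group", "network"]):
                current = ("object", parts[2])
                cfg["objects"].setdefault(parts[2], {"subnet": None, "nat": []})
            elif parts[:3] == ["ip", "local", "pool"]:
                cfg["pools"][parts[3]] = _net(parts[4].split("-")[0], parts[6])
            elif parts[0] == "nat":
                cfg["twice_nat"].append(_parse_twice_nat(parts))
            elif parts[0] == "group-policy" and parts[-1] == "attributes":
                current = ("policy", parts[1])
                cfg["policies"].setdefault(parts[1], {"split": "tunnelall", "pools": []})
        elif current:
            kind, name = current
            if kind == "object" and parts[0] in ("subnet", "network-object"):
                cfg["objects"][name]["subnet"] = _net(parts[1], parts[2])
            elif kind == "object" and parts[0] == "nat":  # object NAT
                cfg["objects"][name]["nat"].append(_ifaces(parts[1]))
            elif kind == "policy" and parts[0] == "split-tunnel-policy":
                cfg["policies"][name]["split"] = parts[1]
            elif kind == "policy" and parts[0] == "address-pools":
                cfg["policies"][name]["pools"] = parts[2:]
    return cfg


def _covers(cfg, obj_name, net):
    obj = cfg["objects"].get(obj_name)
    return obj is not None and obj["subnet"] is not None and net.subnet_of(obj["subnet"])


def _pool_natted_to_internet(cfg, net, outside):
    """Object NAT or twice NAT translating the pool when it hairpins outside->outside."""
    hairpin = (outside, outside)
    if any(hairpin in o["nat"] and net.subnet_of(o["subnet"])
           for o in cfg["objects"].values() if o["subnet"]):
        return True
    return any(r["ifaces"] == hairpin and r["src"][0] == "dynamic"
               and _covers(cfg, r["src"][1], net) for r in cfg["twice_nat"])


def _pool_exempt_from_inside_nat(cfg, net, inside, outside):
    """Identity (static X X ... static Y Y) rule so inside->pool traffic is not PATed."""
    for r in cfg["twice_nat"]:
        if r["ifaces"] != (inside, outside) or r["dst"] is None:
            continue
        s_type, s_real, s_mapped = r["src"]
        d_type, d_real, d_mapped = r["dst"]
        if s_type == d_type == "static" and s_real == s_mapped \
                and d_real == d_mapped and _covers(cfg, d_real, net):
            return True
    return False


def audit_full_tunnel(config, policy, inside="inside", outside="outside"):
    """Report which of the four tunnel-all requirements the config satisfies."""
    cfg = parse_asa(config)
    pol = cfg["policies"].get(policy, {"split": None, "pools": []})
    nets = [cfg["pools"][p] for p in pol["pools"] if p in cfg["pools"]]
    return {
        "tunnelall": pol["split"] == "tunnelall",
        "hairpin_permitted": cfg["hairpin"],
        "pool_natted_to_internet": bool(nets) and all(
            _pool_natted_to_internet(cfg, n, outside) for n in nets),
        "pool_exempt_from_inside_nat": bool(nets) and all(
            _pool_exempt_from_inside_nat(cfg, n, inside, outside) for n in nets),
    }


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, audit_full_tunnel(text, "TGN-AUS-3G"))
```

Run it against the output of `show running-config` instead of the embedded sample to check a real box; any False in the result points at the missing piece. Both of Jouni's 8.4 forms are recognised: object NAT under `object network VPN-NAT` and the twice-NAT `after-auto source dynamic VPN-NAT interface` line.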