cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
478
Views
0
Helpful
1
Replies
Tyson Joachims
Rising star

***Solved*** Split Tunnel networks not showing up on client PC - Router 3825 - DVTI ***Solved***

Attempting to create a remote access VPN for teleworker scenario using Cisco VPN Client on a laptop back to a Cisco 3825 router running (C3825-ADVENTERPRISEK9-M), Version 15.1(4)M12a. I've done this many times on ASA platforms but not on a router.

I've added the internal networks the client will access via the tunnel in an ACL which is applied under the "crypto isakmp client configuration group IPSEC". I can see the routes in my Cisco VPN Client if I go to statistics > routes but I don't see them listed if I open up a command prompt and do a "route print". I would normally see these routes if I was connecting to an ASA but not here.

What's odd is that I can ping the PC from a router on the network (10.0.63.2) just fine but if I initiate a ping to the same router from the PC, it times out. If I do a trace route to the router, I show traffic not entering the tunnel. A packet capture further verifies this.

If I manually add a route on the PC for 10.0.63.0/30 with the default gateway of 192.168.254.1 then I can ping the router from the PC. What I need is for the routes to automatically update on the PC when connected to the 3825 just like when I connect to an ASA.

Here is a copy of the config on the router:

aaa new model
aaa authentication login local_list local
aaa authentication network local_list local
!
object-group network LOCAL-LAN
10.0.61.0 255.255.255.0
10.0.62.0 255.255.255.0
10.0.63.0 255.255.255.252
!
class-map type inspect match-any INTERNET-TRAFFIC-CLASS
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol ntp
match protocol ssh
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect INTERNET-TRAFFIC-CLASS
inspect
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE-POLICY
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group IPSEC
 key ******************************
 pool VPN
 acl SPLIT-TUNNEL-LIST
 save-password
 netmask 255.255.255.240
!
crypto isakmp profile ISAKMP-PROFILE-1
match identity group IPSEC
client authentication list local_list
isakmp authorization list local_list
client configuration address respond
virtual-template 2
!
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC-PROFILE-1
set transform-set AES-256-SHA
!
interface GigabitEthernet0/0
 ip address 10.0.63.1 255.255.255.252
 ip nat inside
!
interface GigabitEthernet0/1
ip address 1.1.1.1 255.255.255.0
ip nat outside
zone-member security OUTSIDE
no cdp enable
!
interface Virtual-Template1
no ip address
!
interface Virtual-Template2 type tunnel
ip unnumbered GigabitEthernet0/1
zone-member security INSIDE
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-PROFILE-1
!
ip local pool VPN 192.168.254.1 192.168.254.14
!
ip nat inside source list LAN-NAT interface GigabitEthernet0/1 overload
!
ip access-list extended LAN-NAT
 permit ip object-group LOCAL-LAN any
ip access-list extended SPLIT-TUNNEL-LIST
 permit ip 10.0.63.0 0.0.0.3 any
 permit ip 10.0.62.0 0.0.0.255 any
 permit ip 10.0.61.0 0.0.0.255 any
<output omitted>
1 REPLY 1
Tyson Joachims
Rising star

For some reason the split tunnel will not work if you use a named access list. I changed to the following and the routes showed up on the PC

<output omitted>
crypto isakmp client configuration group IPSEC
acl 101
<output omitted>
access-list 101 extended 10.0.63.0 0.0.0.3 any
access-list 101 extended 10.0.62.0 0.0.0.255 any
access-list 101 extended 10.0.61.0 0.0.0.255 any
<output omitted>
Create
Recognize Your Peers
Content for Community-Ad