***Solved*** Split Tunnel networks not showing up on client PC - Router 3825 - DVTI ***Solved***
Attempting to create a remote access VPN for teleworker scenario using Cisco VPN Client on a laptop back to a Cisco 3825 router running (C3825-ADVENTERPRISEK9-M), Version 15.1(4)M12a. I've done this many times on ASA platforms but not on a router.
I've added the internal networks the client will access via the tunnel in an ACL which is applied under the "crypto isakmp client configuration group IPSEC". I can see the routes in my Cisco VPN Client if I go to statistics > routes but I don't see them listed if I open up a command prompt and do a "route print". I would normally see these routes if I was connecting to an ASA but not here.
What's odd is that I can ping the PC from a router on the network (10.0.63.2) just fine, but if I initiate a ping to the same router from the PC, it times out. If I do a traceroute to the router, I show traffic not entering the tunnel. A packet capture further verifies this.
If I manually add a route on the PC for 10.0.63.0/30 with the default gateway of 192.168.254.1, then I can ping the router from the PC. What I need is for the routes to automatically update on the PC when connected to the 3825, just like when I connect to an ASA.
Here is a copy of the config on the router:
aaa new-model
aaa authentication login local_list local
aaa authentication network local_list local
!
object-group network LOCAL-LAN
 10.0.61.0 255.255.255.0
 10.0.62.0 255.255.255.0
 10.0.63.0 255.255.255.252
!
class-map type inspect match-any INTERNET-TRAFFIC-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
 match protocol ntp
 match protocol ssh
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
 class type inspect INTERNET-TRAFFIC-CLASS
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE-POLICY
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group IPSEC
 key ******************************
 pool VPN
 acl SPLIT-TUNNEL-LIST
 save-password
 netmask 255.255.255.240
!
crypto isakmp profile ISAKMP-PROFILE-1
 match identity group IPSEC
 client authentication list local_list
 isakmp authorization list local_list
 client configuration address respond
 virtual-template 2
!
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC-PROFILE-1
 set transform-set AES-256-SHA
!
interface GigabitEthernet0/0
 ip address 10.0.63.1 255.255.255.252
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 18.104.22.168 255.255.255.0
 ip nat outside
 zone-member security OUTSIDE
 no cdp enable
!
interface Virtual-Template1
 no ip address
!
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/1
 zone-member security INSIDE
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE-1
!
ip local pool VPN 192.168.254.1 192.168.254.14
!
ip nat inside source list LAN-NAT interface GigabitEthernet0/1 overload
!
ip access-list extended LAN-NAT
 permit ip object-group LOCAL-LAN any
ip access-list extended SPLIT-TUNNEL-LIST
 permit ip 10.0.63.0 0.0.0.3 any
 permit ip 10.0.62.0 0.0.0.255 any
 permit ip 10.0.61.0 0.0.0.255 any
<output omitted>
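As an added diagnostic example (not part of the original post, and not Cisco code): a small Python script that parses the SPLIT-TUNNEL-LIST entries from the config above into the prefixes the VPN client should install, compares them against a Windows "route print" table, and answers whether a given destination (10.0.63.2 from the post) ought to be sent into the tunnel. It also handles "permit ip host X any" entries, which the post's ACL does not use. The ACL text and the two route tables are constructed samples modelled on the post; the function names and the extra route line for the "after" table are assumptions.

```python
import ipaddress
import re

# Constructed sample: the SPLIT-TUNNEL-LIST block as it appears in the router config.
SPLIT_TUNNEL_ACL = """\
ip access-list extended SPLIT-TUNNEL-LIST
 permit ip 10.0.63.0 0.0.0.3 any
 permit ip 10.0.62.0 0.0.0.255 any
 permit ip 10.0.61.0 0.0.0.255 any
"""

# Constructed sample of the client's 'route print' table while connected, showing the
# symptom from the post: the pool subnet is present but no route for the 10.0.6x networks.
ROUTE_PRINT_BEFORE = """\
IPv4 Route Table
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.50     25
    192.168.254.0  255.255.255.240         On-link  192.168.254.1    281
"""

# Constructed: the same table after the manual route add described in the post.
ROUTE_PRINT_AFTER = ROUTE_PRINT_BEFORE + \
    "        10.0.63.0  255.255.255.252    192.168.254.1  192.168.254.1     26\n"

# 'permit ip <net> <wildcard> any' or 'permit ip host <addr> any'. The destination is
# 'any' because on IOS the split-tunnel ACL source is the network behind the router.
ACE_RE = re.compile(r"^\s*permit\s+ip\s+(?:host\s+(\S+)|(\S+)\s+(\S+))\s+any\s*$")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS address/wildcard pair into a prefix (0.0.0.3 -> /30).
    A non-contiguous wildcard cannot be expressed as a route; ipaddress rejects it."""
    mask_int = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(mask_int))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def split_tunnel_networks(acl_text: str) -> list:
    """Networks the client is expected to route into the tunnel, in ACL order."""
    nets = []
    for line in acl_text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # ACL header, remarks, deny entries, etc.
        host, addr, wildcard = m.groups()
        if host:
            nets.append(ipaddress.IPv4Network(f"{host}/32"))
        else:
            nets.append(wildcard_to_network(addr, wildcard))
    return nets


def installed_routes(route_print_text: str) -> set:
    """Prefixes present in 'route print' output (destination and netmask columns)."""
    routes = set()
    for line in route_print_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            routes.add(ipaddress.IPv4Network(f"{fields[0]}/{fields[1]}", strict=False))
        except ValueError:
            continue  # header or other non-route line
    return routes


def missing_routes(acl_text: str, route_print_text: str) -> list:
    """Split-tunnel networks the client has NOT installed. A non-empty list is the
    symptom in the post: traffic to those networks leaves via the default gateway."""
    have = installed_routes(route_print_text)
    return [n for n in split_tunnel_networks(acl_text) if n not in have]


def should_tunnel(dest: str, acl_text: str) -> bool:
    """Would the router's split-tunnel policy put traffic to `dest` into the tunnel?"""
    ip = ipaddress.IPv4Address(dest)
    return any(ip in n for n in split_tunnel_networks(acl_text))


if __name__ == "__main__":
    for n in split_tunnel_networks(SPLIT_TUNNEL_ACL):
        print(f"expected client route: {n.network_address} {n.netmask} via 192.168.254.1")
    print("missing before manual route add:",
          missing_routes(SPLIT_TUNNEL_ACL, ROUTE_PRINT_BEFORE))
    print("missing after manual route add: ",
          missing_routes(SPLIT_TUNNEL_ACL, ROUTE_PRINT_AFTER))
```

Paste the real ACL and the real "route print" output into the two constants to get the same comparison for a live client; any network listed as missing is one whose traffic the Cisco VPN Client statistics may show as a tunnelled route while the PC's routing table still sends it out the default gateway.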