SSL VPN on IOS, No Split Tunnel

xpresso01 (Level 1)

I've configured SSL VPN on an 1811 router running 12.4(9) IOS. I'm using the full SSL VPN client and do not want to split tunnel the traffic. I can reach my inside resources just fine, but I can not reach sites on the Internet. I want to tunnel my Internet traffic to the router and then have it hairpin out the same interface.

I've successfully configured this type of hairpinning on an ASA for SSL VPN, but have yet to find a way to do it in IOS. Does anyone have a sample config or suggestions?

4 Replies

amritpatek (Level 6)

Make use of the document "SSL VPN Client (SVC) on IOS with SDM Configuration Example"

http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a0080720346.shtml

Thanks. I've followed these instructions before, but the result was the same for me. I can reach internal resources, but hairpinning my traffic back out the outside interface to the Internet does not work. I'm still wondering if anyone actually has this operating in the way that I've described within their production environment.

Well, according to the logic used for bringing the traffic to the ASA outside interface,

what I did is NAT the local pool traffic on the outside interface as well.

So if we use the same concept on Cisco IOS we can also solve it:

ip nat inside source list "acl-matching-local-pool-network" interface "outside-interface" overload

See if this helps.

Can you please post your configuration? I am unable to access the inside resources from the SSL VPN users. I don't want to bring the Internet traffic towards the router, only the local LAN traffic from the remote SSL VPN users.

Regards,

jvalin

guibarati (Level 4)

For the traffic to be NATted on IOS it must traverse from an inside NAT interface to an outside NAT interface (or NAT-enabled interfaces).

You can try to create a loopback and set it as NAT inside, then direct the traffic from the VPN to the loopback as the next hop. If the traffic is going to the inside, the router will do that automatically; if it's going to the outside, it will NAT it.

You could use policy routing.

Not sure it will work, but it worked for me in similar situations.

Let us know if it worked and rate the post...
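One way to lay out the loopback plus policy-routing approach described above as an IOS configuration. This is an added example for this thread, not a config posted by anyone here or taken from Cisco. The interface names, the client pool, the inside LAN prefix and the loopback /30 are assumptions, as is the use of ip local policy to catch the decrypted SVC traffic on this 12.4 release.

```ios
! Added example. Assumed names and addresses:
!   FastEthernet0 = Internet-facing interface, Vlan1 = inside LAN 192.168.1.0/24,
!   SVC client pool 192.168.50.0/24, Loopback0 subnet 10.255.255.0/30.
ip local pool SVC-POOL 192.168.50.1 192.168.50.254
!
! Loopback that acts as the NAT "inside" interface for decrypted SVC traffic
interface Loopback0
 ip address 10.255.255.1 255.255.255.252
 ip nat inside
!
interface Vlan1
 ip nat inside
!
interface FastEthernet0
 ip nat outside
!
! Only SVC traffic bound for the Internet is pushed through the loopback;
! traffic for the inside LAN keeps its normal path.
ip access-list extended SVC-TO-INTERNET
 deny   ip 192.168.50.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 any
!
! Assumption: decrypted SVC packets are treated as router-originated here, so a
! local policy route-map is what sees them. The next hop is the other address in
! the loopback /30, so the packet is sent out Loopback0 and re-enters the routing
! path with Loopback0 (ip nat inside) as its ingress interface.
route-map SVC-HAIRPIN permit 10
 match ip address SVC-TO-INTERNET
 set ip next-hop 10.255.255.2
!
ip local policy route-map SVC-HAIRPIN
!
! PAT the client pool (and the inside LAN) to the outside interface address.
! Pool-to-LAN traffic never crosses an outside interface, so it is not translated.
ip access-list extended NAT-SOURCES
 permit ip 192.168.50.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-SOURCES interface FastEthernet0 overload
!
! Checks: "show ip nat translations" should show pool addresses translated to the
! FastEthernet0 address; "show route-map SVC-HAIRPIN" should show policy hits.
```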
