10-20-2014 04:04 AM
Hi,
I am using Cisco AWS router with version 15.4. I have set up a Remote access VPN and it's working fine with split tunneling, but if I set up a VPN to tunnel all the traffic (including Internet) it's not working, meaning I am not able to access the internet.
Internal Network - 10.0.1.0 0.0.0.255
VPN Pool - 192.168.10.2 - 192.168.10.10
External interface - GigabitEthernet1
Inside Interface - GigabitEthernet2
crypto isakmp policy 12
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group awcvpn
 key Cisco123
 pool vpnpool
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map awpmap client authentication list vpnauthn
crypto map awpmap isakmp authorization list vpnauthr
crypto map awpmap client configuration address respond
crypto map awpmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface VirtualPortGroup0
 ip unnumbered GigabitEthernet1
!
interface GigabitEthernet1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 ip policy route-map VPN-Client
 negotiation auto
 crypto map awpmap
!
interface GigabitEthernet2
 ip address 10.0.1.105 255.255.255.0
 ip nat inside
 negotiation auto
!
!
virtual-service csr_mgmt
!
ip local pool vpnpool 192.168.10.2 192.168.10.10
ip nat inside source list 111 interface GigabitEthernet1 overload
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
access-list 111 deny ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 permit ip 10.0.1.0 0.0.0.255 any
access-list 111 deny ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 111 permit ip 192.168.10.0 0.0.0.255 any
access-list 144 permit ip 192.168.10.0 0.0.0.255 any
!
route-map VPN-Client permit 10
 match ip address 144
 set ip next-hop 10.11.0.2
10-30-2014 03:02 AM
What is IP 10.11.0.2 assigned to?
Without knowing the actual circumstances I would suggest first removing the route-map from the Gig1 interface, or at least making ACL 144 more specific than having any as the destination.
--
Please remember to select a correct answer and rate helpful posts
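To make the two ACLs in the posted config concrete, here is an added example (not from the thread, the linked Cisco document, or IOS itself) that models first-match wildcard ACL evaluation and walks a decrypted VPN-client packet through the posted route-map and NAT list 111. It assumes the hairpin path the linked document describes, in which a policy-routed packet re-enters the routing table via the NAT-inside loopback, and contrasts the posted ACL 144 with a constructed, more specific variant of the kind suggested above.

```python
import ipaddress

# Constructed model of IOS ACL / PBR / NAT decisions (example code, not IOS).

def wc_match(addr, net, wildcard):
    """IOS wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) & 0xFFFFFFFF == (n & ~w) & 0xFFFFFFFF

def acl_action(acl, src, dst):
    """First-match evaluation of (action, src, src_wc, dst, dst_wc) entries,
    with the implicit deny at the end of every IOS access list."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wc_match(src, s_net, s_wc) and wc_match(dst, d_net, d_wc):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")

# NAT list 111 exactly as posted in the thread.
ACL_111 = [
    ("deny",   "10.0.1.0",     "0.0.0.255", "192.168.10.0", "0.0.0.255"),
    ("permit", "10.0.1.0",     "0.0.0.255", *ANY),
    ("deny",   "192.168.10.0", "0.0.0.255", "10.0.1.0",     "0.0.0.255"),
    ("permit", "192.168.10.0", "0.0.0.255", *ANY),
]
# PBR match list 144 as posted ("any" destination) ...
ACL_144_POSTED = [("permit", "192.168.10.0", "0.0.0.255", *ANY)]
# ... and a constructed, more specific variant that leaves VPN-to-internal
# traffic to the normal routing table.
ACL_144_SPECIFIC = [
    ("deny",   "192.168.10.0", "0.0.0.255", "10.0.1.0", "0.0.0.255"),
    ("permit", "192.168.10.0", "0.0.0.255", *ANY),
]

def path_for(src, dst, acl144):
    """Decrypted VPN-client packet arriving on Gig1: PBR first, then NAT."""
    hairpin = acl_action(acl144, src, dst) == "permit"
    if not hairpin:
        return {"hairpin": False, "natted": False}
    # Policy-routed to the loopback (ip nat inside), it re-enters the routing
    # table and NAT list 111 decides whether it is translated on Gig1.
    natted = acl_action(ACL_111, src, dst) == "permit"
    return {"hairpin": True, "natted": natted}
```

With the posted ACL 144, a VPN client talking to an internal host is also hairpinned through the loopback even though list 111 then refuses to translate it; the specific variant keeps that traffic on the normal path.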
10-30-2014 03:51 AM
Hi Marius,
Thank you for the reply.
10.11.0.2 is not assigned to anything. I was just following this doc.
http://www.cisco.com/c/en/us/support/docs/security/vpn-client/71461-router-vpnclient-pi-stick.html
About that IP, one guy says that we can use any IP. I am also confused there...
10-30-2014 04:22 AM
Is this your full configuration or have you left some config out?
If this is your whole config then you need to add a default route:
ip route 0.0.0.0 0.0.0.0 dhcp
Try adding that and then test. Let us know how it goes.
10-31-2014 03:57 AM
It's a virtual router in the Amazon cloud and the default route is already present:
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
S* 0.0.0.0/0 [254/0] via 10.0.0.1
12-06-2018 12:12 PM
Were you able to get this resolved?