VPN client to IOS router, central Internet access and CBAC

colin10086
Level 1

I am trying to set up the following requirement.

Remote users with Cisco VPN client software connect into an 877 router. Whilst connected to the VPN, users should have access to the Internet via the 877 and not by their local Internet connection using split tunneling.

To make sure this works, I have set up policy routing on the WAN interface: if traffic from the VPN clients tries to go out, it is policy routed to a loopback interface which is configured for NAT inside. This allows the traffic to be translated before exiting the WAN interface.

This all works correctly; however, IP Inspect, which is configured outbound on the WAN interface, fails to create openings for this traffic, and therefore the return traffic is blocked on the inbound access-list.

Does anybody know of a way to make this policy routed traffic be processed correctly by CBAC?

Regards

Colin

6 Replies

wong34539
Level 6

Check the following URL for configuring split tunnelling:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#maintask1

PIX/ASA 7.x: Allow Split Tunneling for VPN Clients on the ASA Configuration.

Unfortunately, split tunneling is not an option; all Internet traffic must go through the central site.

I have now upgraded to IOS 12.4(9)T1 and everything is now working. It seems a bug has been fixed, although I couldn't find a match in the bug toolkit.

jvtechnical
Level 1

Colin,

I'm trying to do the same thing, and am having the same problems. Can you provide your config?

Thanks,

Matt

Hi Matt

Attached is the configuration.

Regards

Colin

This configuration has expired, I believe. Can you repost or extend the expiration? I'm interested in doing something similar as well. Thanks in advance.

The attachment works for me and there are still 11 months before it expires. Just click on the little icon to the left of the expiry date to download it.
