
VPN client to IOS router, central Internet access and CBAC

I am trying to set up the following requirement.

Remote users with Cisco VPN client software connect into an 877 router. Whilst connected to the VPN, users should have access to the Internet via the 877 and not by their local Internet connection using split tunneling.

To make sure this works I have set up policy routing on the WAN interface: if traffic from the VPN clients tries to go out, this traffic is policy routed to a loopback interface which is configured for NAT inside. This allows the traffic to be translated before exiting the WAN interface.

This all works correctly; however, IP Inspect, which is configured outbound on the WAN interface, fails to create openings for this traffic and therefore the return traffic is blocked on the inbound access-list.

Does anybody know of a way to make this policy routed traffic be processed correctly by CBAC?

Regards

Colin
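
A sketch of the setup described in the post above, as an added example that is not part of the original thread and is not the configuration Colin later attached. The interface names, addresses, ACL numbers, inspection rule name and route-map name are all constructed, `set ip next-hop` is one assumed way of steering traffic to the loopback, and the Easy VPN server and crypto map definitions are left out.

```cisco
! Constructed example: WAN = Dialer0, VPN client pool = 10.10.10.0/24.
! All names, numbers and addresses below are illustrative.
!
! CBAC rule that should open return paths for outbound sessions
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Loopback acts as the "NAT inside" hop for hairpinned client traffic
interface Loopback0
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 ip nat outside
 ip inspect FW out
 ip policy route-map VPN-HAIRPIN
 crypto map VPNMAP
!
! Translate the client pool behind the WAN address
ip nat inside source list 10 interface Dialer0 overload
access-list 10 permit 10.10.10.0 0.0.0.255
!
! Inbound WAN ACL trimmed to the IPsec entries; everything else
! relies on CBAC having created a session for the outbound flow
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit esp any any
access-list 101 deny ip any any log
!
! Decrypted client traffic arriving on Dialer0 is sent via Loopback0
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
route-map VPN-HAIRPIN permit 10
 match ip address 120
 set ip next-hop 192.168.255.2
```

With a client connected and browsing, `show ip nat translations` should list entries for the pool addresses and `show ip inspect sessions` should list the matching sessions; translations without sessions, together with hits on the `deny ... log` line, is the symptom described in the post.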

6 REPLIES 6
Highlighted
Frequent Contributor

Check the following URL for configuring split tunnelling:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#maintask1

PIX/ASA 7.x: Allow Split Tunneling for VPN Clients on the ASA Configuration.

Highlighted

Unfortunately, split tunneling is not an option; all Internet traffic must go through the central site.

I have now upgraded to IOS 12.4(9)T1 and everything is now working. It seems a bug has been fixed, although I couldn't find a match in the Bug Toolkit.

Highlighted
Beginner

Colin,

I'm trying to do the same thing, and am having the same problems. Can you provide your config?

Thanks,

Matt

Highlighted

Hi Matt

Attached is the configuration.

Regards

Colin

Highlighted

This configuration has expired, I believe. Can you repost or extend the expiration? I'm interested in doing something similar as well. Thanks in advance.

Highlighted

The attachment works for me and there are still 11 months before it expires. Just click on the little icon to the left of the expiry date to download it.
