You need to exempt vpn traffic from NAT, as you probably know but it will not work the way you have configured it.

First, the route-map should not be on the same interface as the crypto-map, only on the inside interface.

Second, the loopback should not be configured as NAT inside, the whole idea with this workaround is NOT to NAT.

Third, the acl:s that you use in the route-map are wrong, they should look like this:

access-list 147 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255

!

route-map vpn-client permit 10

match ip address 147

set interface Loopback0

And depending on what ios version you have, you can maybe use static translations with route-maps instead.

first, THANK YOU!!!!!!!! it worked. My question is, since i have multiple networks inside, if I want to allow traffic from the VPM to other internal networks would i simply do something like this:

access-list 148 permit ip 172.16.0.0 0.0.0.255 192.168.5.0 0.0.0.0

then add one line on my route map

match ip address 148

Ryan,

the easiest thing to do is to add each new network to the same acl, then you can keep the route-map unchanged.

If you add a new acl to the existing route-map, make sure that you add it to the same match command, and not as a separate statement, like this "match ip address 147 148".

You can also have a separate route-map for each internal interface.

I am glad it helped.

it works!!!!. Thanks a lot for ur help!. I do have one more question. Is there a way to allow for access to the internet thru the vpn(not like split tunneling)

That is kind of unusual, and definitely a waste of bandwidth.

When you have a central proxy for internet access it is common to let vpn users pass through that as well, to enforce a security policy. But without a proxy there is no point in my opinion.

But if you really want to I suppose you can try and attach another route-map to the "outside" interface and redirect vpn-traffic that is NOT for the internal network, to another loopback interface, that has "nat inside" configured. Adjust NAT rules accordingly.

heres what i added to try to get the vpn to also handle internet traffic

int loopback1

ip address 10.12.0.1 255.255.255.0

ip nat inside

access-list 149 permit ip any 192.168.5.0 0.0.0.255

route-map vpn-clientout permit 10

match ip address list 149

set interface loopback1

for my natting i set up a pool with the external ip of my outside interface called for195

ip nat inside source list 146 pool for195 overload

i also added this to my outside interface

ip policy route-map vpn-clientout

What am i missing?

In theory, the acl should look like this:

access-list 149 deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 149 permit ip 192.168.5.0 0.0.0.255 any

However, I am not sure if this will work, and I have never tested it.

I tried making deny statements for the local networks and adding the ermit line as u said. Was not able to get on the internet. I understand if this isnt doable its kinda a convience thing. You have been extremely helpful in getting the vpn to work as it should with regards to accessing local resoruces on my remote network.

i didnt have the nat set up for my outside routemap. It works like a charm now. Thanks! Only remaining issue is I cannot seem to get to work access to my local lan. I have checked the option in the vpn client however it still shows disabled under the vpn stats once i connect. Is there something i need to add on the router side to explicitely allow this?

I am not sure of how to do this in IOS, it is easy on a PIX/ASA.

You can try to use a split tunnel, but in a different way. Use an acl that deny the local lan network and permit everything else (0.0.0.0/0) and add as a split tunnel acl.