[c-nsp] VPN Question - IOS
Paul Stewart
paul at paulstewart.org
Tue Jul 22 09:39:45 EDT 2008
Hi there...
We have a remote access VPN configuration deployed on a 2800 router....
everything works great except I'd like to "force" VPN users to send all
their traffic via the VPN when connected. I'm missing something obvious I
believe...
Example would be once a VPN user is connected and opens an SSH session to a
router, I want that SSH session to come via the VPN router's IP address -
not their home IP address.
192.192.61.0/24 is our "internal" LAN network - yeah yeah, I know... this
was setup by a networking "expert" long before my time...:(
Config looks like this:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group RemoteAccess
 key xxxxxxxxxxxxxxxx
 dns xxxxxxxxxxxxxxxxxxx
 wins xxxxxxxxxxxxxxxxx
 domain xxxxxxxxxxxxxxxxxxx
 pool VPNPool1
 acl 100
 save-password
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile VPN-Profile
 match identity group RemoteAccess
 client authentication list vpn_xauth1
 isakmp authorization list vpn_group1
 client configuration address respond
 virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile
 set transform-set ESP-3DES-SHA
 set isakmp-profile VPN-Profile
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile
ip local pool VPNPool1 192.168.250.2 192.168.250.254
access-list 100 permit ip 192.192.61.0 0.0.0.255 any
access-list 100 permit ip 192.168.250.0 0.0.0.255 any
This has something to do with split tunneling and the ACL 100, but so far I
haven't got this working....
Thanks very much,
Paul
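Added example (editor's note, not part of Paul's post and not Cisco-supplied text): in an IOS Easy VPN server group, the "acl" keyword is the split-tunnel ACL, so ACL 100 above tells the client to tunnel only 192.192.61.0/24 and 192.168.250.0/24 and to send everything else from its home IP; "include-local-lan" additionally keeps the client's own LAN outside the tunnel. Removing both makes the client tunnel all traffic, and the router then has to NAT the pool out to the Internet. The WAN interface name (FastEthernet0/0) and ACL 110 are assumptions; everything else reuses names from the config above.

```ios
! Current state (from the post): split tunneling driven by ACL 100,
! plus a local-LAN exception.
crypto isakmp client configuration group RemoteAccess
 pool VPNPool1
 acl 100
 include-local-lan
!
! Tunnel-all: drop the split-tunnel ACL and the local-LAN exception.
! With no "acl" in the group the client is pushed a 0.0.0.0/0 policy and
! sends everything, Internet-bound traffic included, through the tunnel.
crypto isakmp client configuration group RemoteAccess
 no acl 100
 no include-local-lan
!
! Internet-bound client traffic now arrives on the Virtual-Access interface
! cloned from Virtual-Template2, so it must be NATed out the WAN side.
! ACL 110 and the interface name FastEthernet0/0 are assumptions.
! The deny line keeps client-to-LAN traffic out of NAT.
access-list 110 deny   ip 192.168.250.0 0.0.0.255 192.192.61.0 0.0.0.255
access-list 110 permit ip 192.168.250.0 0.0.0.255 any
ip nat inside source list 110 interface FastEthernet0/0 overload
!
interface Virtual-Template2 type tunnel
 ip nat inside
!
interface FastEthernet0/0
 ip nat outside
```

To check the result, reconnect a client and look at "show crypto session detail" on the router: with tunnel-all the client's negotiated proxy identity for the remote side is 0.0.0.0/0 rather than the two prefixes from ACL 100. An SSH session from the client to an Internet host should then appear in "show ip nat translations" sourced from the pool address and translated to the FastEthernet0/0 address; SSH to an internal router still arrives from the 192.168.250.x pool address, not the client's home IP, because that traffic never leaves through the NAT outside interface.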