[c-nsp] VPN Question - IOS

John Kougoulos koug at intracom.gr
Tue Jul 22 10:44:23 EDT 2008


Hello,

try removing the following lines:

acl 100
include-local-lan
netmask 255.255.255.0

The IP address that will be used is the one assigned by the pool VPNPool1,
unless you configure some kind of NAT translation.

BR,
John

On Tue, 22 Jul 2008, Paul Stewart wrote:

> Hi there...
>
> We have a remote access VPN configuration deployed on a 2800 router....
> everything works great except I'd like to "force" VPN users to send all
> their traffic via the VPN when connected.  I'm missing something obvious I
> believe...
>
> Example would be once a VPN user is connected and opens an SSH session to a
> router, I want that SSH session to come via the VPN router's IP address -
> not their home IP address.
>
> 192.192.61.0/24 is our "internal" LAN network - yeah yeah, I know... this
> was setup by a networking "expert" long before my time...:(
>
> Config looks like this:
>
> crypto isakmp client configuration group RemoteAccess
>   key xxxxxxxxxxxxxxxx
>   dns xxxxxxxxxxxxxxxxxxx
>   wins xxxxxxxxxxxxxxxxx
>   domain xxxxxxxxxxxxxxxxxxx
>   pool VPNPool1
>   acl 100
>   save-password
>   include-local-lan
>   netmask 255.255.255.0
> crypto isakmp profile VPN-Profile
>   match identity group RemoteAccess
>   client authentication list vpn_xauth1
>   isakmp authorization list vpn_group1
>   client configuration address respond
>   virtual-template 2
> !
>
>
> This has something to do with split tunneling and the ACL 100 but so far I
> haven't got this working....
>
> Thanks very much,
>
> Paul
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


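The reply above boils down to a configuration check: an Easy VPN group that carries `acl` or `include-local-lan` lets client traffic bypass the tunnel, while a group without them sends everything via the VPN router. The following audit script is an added example, not code from the thread or from Cisco; it assumes plain IOS running-config text, and the `RemoteAccess-Full` group and redacted key are constructed sample values.

```python
# Added example (not from the thread): flag IOS Easy VPN group blocks whose
# split-tunnel settings let client traffic bypass the tunnel.
import re

GROUP_RE = re.compile(r"^crypto isakmp client configuration group (\S+)")
TOP_LEVEL = ("crypto ", "interface ", "ip ", "access-list ", "!")  # ends a group block

def audit_ezvpn_groups(config: str) -> dict:
    """Per group: split ACL number, local-LAN bypass, pool, and full_tunnel verdict."""
    groups: dict = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = {"split_acl": None, "local_lan": False, "pool": None}
            continue
        if current is None or line.startswith(TOP_LEVEL):
            current = None  # left the group block
            continue
        tokens = line.split()
        if tokens[0] == "acl" and len(tokens) > 1:
            groups[current]["split_acl"] = tokens[1]   # split-tunnel ACL pushed to clients
        elif tokens[0] == "include-local-lan":
            groups[current]["local_lan"] = True        # client keeps direct local-LAN access
        elif tokens[0] == "pool" and len(tokens) > 1:
            groups[current]["pool"] = tokens[1]        # source of the client's tunnel address
    for g in groups.values():
        # All client traffic goes via the tunnel only if neither bypass is configured
        g["full_tunnel"] = g["split_acl"] is None and not g["local_lan"]
    return groups

# Constructed sample: the thread's group (key redacted) beside a full-tunnel
# variant that drops acl / include-local-lan / netmask as the reply suggests.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group RemoteAccess
 key <redacted>
 pool VPNPool1
 acl 100
 include-local-lan
 netmask 255.255.255.0
crypto isakmp client configuration group RemoteAccess-Full
 key <redacted>
 pool VPNPool1
crypto isakmp profile VPN-Profile
 match identity group RemoteAccess
"""

if __name__ == "__main__":
    for name, status in audit_ezvpn_groups(SAMPLE_CONFIG).items():
        print(name, status)
```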