Split Tunneling Problem

  • Split Tunneling Problem

    Hi Guyz,

    I have a Cisco 857w router. I configured Easy VPN Server and it works absolutely fine when I enable split tunneling, but I want all the Internet traffic to travel through the Easy VPN Server as well. Currently, Internet traffic goes out through the VPN client's connected site, but my requirement is that all traffic should travel through the Easy VPN Server.

    When I disable split tunneling I am unable to connect my VPN client, and the message "Unable to Resolve Server Address" comes up, even though I don't have any DNS problem; moreover, it works fine when I enable split tunneling. I used this set of commands to disable split tunneling:

    no access-list 100
    access-list 100 remark Split_Tunneling_VPN
    access-list 100 permit ip 192.168.10.0 0.0.0.255 any
    crypto isakmp client configuration group vpnserver
    no acl 100
    exit

    Any suggestion to resolve this issue?

    Thanks and regards

    Kamal

  • #2
    Re: Split Tunneling Problem

    Kamal, please kindly send the whole config.

    Thank you


    • #3
      Re: Split Tunneling Problem

      Hi Niltinho,

      The important thing is that I configured the VPN through SDM, so I did not enter any CLI command for the VPN from my side, except to enable NAT on the local pool for VPN clients.

      The whole config is as under:


      XxFaiqxX#sh run
      Building configuration...
      Current configuration : 7241 bytes
      !
      version 12.4
      no service pad
      service timestamps debug datetime msec
      service timestamps log datetime msec
      no service password-encryption
      !
      hostname XxFaiqxX
      !
      boot-start-marker
      boot-end-marker
      !
      logging buffered 51200 warnings
      !
      aaa new-model
      !
      !
      aaa authentication login default local
      aaa authentication login sdm_vpn_xauth_ml_1 local
      aaa authorization exec default local
      aaa authorization network sdm_vpn_group_ml_1 local
      !
      aaa session-id common
      !
      resource policy
      !
      clock timezone Dubai 4
      no ip dhcp use vrf connected
      ip dhcp excluded-address 192.168.10.10
      ip dhcp excluded-address 192.168.20.10
      !
      ip dhcp pool DHCP_SERVER
      import all
      network 192.168.10.0 255.255.255.0
      default-router 192.168.10.10
      dns-server 213.42.20.20 195.229.241.222
      lease 0 2
      !
      ip dhcp pool VLAN20
      import all
      network 192.168.20.0 255.255.255.0
      default-router 192.168.20.10
      dns-server 213.42.20.20 195.229.241.222
      lease 0 2
      !
      !
      ip cef
      ip name-server 213.42.20.20
      ip name-server 195.229.241.222
      ip ddns update method DynamicDNS
      HTTP
      add http://username[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
      remove http:// username[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
      !
      !
      !
      crypto pki trustpoint TP-self-signed-2662940796
      enrollment selfsigned
      subject-name cn=IOS-Self-Signed-Certificate-2662940796
      revocation-check none
      rsakeypair TP-self-signed-2662940796
      !
      !
      crypto pki certificate chain TP-self-signed-2662940796
      certificate self-signed 01
      3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 32363632 39343037 3936301E 170D3039 30333130 31303239
      32325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 36363239
      34303739 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100C9B5 1F5239F5 35825A1C 091E6264 3062F2D2 5F853E52 B88387F8 E6C17378
      934E1CFF 512039B9 878510AB 214BD9DD EB4D7C74 F12169D1 31E31F7B 31268FFC
      55FCC73F 7455DC88 8AEECD44 F70C2896 A1DFE0DE 90DB0A07 55552C28 BF01BC72
      6EAE2923 D4AB4CA0 139BB3CC C4873F91 EF8AD14F 4AA34547 7F4E5E9A D2644DE9
      7AFB0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
      551D1104 17301582 13587846 61697178 582E6661 69712E6C 6F63616C 301F0603
      551D2304 18301680 1430CA3C 416B5170 17A7DF37 E0DEC984 45469691 DC301D06
      03551D0E 04160414 30CA3C41 6B517017 A7DF37E0 DEC98445 469691DC 300D0609
      2A864886 F70D0101 04050003 81810094 8BD9ED16 F2FACC81 4A3EE67F 5EBCDEF5
      1C22C9CD C377295D D1C07F64 A4D8607C 75FD83CC 536302F6 E19A2F3C 101F404B
      48529549 876559C8 5ADB5269 12880FD9 EF84B53C 87435F5F D29D2FBB 6E0C2DC1
      62BAC960 141071F5 95B9F78A 11C22A03 3906B10A 97393930 EB8F4849 0C278B11
      D289D152 6516C0CE 6F237A85 9C07AE
      quit
      username admin privilege 15 secret 5 $1$Rlx6$yxA3vDkGOM.DpUggL7Ke9/
      !
      !
      !
      crypto isakmp policy 2
      encr aes
      authentication pre-share
      group 2
      !
      crypto isakmp client configuration group vpnserver
      key cisco
      dns 213.42.20.20 195.229.241.222
      pool SDM_POOL_1
      acl 100
      group-lock
      include-local-lan
      max-users 5
      netmask 255.255.255.0
      crypto isakmp profile sdm-ike-profile-1
      match identity group vpnserver
      isakmp authorization list sdm_vpn_group_ml_1
      client configuration address respond
      virtual-template 1
      !
      !
      crypto ipsec transform-set kamal_sha_aes esp-aes esp-sha-hmac
      !
      crypto ipsec profile SDM_Profile1
      set transform-set kamal_sha_aes
      set isakmp-profile sdm-ike-profile-1
      !
      !
      bridge irb
      !
      !
      interface ATM0
      no ip address
      no atm ilmi-keepalive
      dsl operating-mode auto
      !
      interface ATM0.1 point-to-point
      no snmp trap link-status
      pvc 0/50
      pppoe-client dial-pool-number 1
      !
      !
      interface FastEthernet0
      spanning-tree portfast
      !
      interface FastEthernet1
      spanning-tree portfast
      !
      interface FastEthernet2
      spanning-tree portfast
      !
      interface FastEthernet3
      spanning-tree portfast
      !
      interface Virtual-Template1 type tunnel
      ip unnumbered BVI10
      tunnel mode ipsec ipv4
      tunnel protection ipsec profile SDM_Profile1
      !
      interface Dot11Radio0
      no ip address
      !
      encryption vlan 1 mode ciphers tkip
      !
      encryption vlan 20 mode ciphers tkip
      !
      ssid Faiq
      vlan 1
      authentication open
      authentication key-management wpa
      wpa-psk ascii 0 0508580118
      !
      ssid Mahdi
      vlan 20
      authentication open
      authentication key-management wpa
      guest-mode
      wpa-psk ascii 0 0508580118
      !
      speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
      channel 2462
      station-role root
      no dot11 extension aironet
      no cdp enable
      !
      interface Dot11Radio0.1
      description Faiq Wireless LAN Access to Mahdi WLAN (192.168.20.0)
      encapsulation dot1Q 1 native
      no snmp trap link-status
      no cdp enable
      bridge-group 1
      bridge-group 1 subscriber-loop-control
      bridge-group 1 spanning-disabled
      bridge-group 1 block-unknown-source
      no bridge-group 1 source-learning
      no bridge-group 1 unicast-flooding
      !
      interface Dot11Radio0.20
      description Mahdi Wireless LAN - Denied to Faiq WLAN (192.168.10.0)
      encapsulation dot1Q 20
      ip address 192.168.20.10 255.255.255.0
      ip access-group denied_Faiq in
      ip nat inside
      ip virtual-reassembly
      no snmp trap link-status
      no cdp enable
      !
      interface Vlan1
      description Vlan1 is Bridged to BVI10 (Integrated Routing and Bridging)
      no ip address
      ip virtual-reassembly
      ip tcp adjust-mss 1412
      bridge-group 10
      !
      interface Dialer0
      ip ddns update hostname xxx.dyndns.org
      ip ddns update DynamicDNS
      ip address negotiated
      ip mtu 1452
      ip nat outside
      ip virtual-reassembly
      encapsulation ppp
      dialer pool 1
      dialer-group 1
      no cdp enable
      ppp authentication chap pap callin
      ppp chap hostname username
      ppp chap password 0 password
      ppp pap sent-username username password 0 password
      ppp ipcp dns request
      ppp ipcp address accept
      !
      interface BVI10
      ip address 192.168.10.10 255.255.255.0
      ip nat inside
      ip virtual-reassembly
      !
      ip local pool SDM_POOL_1 192.168.30.10 192.168.30.20
      ip route 0.0.0.0 0.0.0.0 Dialer0
      !
      ip http server
      ip http authentication local
      ip http secure-server
      ip http timeout-policy idle 60 life 86400 requests 10000
      ip nat inside source list 1 interface Dialer0 overload
      ip nat inside source static tcp 192.168.10.2 3389 interface Dialer0 3389
      !
      ip access-list extended denied_Faiq
      deny ip any 192.168.10.0 0.0.0.255
      permit ip any any
      !
      access-list 1 remark NAT_Enable_192.168.10.10
      access-list 1 permit 192.168.10.0 0.0.0.255
      access-list 1 remark NAT_Enable_192.168.20.10
      access-list 1 permit 192.168.20.0 0.0.0.255
      access-list 1 remark NAT_Enable_192.168.30.10
      access-list 1 permit 192.168.30.0 0.0.0.255
      access-list 100 remark Split_Tunneling_VPN
      access-list 100 permit ip 192.168.10.0 0.0.0.255 any
      dialer-list 1 protocol ip permit
      no cdp run
      !
      control-plane
      !
      bridge 10 protocol ieee
      bridge 10 route ip
      banner login ^CHop into the World of Goongloos^C
      !
      line con 0
      logging synchronous
      no modem enable
      line aux 0
      line vty 0 4
      logging synchronous
      transport input telnet ssh
      !
      scheduler max-task-time 5000
      end
      Kamal


      • #4
        Re: Split Tunneling Problem

        I forgot to write that this is my absolutely fine working running configuration, but when I disable split tunneling from the SDM it copies the following commands to the running config:

        no access-list 100
        access-list 100 remark Split_Tunneling_VPN
        access-list 100 permit ip 192.168.10.0 0.0.0.255 any
        crypto isakmp client configuration group vpnserver
        no acl 100
        exit
        Kamal
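The commands above only take the split-tunnel list off the client group; once clients send everything into the tunnel, the server itself has to get their Internet traffic out again. Below is an added config-audit script for this thread (not Cisco tooling and not the poster's configuration) that checks three things in a `show run` text: whether the group still carries an `acl`, whether the client pool (`SDM_POOL_1`, 192.168.30.x in the posted config) is covered by the NAT source ACL, and whether the Virtual-Template that terminates the clients is marked `ip nat inside`. The last check rests on how IOS NAT works (packets are translated only when they enter an `ip nat inside` interface and leave an `ip nat outside` one); in the posted config `ip nat inside` is set on BVI10 and Dot11Radio0.20 but not on Virtual-Template1, which is the assumption this example is built around. `SAMPLE_CONFIG` is constructed from the shape of the posted config, with the indentation that the forum stripped restored, and is not the router's real output. The script says nothing about the client-side "Unable to Resolve Server Address" message.

```python
"""Audit an IOS running-config for the prerequisites of a full-tunnel (no split
tunneling) Easy VPN server.  Added example for this thread, not Cisco's or the
poster's code; SAMPLE_CONFIG is constructed from the shape of the posted config."""
import ipaddress
import re

SAMPLE_CONFIG = """\
crypto isakmp client configuration group vpnserver
 pool SDM_POOL_1
 acl 100
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
 match identity group vpnserver
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 tunnel mode ipsec ipv4
!
interface Dialer0
 ip nat outside
!
ip local pool SDM_POOL_1 192.168.30.10 192.168.30.20
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
"""

def parse_blocks(config):
    """Map each non-indented header line to its indented subcommands; '!' ends a block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
        elif raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks

def group_subcommands(blocks, group):
    return blocks.get(f"crypto isakmp client configuration group {group}", [])

def split_tunnel_acl(blocks, group):
    """ACL number under the group: present means split tunneling, None means full tunnel."""
    for sub in group_subcommands(blocks, group):
        m = re.fullmatch(r"acl (\d+)", sub)
        if m:
            return int(m.group(1))
    return None

def client_pool_network(config, blocks, group):
    """Network the client pool lives in: pool start address masked with the group netmask."""
    kv = dict(s.split() for s in group_subcommands(blocks, group) if len(s.split()) == 2)
    m = re.search(rf"^ip local pool {re.escape(kv.get('pool', '-'))} (\S+) \S+$", config, re.M)
    if not (m and "netmask" in kv):
        return None
    return ipaddress.ip_network(f"{m.group(1)}/{kv['netmask']}", strict=False)

def acl_covers(config, acl, network):
    """True if a 'permit <addr> <wildcard>' entry of standard ACL `acl` contains `network`
    (ipaddress reads the Cisco wildcard as a hostmask)."""
    for addr, wildcard in re.findall(rf"^access-list {acl} permit (\S+) (\S+)$", config, re.M):
        if network.subnet_of(ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)):
            return True
    return False

def tunnel_interface(blocks, group):
    """Virtual-Template bound to the ISAKMP profile that matches this group."""
    for header, subs in blocks.items():
        if header.startswith("crypto isakmp profile ") and f"match identity group {group}" in subs:
            for sub in subs:
                if sub.startswith("virtual-template "):
                    return "Virtual-Template" + sub.split()[1]
    return None

def interface_has(blocks, name, command):
    """True if interface `name` carries `command` as a subcommand."""
    return any(command in subs for header, subs in blocks.items()
               if header.startswith("interface ") and header.split()[1] == name)

def audit_full_tunnel(config, group="vpnserver"):
    """Findings for a full-tunnel group; a non-None ACL or any False value needs attention."""
    blocks = parse_blocks(config)
    net = client_pool_network(config, blocks, group)
    nat = re.search(r"^ip nat inside source list (\S+) interface (\S+) overload$", config, re.M)
    vt = tunnel_interface(blocks, group)
    return {
        "split_tunnel_acl": split_tunnel_acl(blocks, group),
        "client_network": str(net) if net else None,
        "pool_in_nat_acl": bool(nat and net and acl_covers(config, nat.group(1), net)),
        "tunnel_interface": vt,
        "tunnel_nat_inside": bool(vt and interface_has(blocks, vt, "ip nat inside")),
        "outside_nat_outside": bool(nat and interface_has(blocks, nat.group(2), "ip nat outside")),
    }

if __name__ == "__main__":
    print(audit_full_tunnel(SAMPLE_CONFIG))
```

Feed it the real `show run` output with its indentation intact. On the sample it reports `split_tunnel_acl` 100 (the list is still in place in the working config), `pool_in_nat_acl` True (access-list 1 already permits 192.168.30.0/24) and `tunnel_nat_inside` False; the same three values are what a full-tunnel change on the posted router would have to turn into None, True and True.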
