LAN to LAN VPN with internet access?

Check the 837 config has an access list permitting the internal network access to the outside.

This link may help:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800ae459.shtml

If not, could you post up the 837 config ?

(it's unlikely to be a VPN 3000 issue)

It should all be handled in the access-list that you use to define the interesting traffic that goes through the tunnel..
If you have an ipsec policy with a "match address xxx" the xxx is an access list.
 You might have something like
  access-list 101 permit ip any <remote lan> mask

 Where you should have
    access-list 101 permit ip <local lan> mask <remote lan> mask

Hi All

The current 837 config is as follows. I can get the tunnel up and I can get the hardphone to talk to the CCM server without a problem. I just don't know what I need to do to enable pc's at the 837 end to access the internet. Any ideas where I am going wrong?

Current configuration : 2747 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable secret *******
enable password *****
!
username ***** privilege 15 secret *******
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name yourdomain.com
!
!
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key ****** address ***.***.19.20
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer ***.***.19.20
 set transform-set SDM_TRANSFORMSET_1
 match address 100
!
!
!
!
interface Ethernet0
 description $FW_INSIDE$$ETH-LAN$$INTF-INFO-Ethernet 10/100$
 ip address 10.1.4.254 255.255.255.0
 ip helper-address 10.1.1.10
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 ip tcp adjust-mss 1452
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address ***.***.237.97 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname **********
 ppp chap password 0 ********
 crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
!
logging trap debugging
access-list 100 permit ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 password *****
 login
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler interval 500
!
end

Thanks big time, your a lifesaver. Everything is working perfectly now.

You are most welcome. Glad to help..