  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1574

Cisco ROUTER, l2tp vpn CLIENT, with split tunnel with isolated vpn clients

I have a 2811 running IOS 15.x. Note, this is NOT an ASA, so the split-tunnel option is not available to me.

Internal LAN: 10.0.250.0/24
VPN clients: 10.0.249.0/24

How do I configure split tunnel so the 10.0.249.x VPN clients can access the 10.0.250.0/24 subnet, without using the router as the remote gateway for other Internet traffic?

If I am able to ping 10.0.250.10, I also end up using the router's gateway for all traffic from a VPN client.

If I uncheck "Use default gateway" in the IP Settings for the VPN connection (using Windows client), I can ping the VPN gateway (10.0.249.1), but I can't get to 10.0.250.0/24.

I'm trying to accomplish this without forcing users to manually add/delete routes on their local PC.
Asked: snowdog_2112
1 Solution
Jody Lemoine (Network Architect) commented:
Unfortunately, L2TP access VPNs just don't have that functionality. You can either direct all traffic across the VPN or split tunnel across a classful boundary, but there are no other options available short of manipulating routes at the client side.

Based on your requirements, I would consider using the AnyConnect SSL VPN client instead. It will give you full split tunneling capability and requires almost no configuration of client machines. The client software even installs itself when the user makes the initial connection.
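As an added illustration of the approach recommended above (this configuration is not from the thread or from Cisco's document): a minimal IOS SSL VPN (AnyConnect) setup that tunnels only the poster's 10.0.250.0/24 LAN, so the clients' Internet traffic keeps using their own default gateway. The public IP 203.0.113.1, the trustpoint, pool, context and list names, the username and the package filename are assumptions; exact keywords vary by IOS release.

```cisco
! Added example, not from the original thread. Assumed values: outside
! address 203.0.113.1, trustpoint SSLVPN-TP, placeholder package name.
aaa new-model
aaa authentication login SSLVPN-AUTH local
username vpnuser secret <strong-password-placeholder>
!
! Client pool from the poster's VPN range (10.0.249.0/24); .1 stays free
! for the virtual gateway address the poster pings today.
ip local pool SSLVPN-POOL 10.0.249.2 10.0.249.254
!
! AnyConnect package the router pushes to clients on first connection
webvpn install svc flash:/webvpn/anyconnect-win-<version>-k9.pkg sequence 1
!
webvpn gateway SSLVPN-GW
 ip address 203.0.113.1 port 443
 ssl trustpoint SSLVPN-TP
 inservice
!
webvpn context SSLVPN-CTX
 ssl authenticate verify all
 aaa authentication list SSLVPN-AUTH
 gateway SSLVPN-GW
 policy group SSLVPN-POLICY
  functions svc-enabled
  svc address-pool "SSLVPN-POOL" netmask 255.255.255.0
  svc keep-client-installed
  ! Split tunnel: only the internal LAN is routed into the tunnel. The
  ! include list is pushed to the client, so no manual routes are needed.
  svc split include 10.0.250.0 255.255.255.0
 default-group-policy SSLVPN-POLICY
 inservice
```

Any ACL or zone-based firewall policy on the router must still permit 10.0.249.0/24 to reach 10.0.250.0/24; `show webvpn session context SSLVPN-CTX` lists connected clients and the pool address each received.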
snowdog_2112 (Author) commented:
Is there a doc on configuring AnyConnect on the IOS router? (I've done several on ASAs, but clearly the config is different vis-à-vis RA clients between ASA and IOS.)
Jody Lemoine (Network Architect) commented:
Cisco has a really good document that includes both AnyConnect VPN configuration and Zone-based Policy Firewall configuration here:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-vpn-client/111891-anyconnect-ios-zbpf-config.html
snowdog_2112 (Author) commented:
Haven't had a chance to try it out.