Have you configured split tunneling on the ASA?
With regards
Kings

On Tue, Oct 11, 2011 at 12:45 PM, yusef sheriff <[email protected]> wrote:
> Hi All,
>
> I have configured EZVPN server on ASA and remote client is IOS router. VPN
> is able to connect without any issue. But the remote clients are losing
> internet connectivity, NAT translation becomes empty once I applied the
> crypto ipsec ezvpn outside on the dialer interfaces. Below is the
> configuration of the router.
>
> =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.10.11 11:07:53 =~=~=~=~=~=~=~=~=~=~=~=
> sh run
> Building configuration...
> Current configuration : 2999 bytes
> !
> ! Last configuration change at 07:03:00 UTC Tue Oct 11 2011
> !
> version 15.0
> service config
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
> !
> hostname Router
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> !
> !
> !
> !
> --More-- !
> !
> no ipv6 cef
> ip source-route
> ip cef
> !
> !
> !
> !
> !
> !
> !
> !
> redundancy
> !
> !
> !
> !
> !
> --More-- !
> crypto ipsec client ezvpn ASA
>  connect acl 105
>  group aooman key hlg2oma@vpn
>  mode network-extension
>  peer 213.42.108.130
>  username hlgoman password us@hlom
>  xauth userid mode local
> !
> !
> !
> !
> !
> interface GigabitEthernet0/0
>  ip address 10.10.10.1 255.255.255.0
>  ip access-group 100 out
>  ip nat inside
>  ip virtual-reassembly
>  duplex auto
>  speed auto
>  crypto ipsec client ezvpn ASA inside
> !
> !
> --More-- interface GigabitEthernet0/1
>  no ip address
>  duplex auto
>  speed auto
>  pppoe enable group global
>  pppoe-client dial-pool-number 1
>  no cdp enable
> !
> !
> interface GigabitEthernet0/2
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> !
> interface Dialer0
>  no ip address
> !
> !
> interface Dialer1
>  ip address negotiated
>  ip access-group 101 in
> --More--  ip mtu 1492
>  ip nat outside
>  ip virtual-reassembly
>  encapsulation ppp
>  ip tcp adjust-mss 1452
>  dialer pool 1
>  dialer-group 1
>  ppp authentication chap pap callin
>  ppp chap hostname hlgoman
>  ppp chap password 7 15160D1A503A797C2E
>  ppp pap sent-username hlgoman password 7 06020937185E5B410357
>  ppp ipcp dns request accept
>  ppp ipcp route default
>  ppp ipcp address accept
> !
> !
> ip forward-protocol nd
> !
> no ip http server
> no ip http secure-server
> !
> ip nat inside source route-map nonat interface Dialer1 overload
> ip route 0.0.0.0 0.0.0.0 Dialer1
> --More-- ip route 172.23.1.0 255.255.255.0 10.10.10.2
> ip route 172.23.2.0 255.255.255.0 10.10.10.2
> !
> ip access-list extended VPN_ACCESS
>  deny ip 172.23.1.0 0.0.0.255 172.16.0.0 0.0.255.255
>  deny ip 172.23.2.0 0.0.0.255 172.16.0.0 0.0.255.255
>  deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
>  permit ip 172.23.1.0 0.0.0.255 any
>  permit ip 172.23.2.0 0.0.0.255 any
>  permit ip 10.10.10.0 0.0.0.255 any
> !
> access-list 10 permit 172.23.2.0 0.0.0.255
> access-list 10 permit 172.23.1.0 0.0.0.255
> access-list 10 permit 10.10.10.0 0.0.0.255
> access-list 100 permit ip any any
> access-list 101 permit ip any any
> access-list 105 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
> access-list 105 permit ip 172.23.1.0 0.0.0.255 172.16.0.0 0.0.255.255
> access-list 105 permit ip 172.23.2.0 0.0.0.255 172.16.0.0 0.0.255.255
> access-list 106 permit ip 172.23.1.0 0.0.0.255 any
> access-list 106 permit ip 172.23.2.0 0.0.0.255 any
> access-list 106 permit ip 10.10.10.0 0.0.0.255 any
> dialer-list 1 protocol ip permit
> !
> !
> !
> !
> route-map EVPN permit 1
>  match ip address 105
> !
> route-map nonat permit 10
>  match ip address VPN_ACCESS
> !
> !
> !
> control-plane
> !
> !
> !
> line con 0
> line aux 0
> line vty 0 4
>  password 7 07062C584F0A485744
>  login
> !
> scheduler allocate 20000 1000
> --More-- end
> Router#
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
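
The split-tunneling setting the reply asks about, shown as an added example that is not part of the original thread: an ASA-side fragment that sends only 172.16.0.0/16 (the destination in the client's access-list 105) through the tunnel. The names SPLIT_TUNNEL and EZVPN_GP are hypothetical, and the tunnel-group name aooman assumes the ASA tunnel group matches the client's group line.

```cisco
! Added example. SPLIT_TUNNEL and EZVPN_GP are hypothetical names.
!
! Networks the remote site should reach through the tunnel
! (172.16.0.0/16 is the destination in the client's access-list 105).
access-list SPLIT_TUNNEL standard permit 172.16.0.0 255.255.0.0
!
! The default split-tunnel-policy is tunnelall: every packet from the
! remote site, Internet-bound traffic included, is sent to the ASA.
! tunnelspecified limits the tunnel to the networks in the list.
! nem enable allows clients that connect in network-extension mode.
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 nem enable
!
! Assumption: the tunnel group is named after the client's "group aooman".
tunnel-group aooman general-attributes
 default-group-policy EZVPN_GP
```

After the client reconnects, `show crypto ipsec client ezvpn` on the router lists the split-tunnel networks it received from the server.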
