Hi All,

Last night I set up a scenario where I added Split Tunneling to the remote access policy by adding "ipsec:inacl=ST" as a cisco-av-pair in the group (thanks Karthik for your pointer!). I was able to see the Split Tunnel routes in my VPN client, but I found that my remote access host was not getting the necessary route to reach this network.

I assigned my VPN Pool to be in the 10.10.10.x /24 range, and the host successfully got an address in this range, but the only route provided through the VPN was a route toward my Split Tunnel subnet toward a GW of 10.0.0.1, which doesn't exist anywhere. It looks as though something did classful summarization and made up a gateway host address.

Couple questions:
- Anyone know why that occurred?
- How do we specify a route to be added to the remote access VPN policy from within ACS? ....another RADIUS AV pair I'm guessing.

Thanks,
Jason

On Fri, Sep 7, 2012 at 1:14 AM, Karthik sagar <[email protected]> wrote:
> Yes, this is how it is designed. The Router sends the "vpn-group/cisco" as
> username/password to the ACS server. The actual vpn-group-password is then
> validated against "tunnel-pre-shared-key" attribute in the profile. This
> method is to be used only with IOS/RADIUS.
>
> With the ASA, the ACS profile will have the actual
> "vpn-group/vpn-group-password" as username/password.
>
> Why was it designed this way? No idea :-) If anybody knows why, please
> share..
>
> Regards,
> Karthik
