AnyConnect: How to route ALL traffic over VPN

Similar Questions

• Try to send all traffic over VPN

  Hello

  I have a Cisco 871 router on my home cable modem connection. I am trying to set up a VPN, and I want to send all traffic over the VPN from connected clients (no split tunnel).

  I can connect to the VPN and I can ping/access resources on my home LAN when I'm remote but access to the internet channels.

  If its possible I would have 2 Configuration of profiles according to connection 1 connection sends all traffic to the vpn and the connection on the other split tunneling but for now, I'd be happy with everything just all traffic go via the VPN.

  Here is my config.

  10.10.10.xxx is my home network inside LAN

  10.10.20.xxx is the IP range assigned when connecting to the VPN

  FastEthernet4 is my WAN interface.

  Kernel #show run
  Building configuration...

  Current configuration: 4981 bytes
  !
  version 12.4
  service configuration
  no service button
  tcp KeepAlive-component snap-in service
  a tcp-KeepAlive-quick service
  horodateurs service debug datetime localtime show-timezone msec
  Log service timestamps datetime localtime show-timezone msec
  encryption password service
  sequence numbers service
  !
  hostname-Core
  !
  boot-start-marker
  boot-end-marker
  !
  Security of authentication failure rate 3 log
  Passwords security min-length 6
  forest-meter operation of syslog messages
  no set record in buffered memory
  enable secret 5 XXXXX
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  AAA authentication login ciscocp_vpn_xauth_ml_1 local
  AAA authorization exec default local
  AAA authorization ciscocp_vpn_group_ml_1 LAN
  !
  !
  AAA - the id of the joint session
  !
  Crypto pki trustpoint Core_Certificate
  enrollment selfsigned
  Serial number no
  IP address no
  crl revocation checking
  rsakeypair 512 Core_Certificate_RSAKey
  !
  !
  string Core_Certificate crypto pki certificates
  certificate self-signed 01
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  quit smoking
  dot11 syslog
  no ip source route
  !
  !
  !
  !
  IP cef
  no ip bootp Server
  name of the IP-server 75.75.75.75
  name of the IP-server 75.75.76.76
  No ipv6 cef
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  !
  password username privilege 15 7 XXXXXXXXXXXXX XXXXXXXX
  username secret privilege 15 XXXXXXXX XXXXXXXXXXXXX 5
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  !
  crypto ISAKMP client configuration main group
  key to XXXXXXX
  DNS 75.75.75.75 75.75.76.76
  pool SDM_POOL_3
  Max-users 5
  netmask 255.255.255.0
  ISAKMP crypto ciscocp-ike-profile-1 profile
  main group identity match
  client authentication list ciscocp_vpn_xauth_ml_1
  ISAKMP authorization list ciscocp_vpn_group_ml_1
  client configuration address respond
  virtual-model 1
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  Profile of crypto ipsec CiscoCP_Profile1
  game of transformation-ESP-3DES-SHA
  set of isakmp - profile ciscocp-ike-profile-1
  !
  !
  Crypto ctcp port 64444
  Archives
  The config log
  hidekeys
  !
  !
  synwait-time of tcp IP 10
  property intellectual ssh time 60
  property intellectual ssh authentication-2 retries
  property intellectual ssh version 1
  !
  !
  !
  Null0 interface
  no ip unreachable
  !
  interface FastEthernet0
  !
  interface FastEthernet1
  !
  interface FastEthernet2
  !
  interface FastEthernet3
  !
  interface FastEthernet4
  Description $ETH - WAN$ $FW_OUTSIDE$
  address IP dhcp client id FastEthernet4
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  penetration of the IP stream
  NAT outside IP
  IP virtual-reassembly
  automatic duplex
  automatic speed
  !
  type of interface virtual-Template1 tunnel
  Description $FW_INSIDE$
  IP unnumbered FastEthernet4
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  penetration of the IP stream
  ipv4 ipsec tunnel mode
  Tunnel CiscoCP_Profile1 ipsec protection profile
  !
  interface Vlan1
  Description $FW_INSIDE$
  IP 10.10.10.1 255.255.255.0
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  penetration of the IP stream
  IP nat inside
  IP virtual-reassembly
  !
  local IP SDM_POOL_1 10.10.30.10 pool 10.10.30.15
  local IP SDM_POOL_2 10.10.10.80 pool 10.10.10.85
  local IP SDM_POOL_3 10.10.20.10 pool 10.10.20.15
  IP forward-Protocol ND
  IP route 0.0.0.0 0.0.0.0 permanent FastEthernet4
  IP http server
  access-class 2 IP http
  local IP http authentication
  no ip http secure server
  !
  !
  the IP nat inside source 1 list the interface FastEthernet4 overload
  !
  Note category of access list 1 = 2 CCP_ACL
  access-list 1 permit 10.10.5.0 0.0.0.255
  access-list 1 permit 10.10.10.0 0.0.0.255
  access-list 2 Note HTTP access class
  Note access-list category 2 CCP_ACL = 1
  access-list 2 allow 10.10.10.0 0.0.0.255
  access-list 2 refuse any
  not run cdp

  !
  !
  !
  !
  !
  control plan
  !
  connection of the banner ^ CThis is a private router and all access is controlled and connected. ^ C
  !
  Line con 0
  no activation of the modem
  telnet output transport
  line to 0
  telnet output transport
  line vty 0 4
  access-class 2
  entry ssh transport
  !
  max-task-time 5000 Planner
  Scheduler allocate 4000 1000
  Scheduler interval 500
  end

  Kernel #.

  Thanks for your help!

  Hi Joseph,.

  You need a configuration like this:

  customer pool: 10.10.20.0

  local networkbehind router: 10.10.10.0

  R (config) #ip - list extended access 101
  R (config-ext-nacl) 10.10.20.0 ip #deny 0.0.0.255 10.10.10.0 0.0.0.255
  R (config-ext-nacl) 10.10.20.0 ip #permit 0.0.0.255 any

  type of interface virtual-Template1 tunnel
  Description $FW_INSIDE$
  political IP VPN route map

  R (config) #ip - list extended access 103
  R (config-ext-nacl) #permit ip all 10.10.20.0 0.0.0.255

  R (config) #route - map allowed VPN 10
  Ip address of R #match (config-route-map) 101
  R (config-route-map) #set interface loopback1
  R (config) #route - map allowed VPN 20
  Ip address of R #match (config-route-map) 103
  R (config-route-map) #set interface loopback1

  You must now exonerated NAT for VPN traffic:

  ===================================

  R (config) #ip - 102 extended access list
  R #deny (config-ext-nacl) ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
  R (config-ext-nacl) 10.10.10.0 ip #permit 0.0.0.255 any
  R (config-ext-nacl) 10.10.20.0 ip #deny 0.0.0.255 10.10.10.0 0.0.0.255
  R (config-ext-nacl) 10.10.20.0 ip #permit 0.0.0.255 any

  overload of IP nat inside source list 102 interface FastEthernet4

  Let me know if this can help,

  See you soon,.

  Christian V

• How to block all traffic except vpn traffic and traffic bureau HQ

  Hello

  Someone please advise me how to block all traffic except inbound traffic through the VPN and traffic from the IP of the HQ Office.

  My router is 881/K9 Cisco router. Currently, I have blocked all IP addresses with the exception of the IP Office HQ using access-list on the brance office website.

  I put the IP list allowed according to IP location of the VPN user. But now the VPN user become more and more and thus be difficult to block the IPs based on their current location. Sometimes not possible to know their WAN ip address.

  Thanks in advance.

  Have you considered allowing the IPSEC IP Protocol, TCP port, intellectual property all UDP ports and then by blocking all other traffic?

• Tunnel of RV042 V3 that routes all traffic to the VPN

  Hi all

  I use Cisco Linksys RV-042 with V2 hardware to set up a VPN tunnel that route all traffic to the remote gateway (a Cisco ASA 5510). This configuration works very well, and I can access the local router and other resources to the central site.

  I'm doing the same thing with Cisco RV042 with version V3 of the material, but I can't access the local router until the VPN breaks down. I can ' ping, SNMP the local router, or access but I can access the central site. Very strange.

  Do you know what can I do to access the router local (for example, hardware V2) with connected VPN?

  Thank you

  Rafael

  Just a hunch, but in the remote network you agree with what the network and subnet?

  I've seen this symptom before.

  LAN on the RV series.

  10.10.2.0 255.255.255.0

  Trust remote networks

  10.10.1.0 255.255.248.0

  It is traffic destined to the router on the 10.10.2.1 ip address is through the tunnel forward. So, for this purpose, you can only access the router LAN interface when the tunnel is out of service. I'm not sure why ping works but it does. I'm looking into this symptom on a different device, but the device has a similar graphical interface.

  I would like to know if you have a similar setup.

  Cisco Small Business Support Center

  Randy Manthey

  CCNA, CCNA - security

• How to send all traffic through the VPN, RV082 material v3

  Hello

  I found this guide to send all traffic to RV042 branch to the RV082 of central office:

  https://supportforums.Cisco.com/servlet/JiveServlet/downloadBody/10261-102-1-22927/Small_Business_router_tunnel_Branch_to_Main.doc

  But this guide is for the material of v2. I tried and did not work, so I wonder if there are new modules for hardware v3 (firmware v4.2)

  I have a RV042 brach office connected through the VPN Tunnel work to a central office RV082. I want to route all traffic

  Office of brach in the RV082 from the central office.

  Thank you very much

  Oliver

  Hi Oliver, this is called esp wildcard forwarding (full tunnel).

  Here are a few useful topics

  https://supportforums.Cisco.com/message/3766661

  https://supportforums.Cisco.com/message/3816181

  -Tom
  Please mark replied messages useful

• route all traffic through wrt openVpn 1900ac Server

  Hi all

  I have been on this issue for a while now and I did not see any thread here who could help me

  so, if this has been asked before I'm sorry...

  so my question are as follows:

  1 is it still possible to route all traffic to my (and get my public ip address of router) when it is connected to its virtual private network?

  2. If possible, please explain how.

  3. If is not possible with the can firmware OEM I use others supporting it?

  Thank you very much in advance

  Liran

  The firmware Linksys OpenVPN solution allows access to your network resources, but there is no Internet connection.

  Instead, you need to use OpenWRT firmware:

  http://wiki.OpenWrt.org/Toh/Linksys/wrt1900ac

• How to apply internet traffic in VPN tunnel users

  Hello

  Perhaps it is a simple matter to most of you, but it confuses me right now.

  Here's my situation:

  home - internet - ASA 5510 users - CORP LAN

  We have remote Ipsec VPN and anyconnect VPN, I think that the solution must work on two of them.

  My question is: "how to apply internet traffic user home to the VPN tunnel?

  We have "split tunnel" to only"'interesting traffic' VPN tunnel access LAN CORP.

  but now I need apply all traffic (internet + CORP LAN) user through VPN tunnel passes.

  so far, I did what I know:

  1. remove the "split tunnle" group policy

  2. the address in "remote user VPN address pool" are perhaps NAT/PAT travers ASA5510

  but I don't get why it doesn't work.

  all suggestions are appreciate!

  Thank you!

  A few things to configure:

  (1) Split tunnel policy to be passed under split in tunnelall tunnel

  (2) configure NAT on the external interface to PAT to the same global address.

  (3) configure "allowed same-security-traffic intra-interface" so that the tunnel VPN for Internet traffic can make a u-turn.

  Please share the current configuration if the foregoing still does not solve the problem. Thank you.

• WRVS4400N will not route all traffic on IPsec

  All my remote sites use various routers to route all their traffic via IPsec.  However, I have a WRVS4400N w/firmware configured 2.0.2.1 with a tunnel of work.  My problem is that I need to define the Group of remote 0.0.0.0 0.0.0.0 so all traffic is forced through the IPsec tunnel and not on the local gateway.  When I make the mistake, Remote Security Group and Local security group cannot be in the same network. However, it works with Cisco/Linksys RV042.

  Any ideas?  Attached are the screenshots of each.

  Transmission of wildcard ESP isn't a feature support, therefore not documented in the product documentation. If you need a wifi router that supports this feature, you can see the series Cisco ISR, which is base IOS.

• Port forwarding in vmware workstation 9 (how to transfer all traffic to a virtual machine)

  You are looking for here: Advanced Configuration of NAT

  I can see how to redirect ports via in a particular host vmware NAT service, but my question is how can I transfer ALL traffic to a host? I found no info on how to do that.

  Is there any way I can forward all traffic incoming on a virtual machine?

  The syntax is = : and as such it is singular in all references, so I don't know of a way around it.

• routing of traffic between vpn tunnels

  Hello

  I have a scenario like that.

  There are two branch office vpn tunnels to the headquarters. I want to load balance the traffic on this two links using EIGRP.

  in this way, another branch offic is also connected to the head office. now, I want to ensure the communication between two branch of the office through seat over these vpn tunnels.

  Concerning

  skrao

  Hello

  Here is a great link that describes a similar setup to yours:

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml

  Good reading and after return if there is anything that you are not clear.

  PLS, don't forget to rate messages.

  Paresh

• Try to route all ipsec traffic

  Hello

  Can anyone help me please with config below. I am trying to route all traffic (web browsing) by the router.

  For now I can connect to the vpn and browse the network, but users cannot resolve web pages (page loading without end). If I activate split tunnel web browsing works but not what I'm used to.

  LAN pool 192.168.10.0/24

  local pool 192.168.20.0/24

  I assume it has something with ACL and NAT, but I can't understand that.

  Config is attached.

  Thank you.

  I think your config should work.

  The router which model is it and what version of software you are running?

• Send all traffic through the vpn tunnel

  Does anyone know how to send all traffic through the tunnel vpn on both sides?  I have a server EZVpn on one side and one EZVpn client on the other.  I'm not natting on each side.  I use the value default 'tunnelall' for the attributes of group policy.  On the client side all traffic, even if not intended for the subnet of the side server, seems to pass through the tunnel.  But if I ping the side server, the same rules don't seem to apply.  Traffic destined for rates aside customer through the tunnel, but the traffic that is not pumped on the external interface in the clear.  That's not cool.

  Hello

  Clinet traffic to server through tunnel, that's right, right?

  Traffic from server to client through tunnel, but the rest of the traffic is not, no?

  This works as expected because in ezvpn, politics of "tunnel all ' is for traffic is coming from the client., do not leave the server.

  Side server, customer traffic will pass through tunnel, the rest used.

  Sian

• Default route inside the tunnel VPN Site to site

  We want to carry the default traffic within the site to site VPN tunnel, our goal is to route all traffic including default branch road and HO HO help branch for surfing the internet.

  I have due to difficulties

  1. cannot configure dynamic NAT for the router in the branch on the ASA HO, I know configuration for 8.2, but know not about 8.4

  This is the configuration for the 8.2, if someone can translate to 8.4, which would be a great help

  NAT (outside) 1 192.168.230.0

  2. I do not know how to write the default route on the branch office router to send all traffic within the VPN tunnel

  Hello

  As I understand it then you want to route ALL traffic from the Remote Site to the Central Site and manage Internet traffic there.

  I suppose you could define "interesting traffic" in configuring VPN L2L ACL / access-list in the following way

  Branch router

  extended IP access list

  allow an ip

  ASA central

  ip access list allow one

  The idea behind the type of ACL for the VPN L2L above configurations is that, for example, the branch office router has a rule that sets connection coming from the local LAN for 'any' destination address must be sent to the VPN L2L connection. So, it would be in such a way that all the traffic will be sent to the Central Site via VPN L2L.

  I must say however, that the VPN router configurations side are not more familiar to me because I manage especially with ASA Firewall (and to some extent still PIX and FWSMs)

  I guess that on the ASA Central you will PAT translation to "outside" so that the host can access the Internet?

  You would probably do something like this

  object-group network to REMOTE-SITE-PAT-SOURCE

  network-object

  interface of REMOTE-SITE-PAT-SOURCE dynamic NAT (outside, outside) after auto source

  If you don't want to use the 'outside' IP address, then you will have to create a 'network of object' for address IP of PAT and use it in the line of NAT configuration above instead of "interface".

  Alternate configuration might be

  network of the REMOTE-SITE-PAT object

  subnet

  dynamic NAT interface (outdoors, outdoor)

  You also need to enable

  permit same-security-traffic intra-interface

  To allow traffic to enter and exit the same interface on the ASA

  All these answers are naturally suggestion on what you have to do. I don't know what kind of configurations you have right now.

  Hope this helps in some way

  -Jouni

  Post edited by: Jouni Forss

• RV180 VPN route all internet traffic via IPSec VPN

  Hello

  I install my RV180 to VPN to our headquarters Fortigate 60 C. It works really well

  My only problem is that I don't know how to move internet traffic on our remote site by Headquarters. We want to use this technique so that all sites have the same web content filtering provided by our main Fortigate unit. I see clearly that all traffic destined to our internal network will go trough the VPN tunnel, but internet traffic will go through our modem at the remote site.

  My way of fortigate thinking said that I need a static route to transfer all traffic through the VPN tunnel. I've read elsewhere that I need to set up some sort of ACL.

  Anyone else has any ideas on this / has anyone successfully implemented somehting similar?

  Hi Jared,

  I don't think that RV180 takes complete care of tunneling. Complete tunneling allows you to all your traffic to VPN. RV180 made only split tunneling.

  Thank you

  Vijay

  Sent by Cisco Support technique iPad App

• How to put all through traffic the easy vpn client VPN server

  Hi people

  I want to ask you, how to put all of the server the easy vpn client VPN traffic through.

  I mean, I have a server vpn at home, and if I connect to the vpn from outside server, to be with an IP address of my home.

  There is the configuration up to now. Where is the problem?

  ROUTER1 #sh running-config

  Building configuration...

  Current configuration: 5744 bytes

  !

  ! Last configuration change at 19:51:18 UTC Wed Sep 4 2013 by cska

  !

  version 15.1

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  no password encryption service

  !

  ROUTER1 hostname

  !

  boot-start-marker

  usbflash0:CVO boot-BOOT Setup. CFG

  boot-end-marker

  !

  !

  !

  AAA new-model

  !

  !

  AAA authentication login ciscocp_vpn_xauth_ml_1 local

  AAA authorization ciscocp_vpn_group_ml_1 LAN

  !

  !

  !

  !

  !

  AAA - the id of the joint session

  !

  Service-module wlan-ap 0 autonomous bootimage

  Crypto pki token removal timeout default 0

  !

  Crypto pki trustpoint TP-self-signed-1604488384

  enrollment selfsigned

  name of the object cn = IOS - Self - signed - certificate - 1604488384

  revocation checking no

  !

  !

  TP-self-signed-1604488384 crypto pki certificate chain

  certificate self-signed 01

  3082022B 30820194 02020101 300 D 0609 2A 864886 F70D0101 04050030 A0030201

  2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30

  69666963 31363034 34383833 6174652D 3834301E 170 3133 30383239 31313539

  32395A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D

  4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 36303434 65642D

  38383338 3430819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101

  8100CD 57 F1436ED2 8D9E8B99 B6A76D45 FE56716D D99765A9 1722937C F5603F9F

  528E27AF 87A24C3D 276FBA1C A5E7C580 CE99748E 39458C 74 862C 2870 16E29F75

  7A7930E1 15FA5644 D7ECF257 BF46C470 A3A17AEB 7AB56194 68BFB803 144B7B10

  D3722BDD D1FD5E99 8068B77D A1703059 9F0578C7 F7473811 0421490D 627F25C5

  4 HAS 250203 010001A 3 53305130 1 130101 FF040530 030101FF 301F0603 0F060355

  551 2304 18301680 141B 1326 C111DF7F 9F4ED888 EFE2999A 4C50CDD8 06 12301

  03551D0E 04160414 1B1326C1 11DF7F9F 4ED888EF E2999A4C 50CDD812 300 D 0609

  2A 864886 04050003 81810096 BD0C2B16 799DB6EE E2C9B7C4 72FEAAAE F70D0101

  FF87465C FB7C5248 CFA08E68 522EA08A 4B18BF15 488D D53D9A43 CB400B54 8006

  CB21BDFB AA27DA9C C79310B6 BC594A7E D6EDF81D 0DB7D2C1 9EF7251B 19A 75403

  211B1E6B 840FE226 48656E9F 67DB4A93 CE75045B A986F0AD 691EE188 7FB86D3F

  E43934FA 3D62EC90 8F37590B 618B0C

  quit smoking

  IP source-route

  !

  !

  !

  !

  CISCO dhcp IP pool

  import all

  network 192.168.1.0 255.255.255.0

  DNS-server 195.34.133.21 212.186.211.21

  default router 192.168.1.1

  !

  !

  IP cef

  No ipv6 cef

  !

  Authenticated MultiLink bundle-name Panel

  license udi pid CISCO892W-AGN-E-K9 sn FCZ1530C209

  !

  !

  username privilege 15 secret 5 cska $1$ $8j6G 2sMHqIxJX8MQU6vpr75gp1

  !

  !

  !

  !

  !

  !

  crypto ISAKMP policy 1

  BA 3des

  preshared authentication

  Group 2

  !

  Configuration group customer isakmp crypto VPNGR

  vpngroup key

  DNS 212.186.211.21 195.34.133.21

  WINS 8.8.8.8

  domain chello.at

  pool SDM_POOL_1

  ACL 120

  netmask 255.255.255.0

  ISAKMP crypto ciscocp-ike-profile-1 profile

  match of group identity VPNGR

  client authentication list ciscocp_vpn_xauth_ml_1

  ISAKMP authorization list ciscocp_vpn_group_ml_1

  client configuration address respond

  virtual-model 1

  !

  !

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  !

  Profile of crypto ipsec CiscoCP_Profile1

  security association idle time 86400 value

  game of transformation-ESP-3DES-SHA

  set of isakmp - profile ciscocp-ike-profile-1

  !

  !

  Bridge IRB

  !

  !

  !

  !

  interface Loopback0

  192.168.4.1 IP address 255.255.255.0

  IP nat inside

  IP virtual-reassembly in

  !

  interface BRI0

  no ip address

  encapsulation hdlc

  Shutdown

  Multidrop ISDN endpoint

  !

  interface FastEthernet0

  !

  interface FastEthernet1

  !

  interface FastEthernet2

  !

  interface FastEthernet3

  !

  interface FastEthernet4

  !

  interface FastEthernet5

  !

  FastEthernet6 interface

  !

  interface FastEthernet7

  !

  interface FastEthernet8

  no ip address

  Shutdown

  automatic duplex

  automatic speed

  !

  type of interface virtual-Template1 tunnel

  IP unnumbered Loopback0

  ipv4 ipsec tunnel mode

  Tunnel CiscoCP_Profile1 ipsec protection profile

  !

  interface GigabitEthernet0

  Description Internet

  0023.5a03.b6a5 Mac address

  customer_id GigabitEthernet0 dhcp IP address

  NAT outside IP

  IP virtual-reassembly in

  automatic duplex

  automatic speed

  !

  wlan-ap0 interface

  description of the Service interface module to manage the embedded AP

  192.168.9.2 IP address 255.255.255.0

  ARP timeout 0

  !

  interface GigabitEthernet0 Wlan

  Description interface connecting to the AP the switch embedded internal

  !

  interface Vlan1

  no ip address

  Bridge-Group 1

  Bridge-Group 1 covering-disabled people

  !

  interface BVI1

  IP 192.168.1.1 255.255.255.0

  IP nat inside

  IP virtual-reassembly in

  !

  local IP SDM_POOL_1 192.168.4.3 pool 192.168.4.245

  IP forward-Protocol ND

  !

  !

  IP http server

  local IP http authentication

  IP http secure server

  overload of IP nat inside source list 110 interface GigabitEthernet0

  IP nat inside source static tcp 192.168.1.5 3389 interface GigabitEthernet0 3389

  IP nat inside source static udp 192.168.1.5 3389 interface GigabitEthernet0 3389

  IP nat inside source static tcp 192.168.1.5 21 interface GigabitEthernet0 21

  IP nat inside source static udp 192.168.1.5 21 interface GigabitEthernet0 21

  IP nat inside source static tcp 192.168.1.4 3389 interface GigabitEthernet0 3390

  IP nat inside source static udp 192.168.1.4 3389 interface GigabitEthernet0 3390

  overload of IP nat inside source list 120 interface GigabitEthernet0

  IP route 0.0.0.0 0.0.0.0 dhcp

  !

  exploitation forest esm config

  access list 101 ip allow a whole

  access-list 110 permit ip 192.168.1.0 0.0.0.255 any

  access list 111 permit tcp any any eq 3389

  access-list 120 allow ip 192.168.4.0 0.0.0.255 any

  !

  !

  !

  !

  !

  !

  !

  control plan

  !

  Bridge Protocol ieee 1

  1 channel ip bridge

  !

  Line con 0

  line 2

  no activation-character

  No exec

  preferred no transport

  transport of entry all

  transport output pad rlogin udptn ssh telnet

  line to 0

  line vty 0 4

  privilege level 15

  preferred transport ssh

  entry ssh transport

  transportation out all

  !

  Thanks in advance

  To do this you must make the following changes:

  (1) disable split Tunneling by deleting the ACL of your configuration of the client group.
  (2) enable NAT for VPN traffic by adding 'ip nat inside' to your virtual model of the client network to the ACL that controls your PAT.

  Edit: Theses are the changes to your config (also with a little cleaning):

  Configuration group customer isakmp crypto VPNGR

  No 120 LCD

  !

  type of interface virtual-Template1 tunnel

  IP nat inside

  !

  no nat ip inside the source list 120 interface GigabitEthernet0 overload

  !

  access-list 110 permit ip 192.168.4.0 0.0.0.255 any

  no access-list 120 allow ip 192.168.4.0 0.0.0.255 any

  Sent by Cisco Support technique iPad App