Configuration Example
Document ID: 71462
Introduction
Prerequisites
Requirements
Components Used
Conventions
Configure
Network Diagram
Configurations
Verify
Troubleshoot
Troubleshooting Commands
Sample debug Output
NetPro Discussion Forums − Featured Conversations
Related Information
Introduction
This document provides a sample configuration for how to allow VPN users access to the Internet while
connected via an IPsec LAN-to-LAN (L2L) tunnel to another router. This configuration is achieved when
you enable split tunneling. Split tunneling allows the VPN users to access corporate resources via the IPsec
tunnel while still permitting access to the Internet.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on a Cisco 3640 Router with Cisco IOS® Software Release 12.4.
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands
used in this section.
Network Diagram
This document uses this network setup:
Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. They are
RFC 1918 addresses which have been used in a lab environment.
Configurations
This document uses these configurations:
• Router A
• Router B
Router A
RouterA#show running-config
Building configuration...
!--- Specify the pre-shared key and the remote peer address
!--- to match for the L2L tunnel.
interface Serial2/0
ip address 172.16.1.1 255.255.255.0
crypto map mymap
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
Router B
RouterB#show running-config
Building configuration...
!--- Specify the pre-shared key and the remote peer address
!--- to match for the L2L tunnel.
!
crypto map mymap 10 ipsec-isakmp
set peer 172.16.1.1
set transform-set myset
match address 100
!
!
!
!
interface Ethernet0
ip address 172.16.2.1 255.255.255.0
!
interface Ethernet1
ip address 10.0.0.2 255.255.255.0
crypto map mymap
!
interface Serial0
no ip address
shutdown
no fair-queue
!
interface Serial1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip http server
!
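Which traffic enters the tunnel and which goes straight to the Internet is decided by the crypto ACL that "match address" references in the crypto map. The Python check below is an added example, not part of the original Cisco document: it reads a running-config and reports a crypto map that is applied but not defined, a crypto ACL that is missing or that matches destination "any" (which removes the split), and an enabled cleartext HTTP server. The function names and finding texts are assumptions, only numbered "access-list N permit ip" entries are understood, and non-ASCII dashes (U+2212) are normalised first.

```python
import re

# Constructed from the Router B lines on this page; U+2212 dashes left in on purpose.
ROUTER_B = """crypto map mymap 10 ipsec−isakmp
set peer 172.16.1.1
set transform−set myset
match address 100
!
interface Ethernet1
crypto map mymap
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip http server
"""

def dest_is_any(entry):
    """True if the destination of an ACL entry (text after 'permit ip') is 'any'."""
    toks = entry.split()
    skip = 1 if toks and toks[0] == "any" else 2  # source: 'any' | 'host A' | 'A wildcard'
    return len(toks) > skip and toks[skip] == "any"

def audit(config):
    """Return a list of findings for one IOS running-config text."""
    text = config.replace("\u2212", "-").replace("\u2013", "-")  # IOS only accepts '-'
    maps, applied, acls, findings, ctx = {}, [], {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            ctx = ("map", m.group(1))
            maps.setdefault(m.group(1), [])
        elif m := re.fullmatch(r"interface (\S+)", line):
            ctx = ("if", m.group(1))
        elif line == "!":
            ctx = None
        elif ctx and ctx[0] == "map" and (m := re.fullmatch(r"match address (\S+)", line)):
            maps[ctx[1]].append(m.group(1))
        elif ctx and ctx[0] == "if" and (m := re.fullmatch(r"crypto map (\S+)", line)):
            applied.append((ctx[1], m.group(1)))
        elif m := re.fullmatch(r"access-list (\d+) permit ip (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif line == "ip http server":
            findings.append("cleartext HTTP management server is enabled")
    for iface, name in applied:
        if name not in maps:
            findings.append(f"{iface}: crypto map {name} applied but not defined")
        for acl in maps.get(name, []):
            if acl not in acls:
                findings.append(f"{iface}: crypto ACL {acl} not in this config; cannot tell what is tunnelled")
            elif any(dest_is_any(e) for e in acls[acl]):
                findings.append(f"{iface}: crypto ACL {acl} matches destination any; no split, all traffic is tunnelled")
    return findings
```

Run audit() on the full output of show running-config rather than on an excerpt, so that the access list referenced by the crypto map is included.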
Verify
This section provides information you can use to confirm your configuration is working properly.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to
view an analysis of show command output.
• show crypto ipsec sa: Shows the settings used by current Security Associations (SAs).
interface: Serial2/0
Crypto map tag: mymap, local addr 172.16.1.1
inbound ah sas:
outbound ah sas:
Troubleshoot
This section provides information you can use to troubleshoot your configuration. Sample debug output is
also shown.
Troubleshooting Commands
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to
view an analysis of show command output.
Note: Refer to Important Information on Debug Commands before you use debug commands.
All contents are Copyright © 2006-2007 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.