I. Overview:
In many deployments, for safety, the EZVPN server is not configured for split tunneling, so that a client cannot be connected to the company intranet and the Internet at the same time. But what if you want split tunneling and do not have permission to modify the device on the headquarters side? The following describes workarounds for the EZVPN hardware client and the EZVPN software client respectively.
Test topology reference: http://333234.blog.51cto.com/323234/1202965.
The EZVPN software client solution is in fact similar to the one above, but for the EZVPN software client the test of removing the default route did not succeed; for PPTP VPN and L2TP/IPsec VPN it is feasible.
II. EZVPN hardware client solution:
A. Why traffic cannot go directly to the public network:
Normally, so that the branch still has Internet access when there is no VPN connection to headquarters, the EZVPN hardware client is configured with NAT. Once the VPN is connected, however, traffic cannot go directly to the public network: a packet that enters through the interface configured with crypto ipsec client ezvpn Ezvpn inside and leaves through the interface configured with crypto ipsec client ezvpn Ezvpn outside is encrypted by the VPN. Both conditions must be met at the same time; otherwise the traffic is not encrypted. This is in fact similar to NAT, where only traffic that enters through an ip nat inside interface and leaves through an ip nat outside interface is translated.
So the solution is:
① First configure a loopback interface, assign it an IP address, and configure ip nat inside on it.
② On the EZVPN client's intranet interface apply a route-map: apart from traffic destined for the headquarters intranet, all other traffic is policy-routed to the loopback interface.
③ The loopback interface has only ip nat inside configured and no crypto ipsec client ezvpn Ezvpn, so traffic passing through it is not encrypted by the VPN.
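The three steps above as a worked configuration. This is an added example, not configuration from the original post: the interface names Ethernet0/0 (LAN) and Ethernet0/1 (WAN) and the EZVPN profile name Ezvpn are taken from this page, while the address ranges, the ACL name TO-HQ and the route-map name SPLIT-LOCAL are assumptions.

```cisco
! Added example, not from the original post. Assumed addressing:
! branch LAN 192.168.10.0/24 behind Ethernet0/0, headquarters intranet 10.0.0.0/8,
! EZVPN client profile named Ezvpn, WAN interface Ethernet0/1 already ip nat outside.
!
! Step 1: loopback with ip nat inside only (no crypto ipsec client ezvpn Ezvpn inside)
interface Loopback0
 ip address 172.31.255.1 255.255.255.252
 ip nat inside
!
! Traffic that must stay in the tunnel: branch LAN to the headquarters intranet
ip access-list extended TO-HQ
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
!
! Step 2: a deny clause means "do not policy-route", so HQ-bound traffic is
! forwarded normally and enters the EZVPN tunnel; everything else is forced
! through Loopback0, where it is NATed (step 3) but not encrypted
route-map SPLIT-LOCAL deny 10
 match ip address TO-HQ
route-map SPLIT-LOCAL permit 20
 set interface Loopback0
!
! Apply the policy on the intranet (EZVPN inside) interface
interface Ethernet0/0
 ip policy route-map SPLIT-LOCAL
```

Check with show route-map SPLIT-LOCAL (the policy routing matches counter) and show ip nat translations that Internet-bound packets are being policy-routed and translated while HQ-bound packets still show up as VPN-encrypted in show crypto ipsec sa.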
B. Configuration:
① The branch already has dynamic PAT configured:
interface Ethernet0/0
 ip nat inside
interface Ethernet0/1
 ip nat outside
ip access-list extended PAT
 permit ip any any
ip nat inside source list PAT interface Ethernet0/1 overload