I have a remote client VPN set up on an IOS FW. I want to force users to access the internet via the tunnel (not split tunnel). They connect via VPN fine and can access the internal LAN, but any traffic to the public internet dies at the router. I'm wondering if this is a NAT issue. Can anybody offer a suggestion? Below is a partial example config:
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key mypreshare
 dns 10.1.1.33
 wins 10.1.1.33
 domain my.domain
 pool IPpool
!
crypto map OutboundMap client authentication list userauthen
crypto map OutboundMap isakmp authorization list groupauthor
crypto map OutboundMap client configuration address respond
!
crypto map OutboundMap 80 ipsec-isakmp dynamic vpndynmap
!
interface Serial0/0
 description T1
 bandwidth 1024
 no ip address
 no ip redirects
 encapsulation frame-relay IETF
 no ip route-cache
 no ip mroute-cache
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description FULL T1
 ip address 61.48.11.70 255.255.255.252
 no ip route-cache
 no ip mroute-cache
 no arp frame-relay
 no cdp enable
 frame-relay interface-dlci 100
 crypto map OutboundMap
!
interface FastEthernet0/1
 encapsulation dot1Q 2
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 no ip route-cache
 no ip mroute-cache
 no cdp enable
!
ip route 0.0.0.0 0.0.0.0 61.48.11.71
ip local pool IPpool 192.168.254.1 192.168.254.254