How to create a U-Turn on a Cisco IOS Router for a Cisco VPN Client

Today I faced the problem to create a U-Turn on a IOS router for Cisco VPN Clients.
The Red line is the internet traffic which is going to be used over the Cisco VPN client and the blue line is the normal internal LAN traffic.

Well no I know how to do it and it seems pretty easy to do. But if you struggle with the configuration and you doesn’t know. Here a sample configuration how to create a U-Turn config.
Basic Cisco VPN Client configuration
aaa authentication login CVPN local
!
crypto logging session
crypto logging ezvpn
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 15
!
crypto isakmp client configuration group <GROUPNAME>
key <Pre-Shared-Key>
dns <Internal DNS Server>
domain <domainname>
pool ILP_CVPN
save-password (optional)
crypto isakmp profile CIP_CVPN_<Company_name>
match identity group <GROUPNAME>
client authentication list CVPN
isakmp authorization list CVPN
client configuration address respond
!
crypto ipsec transform-set CIT_CVPN esp-3des esp-sha-hmac
!
crypto dynamic-map CDM_CVPN 10
set transform-set CIT_CVPN
set isakmp-profile CIP_CVPN_<Company_name>
reverse-route
!
!
crypto map CMP_CVPN 65535 ipsec-isakmp dynamic CDM_CVPN
Create a new Loopback address:
interface Loopback20
ip address 10.2.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
Place on the WAN interface the Crypto map
interface GigabitEthernet0/1
crypto map CMP_CVPN
ip local pool ILP_CVPN 192.168.254.100 192.168.254.200
ip route 192.168.254.0 255.255.255.0 <Gateway interface> permanent
ip nat inside source route-map RMP_GE01_OVERLOAD interface GigabitEthernet0/1 overload
ip access-list extended ACL_GE01_OVERLOAD
remark IPSec Rule
permit ip 192.168.254.0 0.0.0.255 any
route-map RMP_GE01_OVERLOAD permit 10
match ip address ACL_GE01_OVERLOAD
What you need to do is to enable the U-turn action in the Router for this traffic to be NATed. Based on the configuration, these are the commands you will need to enter:
Add a new Access-List
ip access-list extended VPN-NAT-list
permit ip 192.168.254.0 0.0.0.255 any
Add a new Route-Map
route-map VPN-NAT permit 10
match address VPN-NAT-list
set ip next-hop 10.2.0.2
Place on the WAN interface a Policy map
interface GigabitEthernet0/1
ip policy route-map VPN-NAT
Now you have to test your Cisco VPN Client. ( Check before you do this test http://www.myipaddress.com or likeable to see what your own external IP address is ). After you connected with the Cisco VPN client you have to do the same check again. To see that the IP has changed into the external IP address of the office you connect to.

12 thoughts on “How to create a U-Turn on a Cisco IOS Router for a Cisco VPN Client”

    1. Yes, it’s possible to make a VPN connection from inside. Sometimes I use it for testing purposes. To see if my crypto map is correct. How ever to test traffic you have to use a different area that’s not in the same network as your internal LAN.
      However it’s not useful to do it as you connect to your own network I guess, if you want to use it for production operations.

    1. VPN Client has an IP in the range 192.168.254.x in my setup.
      The outbound IP address of the connected device could be like 10.0.1.x
      The inside IP address is not really used only the DNS for the lookup for websites etc.
      My picture is indeed not complete with IP addresses. How ever I put in my sample configuration the where you could place your own subnet.

    1. Tim, what i just saw is that you added the a ip policy routemap on the wrong interface
      interface ATM0.1 point-to-point
      ip policy route-map VPN-Client
      this shouldn’t be on the ATM0.1 just on the Dialer interface
      just give it a try..

  1. What is the purpose of the Route map to change next-hop to a non-existant gateway? Does that allow you to source the packet as if it was coming inbound on the Loopback interface and thus it qualified for outbound NAT?

    1. It’s for the packet that shouldn’t be filters by the NAT rule if it’s going to a VPN interface.
      The client uses the vpn device as their default gateway so they access always via the same interface to outside as the users which are working internally in the office.

  2. Awesome tutorial! I’ve been working to setup something like this for a while.
    I am just trying to figure out the static route, what do you mean by ? is it the WAN? is it the Loopback? The inside Interface?
    Thanks!

    1. the loopback address is not the WAN interface. You use the loopback interface to re-route the data from and to the client which is coming from the internet.
      Normally you put the policy on the internal interface only. But in the case you set it on the wan interface and you don’t do split tunneling for the clients ( like in this blog post ). this is why you use the extra loopback interface.
      I hope this clears up your question. If not just ask me more.

  3. hi, what is the gateway interface for ip route? its not clear from where you get 192.168.254.0 network, is it different interface?

    1. That will be the firewall. it process all traffic through the firewall/router on the main site. if you need to access certain netwerks then you need to change the nat rules on your device.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.