EzVPN in NEM + ACS

Hi!
I am about to set up a couple of branch office sites connected to the corporate network through Easy VPN Remote Access. I will be using a PIX 501 at the VPN client side and a VPN 3030 Concentrator at the server side.
My question is, can I use our Cisco Secure RADIUS server to set up GROUPS, or am I bound to use groups internally configured in the Concentrator?
Theoretically I believe I can, but I lack the "Allow Network Extension" check box when configuring groups in ACS, so I'm not sure.
The ACS software version is v3.0.
Thanks in advance.

Apparently the attribute has been lost sometime during the compilation of the ACS.
I received this answer from Pete Davis in an "Ask the Expert" thread in another forum here on Cisco:
psd - CISCO SYSTEMS
Jan 20, 2004, 12:12pm PST
Unfortunately this attribute seems to have been missed while compiling the list of available attributes. My suggestion would be to open a TAC case so that a bug can be filed against Cisco Secure ACS. Engineering can then work with your TAC engineer to help provide you with a fix.

Similar Messages

  • ASA 5505 + EZVPN Client

    Good day all,
    this is my network setup in one of our branch offices.
    LAN ---- inside(192.168.44.1) ASA outside(10.103.1.159) ---- ISP
    The ISP is doing NAT and gives us an IP via DHCP (PPPoE dial-in).
    Now we want to set up the branch ASA to act as EZVPN client.
    But when I add the config, for example this one:
    vpnclient server xxx.xxx.xxx.xxx
    vpnclient mode network-extension-mode
    vpnclient nem-st-autoconnect
    vpnclient vpngroup eznemgroup password eznemgrouppass
    vpnclient username eznemuser1 password eznemuser1pass
    vpnclient enable
    We lose Internet connectivity after the last command << vpnclient enable >>.
    The problem is that we can only configure the ASA remotely.
    Is this normal behaviour for the VPN client setup? I found nothing in the documentation.
    Thanks for your feedback!
    Brgds,
    Markus

    Hi Guys,
    still struggling with the EZVPN setup.
    This is instantaneous setup at the moment.
    LAN ---- inside-(192.168.44.1) ASA outside-(DHCP private IP) ---- (private IP)-ISP Router-(public IP)
    The ISP blocks UDP/500 and UDP/4500, so there is no way to set up a site-to-site VPN via IPsec.
    So we tried to set up the ASA 5505 as EZVPN client and configured it to use TCP over IPsec. But without success. I think the problem is the private IP on our outside interface. Has someone faced the same problem?
    Thanks Markus

  • ASA 5505 VPN with NEM

    Hi!
    I'm having trouble setting up two ASA 5505s with EzVPN. One is the head end and one is the client. Without NEM everything works fine. With NEM it connects but can't ping anything or use the split tunnel to access the Internet. See attached configs.
    With NEM enabled the head end gives the following error:
    No translation group found for icmp src outside:192.168.10.2 dst inside:192.168.1.201 (type 8, code 0)
    Any ideas?
    The public IP addresses and gateway are changed to 9's in the first three parts of the address.
    Thanks! /Bjorn

    Hello,
    Add this command to the head end side.
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
    This should fix your issue.
    Rate this post if it helps.
    Cheers,
    Gilbert

  • Cisco 871W eZVPN is unable to connect Cisco PIX vpn server

    crypto ipsec client ezvpn TEST
    connect auto
    group Cisco key cisco123
    mode client
    peer 172.1.1.1
    xauth userid mode interactive
    interface FastEthernet4
    ip address 10.1.1.1 255.255.255.0
    ip access-group 101 in
    ip nat outside
    crypto ipsec client ezvpn TEST
    interface Vlan1
    ip address 192.168.1.1 255.255.255.0
    ip access-group 100 out
    ip nat inside
    crypto ipsec client ezvpn TEST inside
    ip route 0.0.0.0 0.0.0.0 192.168.1.254
    ip nat inside source route-map EzVPN1 interface FastEthernet4 overload
    access-list 100 permit ip any any
    access-list 101 permit ip any any
    access-list 103 permit ip 192.168.1.0 0.0.0.255 any
    route-map EzVPN1 permit 1
    match ip address 103
    These are the commands I applied on my router. It is able to connect but unable to access any other servers. The same username and password work with the VPN dialer on my laptop. Is there anything I am missing in the router configuration? The VPN server is a Cisco PIX 515E.
    Cisco IOS on the 871W is 12.3(8)Y12

    1) Isn't your default route supposed to be pointing towards the external interface?
    ip route 0.0.0.0 0.0.0.0 192.168.1.254 ?
    2) Can you change 'mode client' to 'mode network-extension'? Also the PIX will need 'nem enable'.
    Have a look at the following (I'm assuming you already have as your config seems to be similar):
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml
    For old 6.x code on PIX, have a look at:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080241a0d.shtml
    Regards
    Farrukh

  • IOS EZVPN and VPN 3k using external groups

    Hi folks, I was trying to configure IOS Easy VPN with a VPN concentrator. I am using an external group which is configured on the ACS server. The configuration for IOS Easy VPN is:
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto ipsec client ezvpn ezvpn_cfg
    connect manual
    group ezvpn key ezvpn
    mode network-extension
    peer x.x.x.x
    interface FastEthernet0/0
    ip address x.x.x.x x.x.x.x
    crypto ipsec client ezvpn ezvpn_cfg inside
    interface Serial0/0
    no ip address
    encapsulation frame-relay
    interface Serial0/0.1 point-to-point
    ip address x.x.x.x x.x.x.x
    frame-relay interface-dlci 100
    crypto ipsec client ezvpn ezvpn_cfg
    I had configured the VPN concentrator with an external group eazyvpn.
    I had configured the ACS server with a user eazyvpn, password eazyvpn. The RADIUS attributes configured for this user are:
    [3076\012] CVPN3000-IPSec-Sec-Association
    ESP-3DES-MD5
    [3076\013] CVPN3000-IPSec-Authentication
    RADIUS
    [3076\016] CVPN3000-IPSec-Allow-Passwd-Store
    Allow
    [3076\027] CVPN3000-IPSec-Split-Tunnel-List
    split_tunnel_list
    [3076\030] CVPN3000-IPSec-Tunnel-Type
    Remote-Access
    [3076\031] CVPN3000-IPSec-Mode-Config
    On
    [3076\034] CVPN3000-IPSec-Over-UDP
    On
    [3076\055] CVPN3000-IPSec-Split-Tunneling-Policy
    Only tunnel networks in the list
    [3076\064] CVPN3000-Allow-Network-Extension-Mode
    Yes
    Now whenever I try to connect it says phase 2 failed; my quick mode is unsuccessful.
    The error which comes on the router is below:
    12:19:43: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer
    at 172.31.9.2
    ezvpn-router#show crypto ipsec client ezvpn
    Easy VPN Remote Phase: 2
    Tunnel name : ezvpn_cfg
    Inside interface list: FastEthernet0/0,
    Outside interface: Serial0/0.1
    Current State: SS_OPEN
    Last Event: SOCKET_READY
    Split Tunnel List: 1
    Address : 10.1.1.0
    Mask : 255.255.255.0
    Protocol : 0x0
    Source Port: 0
    Dest Port : 0
    Logs for the VPN concentrator are as follows:
    Group [ezvpn] User [cisco]
    PHASE 1 COMPLETED
    324 07/11/2007 22:36:23.980 SEV=5 IKE/35 RPT=6 x.x.x.x
    Group [ezvpn] User [cisco]
    Received remote IP Proxy Subnet data in ID Payload:
    Address x.x.x.x, Mask x.x.x.x Protocol 0, Port 0
    327 07/11/2007 22:36:23.980 SEV=5 IKE/34 RPT=10 x.x.x.x
    Group [ezvpn] User [cisco]
    Received local IP Proxy Subnet data in ID Payload:
    Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
    330 07/11/2007 22:36:23.980 SEV=5 IKE/66 RPT=10 172.31.235.93
    Group [ezvpn] User [cisco]
    IKE Remote Peer configured for SA: ESP-3DES-MD5
    331 07/11/2007 22:36:23.990 SEV=5 IKE/75 RPT=10 x.x.x.x
    Group [ezvpn] User [cisco]
    Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
    333 07/11/2007 22:36:41.650 SEV=4 IKEDBG/97 RPT=4 x.x.x.x
    Group [ezvpn] User [cisco]
    QM FSM error (P2 struct &0x35e5aa4, mess id 0x91292e44)!
    NOTE: the configuration works fine when I use CLIENT mode. It fails when I change to NEM.

    Refer to the document "Configuring the Cisco VPN 3000 Concentrator to a Cisco Router"
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009482e.shtml
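    The check box missing from ACS 3.0 in the first post of this page and the [3076\064] CVPN3000-Allow-Network-Extension-Mode = Yes line in the attribute list above are the same thing on the wire: a RADIUS Vendor-Specific attribute (type 26, RFC 2865) carrying vendor ID 3076 and vendor-type 64. The Python below is an added example, not code from the thread, from Cisco or from ACS. It encodes a group reply the way an external-group RADIUS server would, decodes it with length checks, and reports whether NEM is allowed. The vendor ID and vendor-type numbers are those printed in the attribute names above; the integer encodings (1 for Yes/On, 2 for Remote-Access), the split-tunnel list name and the function names are my assumptions and should be checked against your own ACS dictionary.

```python
"""Encode and decode the VPN 3000 RADIUS vendor-specific attributes (VSAs) that an
external Easy VPN group carries, including CVPN3000-Allow-Network-Extension-Mode.
Added example; vendor-type numbers come from the thread, value encodings are assumed."""
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for Vendor-Specific
VENDOR_CVPN3000 = 3076        # vendor ID shown as the [3076\NNN] prefix in the thread

# Vendor-type numbers from the ACS dictionary names listed in the thread.
# Integer encodings (1 = Yes/On, 2 = Remote-Access) are an assumption: confirm them
# against the ACS dictionary you actually run.
CVPN3000_IPSEC_SPLIT_TUNNEL_LIST = 27   # string: name of a network list on the concentrator
CVPN3000_IPSEC_TUNNEL_TYPE = 30         # integer: 2 = Remote-Access (assumed)
CVPN3000_IPSEC_MODE_CONFIG = 31         # integer: 1 = On (assumed)
CVPN3000_ALLOW_NEM = 64                 # integer: 0 = Disallow, 1 = Allow/Yes (assumed)


def encode_vsa(vendor_id, vendor_type, value):
    """One RFC 2865 Vendor-Specific attribute:
    type(1) length(1) vendor-id(4) vendor-type(1) vendor-length(1) value(...)."""
    if isinstance(value, int):
        payload = struct.pack("!I", value)      # RADIUS integers are 32-bit big-endian
    else:
        payload = value.encode("ascii")
    vendor_len = 2 + len(payload)
    body = struct.pack("!IBB", vendor_id, vendor_type, vendor_len) + payload
    length = 2 + len(body)
    if length > 255:
        raise ValueError("attribute exceeds the one-octet RADIUS length field")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, length) + body


def decode_attributes(blob):
    """Walk a concatenated attribute list. Returns (vendor_id, vendor_type, value_bytes)
    for each vendor sub-attribute and (None, type, value_bytes) for plain attributes.
    Every length field is checked before use, so a truncated or tampered reply raises
    instead of being silently mis-parsed."""
    found = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = blob[i], blob[i + 1]
        if attr_len < 2 or i + attr_len > len(blob):
            raise ValueError("bad attribute length")
        value = blob[i + 2:i + attr_len]
        if attr_type == RADIUS_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short for vendor id and sub-header")
            vendor_id = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):           # one VSA may carry several sub-attributes
                if j + 2 > len(value):
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("bad vendor sub-attribute length")
                found.append((vendor_id, vtype, value[j + 2:j + vlen]))
                j += vlen
        else:
            found.append((None, attr_type, value))
        i += attr_len
    return found


def allows_nem(attributes):
    """True only if the reply explicitly carries Allow-Network-Extension-Mode = 1.
    An absent attribute means False: a dictionary that cannot emit attribute 64 can
    never grant NEM, whatever the group's other settings say."""
    for vendor_id, vtype, value in attributes:
        if vendor_id == VENDOR_CVPN3000 and vtype == CVPN3000_ALLOW_NEM and len(value) == 4:
            return struct.unpack("!I", value)[0] == 1
    return False


def group_reply_attributes(allow_nem, split_list_name="split_tunnel_list"):
    """Attribute bytes of an Access-Accept describing an Easy VPN group, using the
    attribute names listed in the thread (values assumed, see above)."""
    attrs = [
        encode_vsa(VENDOR_CVPN3000, CVPN3000_IPSEC_TUNNEL_TYPE, 2),
        encode_vsa(VENDOR_CVPN3000, CVPN3000_IPSEC_MODE_CONFIG, 1),
        encode_vsa(VENDOR_CVPN3000, CVPN3000_IPSEC_SPLIT_TUNNEL_LIST, split_list_name),
    ]
    if allow_nem:
        attrs.append(encode_vsa(VENDOR_CVPN3000, CVPN3000_ALLOW_NEM, 1))
    return b"".join(attrs)


if __name__ == "__main__":
    reply = group_reply_attributes(allow_nem=True)
    print(reply.hex())
    print("NEM allowed:", allows_nem(decode_attributes(reply)))
```

    Running it as a script prints the reply in hex followed by "NEM allowed: True". The point it makes for both threads is that a group defined externally is only as complete as the RADIUS dictionary that emits it: if attribute 64 cannot be sent, `allows_nem` stays False for every reply, and a client in network-extension mode has nothing to grant it NEM, while client mode, which does not depend on the attribute, is unaffected.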

  • User and group mapping on IPSEC EZVPN.

    Hello,
    I set up an ASA 5520 VPN gateway for EzVPN. One ACS 4.2 server is used to authenticate the VPN users.
    There are 4 groups in the VPN configuration. Each group has a different group policy.
    Everything is working well.
    Now one more requirement has arisen:
    the users should be locked into their corresponding group; that means user A belongs to group A, so he can only use group A's profile.
    If he uses group B's profile, the authentication will fail, even though the group profiles are on the same ASA 5520 and the user information is correct in ACS.
    I'd like to solicit your advice on that feature: is there a way to do that?

    If I recall correctly, there is no inheritance of user and group rights in PT, at least not in 5.x. If you give some rights on a specific object/folder to a specific group, then it will be for that object only and none of its children.
    You do have a choice of propagating user rights down the ownership tree, however. I.e., if you select a community and set some rights for yourself, it will prompt you whether you want to propagate the same permissions down the chain to all of its children. If you say yes, it will replace permissions on all its children by creating copies. If you say no, you'll have to go and apply different permissions on each child individually.
    Ruslan.

  • Cisco ezvpn client

    Hi all,
    I configured a Cisco ASA 5520 as Cisco EzVPN server and a Cisco 891 as EzVPN client.
    The configuration is working fine. I am using client mode on the EzVPN client side.
    But my question is, is it possible to communicate with the EzVPN client side's internal IPs from the EzVPN server side?
    Is there any way to do it?
    And one more thing: what is the benefit of network extension mode on the client side, how does it work, and what changes need to be made on the server and client side?
    Thanks
    cyril

    Hi Jennifer,
    thanks for your reply,
    here is the clarification:
    my internal network on the server side is 10.10.10.0/24 and the remote side LAN is 10.10.11.0/24; the VPN DHCP pool is 10.222.10.0/24, and through this EzVPN client I am also accessing some of my hosts (192.168.10.0/24) in the data center using an MPLS link; that traffic is also passing through the tunnel.
    Right now I created the following:
    the no-NAT list
    no-nat permit 10.10.10.0 255.255.255.0 10.222.10.0 255.255.255.0
    no-nat permit 192.168.10.0 255.255.255.0 10.222.10.0 255.255.255.0
    and in the split tunnel list I mentioned
    access-list RemoteST_splitTunnelAcl standard permit host 10.10.10.12 --- internal LAN on EzVPN server side.
    access-list RemoteST_splitTunnelAcl standard permit host 192.168.10.224 -- data center host connected on server side using MPLS.
    allowing only these 2 hosts from the client. For this, what do I have to change for NEM mode?

  • ACS 5.3 Default Backup Password

    When doing a backup on any of the ACS 5.x appliances by default the backup is encrypted with PGP. What password is used for that? Is it configurable?

    It is not configurable and that information wasn't made public. However, when you restore, it should be able to decrypt it just fine.
    You can try opening a TAC case, but when I was in TAC I wasn't able to find that key either.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • iTunes is nice, but when it's syncing it's garbage; not even that, because my trash can lifts its lid faster than iTunes!

    iTunes is nice, but when it's syncing it's garbage, not even that, because my trash can lifts its lid faster than iTunes... ¬¬
    When you set it to sync, for example with an iPhone (any version), iTunes stops being a player and becomes a headache; besides being slow to sync, it keeps freezing, lagging, throwing errors and so on... (where is Apple's quality? I think it all went somewhere else, because iTunes... ugh)
    I've been using iTunes for more than 4 years and to this day they have never fixed this problem... why is that?
    Well, I don't know, but it made me use other programs instead of iTunes (e.g. iPhone PC Suite), which is 1,000,000x better!!! (seriously!)
    I only recommend iTunes to people who don't have Apple products, because anyone who does will know what I'm talking about...
    So there you have it, folks; if you liked it, comment, and if you didn't you can comment too; always leave your opinion.
    Hugs to all.

    iTunes is great as long as you don't need to format your computer... if you need to recover data, your torment begins. Apple should keep its entire hardware development team and fire everyone responsible for the software... so much complication for nothing. If you have an iPod, have more than one computer and wake up one day wanting to copy a CD on a computer other than the original one, the moment you plug the iPod into the other iTunes it starts erasing all your data or copying all your music to the other computer... man... what crap... isn't it just a matter of copying what's new to the iPod? They invent a lot of things that only make the user angry.

  • I installed iTunes 11.0.5.5 and lost all, ALL of my PDFs!!! I AM FURIOUS, MY STUDY BOOKS! EVERYTHING, EVERYTHING, some I no longer even have on my computer!

    I lost all my PDFs; the program made a backup on top of my old backup and deleted all the books I had, some of which I no longer even have. I AM FURIOUS! How can a company release a program like this, with flaws!!!
    It's a TOTAL absurdity! And to make it worse, now the program won't even accept putting items in the library to send to the iPad, and when it does send the book it keeps syncing automatically non-stop and doesn't send it to iBooks. I never thought that buying a product flagged as the BEST among all tablets would cause me a loss like this! I'm not talking about money but about the contents I had on it, which to me were irreplaceable!!! I won't buy this company's products any more!
    When the expensive one turns out even more expensive!
    Congratulations APPLE!

  • How to migrate multiple ACS database into one ACS database ?

    Hey All,
    we just purchased several companies and, as the IT/network department, we need to consolidate all the ACS from HQ and the purchased companies into one ACS. I read the Cisco docs, which mention that I can export the migration file from the old ACS and upload it into the new ACS server.
    But my concern is that we have multiple ACS servers; will the multiple ACS migration files overwrite each other during the upload into the new server?
    thanks

    Raghavender -
    I am not an expert on MySQL migration, but you would look to migrate the database to a local Oracle Database and then move that to your Database Cloud Service.  However, keep in mind that at this time you can only access the Database Cloud Service from outside the Cloud via RESTful Web Services, so you might have to modify the application that accesses the database.  Hope this helps.
    - Rick Greenwald

  • ACS any Version with Domain Controller on Windows Server 2008 R2 64bit

    Hi All
    Is there currently any ACS version working with Windows Server 2008 R2 domain controllers?
    Our server staff recently upgraded the domain controllers to 2008 R2 and turned off the 2003 servers. This didn't make our ACS 4.1.4 really happy.
    I've now read several posts regarding issues with ACS and Server 2008 R2 and hope to find a solution (besides switching to LDAP, yuck).
    Thanks
    pato

    Hi Pato,
    Just check out the link below; hope that helps.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
    As per the link, support for Windows Server 2008 applies from ACS 4.2 Patch 4 onwards.
    Hope to help!!
    Remember to rate the helpful post
    Ganesh.H

  • Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

    Issue with Cisco ACS 4.2: users are unable to log in to the AAA client, but after restarting group policy they are able to log in.

  • Can I obtain access token from ADFS 3.0 based on OAuth ACS-token that I already have?

    Hello!
    I have the following setup: iOS device, ACS/WAAD is IDP and ADFS 3.0 as RP, securing access to WIF web service.
    I want iOS application users to be able to access ADFS-protected web-service.
    I have created some users in WAAD, configured trust between ACS IDP and ADFS RP.
    ADFS is registered in WAAD with AppID = ADFSAppID
    I am doing the following request in order to obtain authorization token for iOS app user from ACS:
    const string issuerName = "[email protected]";
    const string issuerPassword = "Password!23";
    var authContext = new AuthenticationContext("https://login.windows.net/ADFSAppID");
    var uc = new UserCredential(issuerName, issuerPassword);
    var result = authContext.AcquireToken("http://adfs.appdomain.com/adfs/services/trust",
    "ADFSAppID",
    uc);
    _authHeader = result.CreateAuthorizationHeader();
    So, I have a token from ACS in JWT format.
    Now I need to present this token to ADFS in order to obtain a new token that I can use to access the web-service. I am trying the following POST-query:
    https://adfs.appdomain.com/adfs/oauth2/token?grant_type=authorization_code&code={0}&client_id=ADFSAppID&redirect_uri=http://web_service_url
    However, when I try accessing web service with that token, I am getting 403:unauthorized and redirected back to ADFS.
    I have already tried lots of code solutions, such as
    http://leastprivilege.com/2010/10/28/wif-adfs-2-and-wcfpart-6-chaining-multiple-token-services/
    http://www.cloudidentity.com/blog/2013/07/30/securing-a-web-api-with-windows-server-2012-r2-adfs-and-katana/
    http://blog.scottlogic.com/2015/03/09/OAUTH2-Authentication-with-ADFS-3.0.html
    But somehow the problem remains: I cannot get such authentication token from ADFS that it is accepted by my webservice as a valid token.
    Can anybody provide any links or code samples of token exchange between ACS and ADFS?

    Yes, it is. I was able to authenticate normally if I am using ADFS as IdP for the WIF RP.
    But when Azure is IdP for the ADFS-protected WIF WS, I am unable to get tokens that would be accepted by the WIF WS.

  • EZVPN public internet split tunnel with dialer interface

    I have a job where I need to be able to use EZVPN with split tunnel but still have access to an external server from the corporate network, as the external server will only accept connections from the corporate public IP address.
    So I have not only included the corporate class C in the interesting traffic but also the IP address of the external server.
    So all good so far; traffic for the corporate network goes down the tunnel as well as the IP address for the external server.
    Now comes the problem: I am trying to send the public IP traffic for the external server out of the corporate network into the public Internet, but it just drops and does not get back out the same interface into the Internet.
    I checked out this procedure and it did not help, as the route-map counters do not increase with my attempt to reach the external router.
    http://www.cisco.com/c/en/us/support/docs/security/vpn-client/71461-router-vpnclient-pi-stick.html
    And to just test the process, I removed the split tunnel and just have everything going down the tunnel so I can test with any web site. I also have a home server on the network that is reached, so I can definitely reach into the network at home, which is the test for the corporate network I am trying to reach.
    It's a Cisco 870 router and here is the config
    Router#sh run
    Building configuration...
    Current configuration : 4617 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    enable secret 5 *************************
    enable password *************************
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local 
    aaa authorization network ciscocp_vpn_group_ml_1 local 
    aaa session-id common
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 192.168.1.1
    ip dhcp excluded-address 192.168.1.2
    ip dhcp excluded-address 192.168.1.3
    ip dhcp excluded-address 192.168.1.4
    ip dhcp excluded-address 192.168.1.5
    ip dhcp excluded-address 192.168.1.6
    ip dhcp excluded-address 192.168.1.7
    ip dhcp excluded-address 192.168.1.8
    ip dhcp excluded-address 192.168.1.9
    ip dhcp excluded-address 192.168.1.111
    ip dhcp pool myDhcp
       network 192.168.1.0 255.255.255.0
       dns-server 139.130.4.4 
       default-router 192.168.1.1 
    ip cef
    ip inspect name myfw http
    ip inspect name myfw https
    ip inspect name myfw pop3
    ip inspect name myfw esmtp
    ip inspect name myfw imap
    ip inspect name myfw ssh
    ip inspect name myfw dns
    ip inspect name myfw ftp
    ip inspect name myfw icmp
    ip inspect name myfw h323
    ip inspect name myfw udp
    ip inspect name myfw realaudio
    ip inspect name myfw tftp
    ip inspect name myfw vdolive
    ip inspect name myfw streamworks
    ip inspect name myfw rcmd
    ip inspect name myfw isakmp
    ip inspect name myfw tcp
    ip name-server 139.130.4.4
    username ************************* privilege 15 password 0 *************************
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp client configuration group HomeFull
     key *************************
     dns 8.8.8.8 8.8.8.4
     pool SDM_POOL_1
     include-local-lan
     netmask 255.255.255.0
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group HomeFull
       client authentication list ciscocp_vpn_xauth_ml_1
       isakmp authorization list ciscocp_vpn_group_ml_1
       client configuration address respond
       virtual-template 3
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec profile CiscoCP_Profile1
     set security-association idle-time 1740
     set transform-set ESP-3DES-SHA 
     set isakmp-profile ciscocp-ike-profile-1
    crypto ctcp port 10000 
    archive
     log config
      hidekeys
    interface Loopback10
     ip address 10.0.0.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    interface ATM0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     no atm ilmi-keepalive
    interface ATM0.1 point-to-point
     description TimsInternet
     ip flow ingress
     ip policy route-map VPN-Client
     pvc 8/35 
      encapsulation aal5mux ppp dialer
      dialer pool-member 3
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Virtual-Template3 type tunnel
     ip unnumbered Dialer3
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile CiscoCP_Profile1
    interface Vlan1
     ip address 192.168.1.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip inspect myfw in
     ip nat inside
     ip virtual-reassembly
     no ip route-cache cef
     no ip route-cache
     ip tcp adjust-mss 1372
     no ip mroute-cache
     hold-queue 100 out
    interface Dialer0
     no ip address
    interface Dialer3
     ip address negotiated
     ip access-group blockall in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1492
     ip flow ingress
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     ip tcp header-compression
     ip policy route-map VPN-Client
     no ip mroute-cache
     dialer pool 3
     dialer-group 1
     no cdp enable
     ppp chap hostname *************************@direct.telstra.net
     ppp chap password 0 *************************
    ip local pool SDM_POOL_1 10.0.0.10 10.0.0.100
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer3
    ip http server
    ip http authentication local
    no ip http secure-server
    ip nat inside source list 101 interface Dialer3 overload
    ip access-list extended VPN-OUT
     permit ip 10.0.0.0 0.0.0.255 any
    ip access-list extended blockall
     remark CCP_ACL Category=17
     permit udp any any eq non500-isakmp
     permit udp any any eq isakmp
     permit esp any any
     permit ahp any any
     permit tcp any any eq 10000
     deny   ip any any
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    access-list 101 permit ip 10.0.0.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    route-map VPN-Client permit 10
     match ip address VPN-OUT
     set ip next-hop 10.0.0.2
    control-plane
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     password cisco
    scheduler max-task-time 5000
    end

    Thanks for the response.
    Not sure how that would help, as I can connect into the internal network just fine, but I want to hairpin back out the interface and surf the Internet from the VPN client. The policy route-map makes the L10 the next hop and it has NAT.
