topic issue with vpn and internet in Network Security

issue with vpn and internet

Sirajhussain — Tue, 12 Mar 2019 00:31:18 GMT

Cisco CISCO2911/K9

IOS: Version 15.0(1r)M15

Inventory:

1 DSL controller

3 Gigabit Ethernet interfaces

1 ATM interface

2 Virtual Private Network (VPN) Modules

1 cisco ISM Crypto Engine(s)

Its a simple configuration of a branch router connecting HO with VPN and the internet for the branch machines.

Problem:

Both internet and vpn stops working after 10 seconds after enabling VPN on dialer interface: crypto map VPN

interface ATM0/1/0

no ip address

no atm ilmi-keepalive

pvc 8/35

encapsulation aal5snap

pppoe-client dial-pool-number 1

interface Ethernet0/1/0

no ip address

shutdown

interface Dialer1

ip address negotiated

ip nat outside

ip nat enable

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

ppp authentication pap chap callin optional

ppp chap hostname XXXXXXXX

ppp chap password 7 XXXXXXXXXXXX

crypto map VPN (Both internet and VPN stop working in 10 sec after configuring this)

What could be done differently to fix this issue?

issue with vpn and internet

cadet alain — Mon, 03 Dec 2012 08:51:15 GMT

Hi,

post output of sh ip int br, sh crypto map, sh access-list, sh ip route and sh run | s nat

Regards.

Alain

Don't forget to rate helpful posts.

issue with vpn and internet

Sirajhussain — Mon, 03 Dec 2012 11:26:04 GMT

Hi Alain,

show ip int bri and sh run | s nat - will provide u later, meanwhile check this:

------------------ show ip nat translations ------------------

Pro Inside global Inside local Outside local Outside global

icmp 178.152.18.136:1 10.17.1.45:1 8.8.8.8:1 8.8.8.8:1

tcp 178.152.18.136:21291 10.17.1.45:21291 75.126.159.157:80 75.126.159.157:80

udp 178.152.18.136:52352 10.17.1.45:52352 8.8.8.8:53 8.8.8.8:53

udp 178.152.18.136:55794 10.17.1.45:55794 8.8.8.8:53 8.8.8.8:53

udp 178.152.18.136:58987 10.17.1.45:58987 8.8.8.8:53 8.8.8.8:53

udp 178.152.18.136:62341 10.17.1.45:62341 8.8.8.8:53 8.8.8.8:53

udp 178.152.18.136:64921 10.17.1.45:64921 8.8.8.8:53 8.8.8.8:53

------------------ show crypto map ------------------

Crypto Map IPv4 "VPN" 10 ipsec-isakmp

Peer = 78.100.40.130

Extended IP access list 101

access-list 101 permit ip 10.17.1.0 0.0.0.255 10.10.0.0 0.0.255.255

Current peer: 78.100.40.130

Security association lifetime: 4608000 kilobytes/3600 seconds

Responder-Only (Y/N): N

PFS (Y/N): N

Transform sets={

ASA-SET: { esp-3des esp-md5-hmac } ,

}

Interfaces using crypto map VPN:

Dialer1

------------------ show access-list ------------------

Extended IP access list 101

10 permit ip 10.17.1.0 0.0.0.255 10.10.0.0 0.0.255.255 (193 matches)

Extended IP access list 102

10 permit tcp 10.150.1.0 0.0.0.255 any eq pop3

20 permit tcp 10.150.1.0 0.0.0.255 any eq smtp

30 permit ip host 10.150.1.23 any

40 permit ip host 10.150.1.24 any

50 permit ip host 10.150.1.25 any

60 permit ip host 10.150.1.26 any

70 permit ip host 10.150.1.45 any

80 deny tcp 10.150.1.0 0.0.0.255 any eq www

90 permit ip any any (2625 matches)

Extended IP access list 110

10 deny ip 10.17.1.0 0.0.0.255 10.10.0.0 0.0.255.255 (797 matches)

20 permit ip any any (362 matches)

------------------ show crypto isakmp sa ------------------

IPv4 Crypto ISAKMP SA

dst src state conn-id status

78.100.40.130 178.152.18.136 MM_NO_STATE 0 ACTIVE

78.100.40.130 178.152.18.136 MM_NO_STATE 0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

------------------ show ip route ------------------

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S* 0.0.0.0/0 is directly connected, Dialer1

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 10.17.1.0/24 is directly connected, GigabitEthernet0/0

L 10.17.1.254/32 is directly connected, GigabitEthernet0/0

178.152.0.0/32 is subnetted, 2 subnets

C 178.152.16.1 is directly connected, Dialer1

C 178.152.18.136 is directly connected, Dialer1

issue with vpn and internet

cadet alain — Mon, 03 Dec 2012 13:03:15 GMT

Hi,

Is ACL 110 the NAT ACL ? if so can you remove line 20 and replace it :

ip access-list extended 110

no 20

20 permit ip 10.17.0.0 0.0.255.255 any

Waiting for feedback.

Regards.

Alain

Don't forget to rate helpful posts.

issue with vpn and internet

Sirajhussain — Mon, 03 Dec 2012 15:45:58 GMT

Dear Alain,

Thanks for your feedback however the issue is been fixed after degrading the Cisco IOS without doing any configuration change.

It is working with version 15.1.4M4 (MD)

Thanks once again for your time and support...!!

Regards,

Siraj