10-12-2007 12:46 PM - edited 03-09-2019 07:00 PM
I have an 837 (12.4) connected to a DSL provider. The assigned IP address is dynamic. I can access the router and the network behind the 837 with the VPN client. While connected with the VPN, I cannot view public hosts (browse the web). From what I can tell, my issue has to do with NAT. My assigned VPN address does not get overloaded with the inside addresses. Any suggestions on how to gain internet access while connected with the VPN client? I am not interested in split tunneling.
gwrtr#show running-config
version 12.4
hostname gwrtr
!
boot-start-marker
boot-end-marker
!
logging buffered 12000 debugging
enable secret 5 xxxxxx
!
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthorization local
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 172.31.255.250 172.31.255.254
!
ip dhcp pool primaryippool
 network 172.31.255.240 255.255.255.240
 default-router 172.31.255.254
 dns-server x.x.x.201 x.x.x.201 x.x.x.1
!
!
ip cef
ip domain name xxxxxx.com
ip name-server x.x.x.201
ip name-server x.x.x.201
!
username xxxxxx password 0 xxxxx
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxxxxx
 key xxxxxx
 dns x.x.x.201 x.x.x.201
 pool remoteippool
crypto isakmp profile VPNclient
 description VPN Client Profile
 match identity group xxxxxx
 client authentication list clientauth
 isakmp authorization list groupauthorization
 client configuration address respond
!
!
crypto ipsec transform-set sha3des esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set sha3des
 set isakmp-profile VPNclient
!
!
crypto map VPN 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
 ip address 172.31.255.254 255.255.255.240
 ip access-group eth0in in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 mtu 1300
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip inspect fwinout out
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname xxxxxx
 ppp chap password 0 xxxxxx
 ppp pap sent-username xxxxxx password 0 xxxxx
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map VPN
!
ip local pool remoteippool 172.31.255.236 172.31.255.239
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
ip nat inside source route-map publicpat interface Dialer1 overload
!
!
ip access-list extended eth0in
 permit ip 172.31.255.240 0.0.0.15 any
 permit ip 172.31.255.232 0.0.0.7 any
 permit ip host 0.0.0.0 host 255.255.255.255
 deny ip any any log
access-list 102 deny ip 172.31.255.240 0.0.0.15 172.31.255.236 0.0.0.3
access-list 102 deny ip 172.31.255.232 0.0.0.7 172.31.255.240 0.0.0.15
access-list 102 deny ip 172.31.255.236 0.0.0.3 172.31.255.240 0.0.0.15
access-list 102 permit ip 172.31.255.240 0.0.0.15 any
access-list 102 permit ip 172.31.255.236 0.0.0.3 any
access-list 102 permit ip 172.31.255.232 0.0.0.7 any
access-list 111 permit udp any any eq non500-isakmp
access-list 111 permit udp any any eq isakmp
access-list 111 permit esp any any
access-list 111 permit udp any any eq ntp
access-list 111 deny ip any any
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
access-list 172 permit ip 172.31.255.236 0.0.0.3 any
dialer-list 1 protocol ip permit
no cdp run
route-map publicpat permit 10
 match ip address 102
!
end
Thanks
10-16-2007 05:14 AM