09-20-2012 05:46 AM - edited 03-04-2019 05:37 PM
I have a DSL connection from TE-Data through a 3Com modem at 2 sites, and I have 2 Cisco 1921 routers with a site-to-site VPN between them.
The VPN connection is working well, and I configured PAT on one of them to allow the users to access the internet, but there is a problem:
all users can ping any public IP
all users can ping any URL
but there is no browsing of the internet
This is the configuration:
NOZHA#sh run
Building configuration...

Current configuration : 2425 bytes
!
! Last configuration change at 11:24:08 UTC Thu Sep 20 2012
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NOZHA
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp pool 1
 network 192.168.40.0 255.255.255.0
 default-router 192.168.40.1
 dns-server 4.2.2.2 8.8.8.8
 lease infinite
!
ip domain name shady2012
!
multilink bundle-name authenticated
!
license udi pid CISCO1921/K9 sn FCZ1432C5KM
license boot module c1900 technology-package securityk9
!
redundancy
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key shady2012 address 81.10.xxx.yy
!
crypto ipsec transform-set shady2012 esp-aes esp-sha-hmac
!
crypto map s2s-VPN 150 ipsec-isakmp
 set peer 81.10.xxx.yy
 set pfs group2
 match address s2s-vpn-obour
!
interface GigabitEthernet0/0
 mtu 1000
 ip address 41.41.xx.yy 255.255.255.252
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map s2s-VPN
!
interface GigabitEthernet0/1
 ip address 192.168.40.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip default-gateway (41.41.xx.yy) next hop
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat source list mypool interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 41.41.xx.yy
ip route 192.168.20.0 255.255.255.0 (41.41.xx.yy) next hop
ip route 192.168.30.0 255.255.255.0 (41.41.xx.yy) next hop
!
ip access-list extended mypool
 deny ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip any any
ip access-list extended s2s-vpn-obour
 permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password
 login
!
scheduler allocate 20000 1000
end
If anyone has an answer, please reply ASAP.
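An added consistency check for the PAT-plus-IPsec combination in the post above (example code written for this page, not part of the original post or the reply): on IOS, inside-to-outside packets are translated by NAT before the crypto map is consulted, so every LAN-to-remote-LAN flow listed in the crypto ACL must hit a deny in the NAT ACL or it is translated to the outside address and never matches the tunnel. The script parses the two named ACLs from a constructed excerpt of the posted config and reports any crypto flow the NAT ACL would translate. Treating 192.168.40.0/24 as the local LAN follows the GigabitEthernet0/1 address; treating 192.168.21.0/24 as local as well is an assumption, since that prefix appears only in the ACLs. The check is about the ACLs only and does not diagnose the browsing problem.

```python
"""Check that the NAT ACL exempts every flow the crypto ACL selects.

On IOS, inside-to-outside packets are NAT-translated before the crypto map
is consulted, so a LAN-to-remote-LAN flow that the NAT ACL permits is
translated to the outside address and never matches the crypto ACL. The
usual guard is a 'deny' line in the NAT ACL for every crypto ACL entry.
"""
import ipaddress
import re

# Constructed excerpt of the posted configuration: only the two ACLs matter here.
POSTED_CONFIG = """\
ip access-list extended mypool
 deny ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip any any
ip access-list extended s2s-vpn-obour
 permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
"""

ACL_HEADER = re.compile(r"^ip access-list extended (\S+)\s*$")
ACE = re.compile(r"^\s+(permit|deny)\s+(\S+)\s+(.+)$")
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}


def _take_net(tokens):
    """Pop one address spec (any | host A.B.C.D | A.B.C.D WILDCARD) and return an IPv4Network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if first == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    # An IOS wildcard is the inverted netmask; invert it back so 0.0.0.0 means /32
    # and 255.255.255.255 means /0 (a non-contiguous wildcard raises ValueError).
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{first}/{netmask}", strict=False)


def _skip_port(tokens):
    """Drop a source-port qualifier such as 'eq 80' or 'range 1024 65535' if present."""
    if tokens and tokens[0] in PORT_OPS:
        del tokens[: 1 + PORT_OPS[tokens[0]]]


def parse_acls(config_text):
    """Return {acl_name: [(action, protocol, src_net, dst_net), ...]} for extended named ACLs."""
    acls, current = {}, None
    for line in config_text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = acls.setdefault(header.group(1), [])
            continue
        ace = ACE.match(line)
        if ace and current is not None:
            action, proto, rest = ace.groups()
            tokens = rest.split()
            src = _take_net(tokens)
            _skip_port(tokens)
            dst = _take_net(tokens)  # trailing options (ports, log) are ignored
            current.append((action, proto, src, dst))
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the ACL block
    return acls


def nat_exempt_gaps(config_text, nat_acl, crypto_acl, inside_cidrs):
    """List crypto ACL flows sourced from an inside network that the NAT ACL would translate.

    ACLs are first-match, so the first NAT entry overlapping a flow decides its fate;
    a flow hitting no entry falls to the implicit deny and is left untranslated.
    """
    acls = parse_acls(config_text)
    inside = [ipaddress.IPv4Network(c) for c in inside_cidrs]
    gaps = []
    for action, proto, src, dst in acls[crypto_acl]:
        if action != "permit" or not any(src.subnet_of(n) for n in inside):
            continue  # return-direction or non-local entries are not translated here
        verdict, full_cover = "deny", True
        for n_action, n_proto, n_src, n_dst in acls[nat_acl]:
            if n_proto not in ("ip", proto):
                continue
            if n_src.overlaps(src) and n_dst.overlaps(dst):
                verdict = n_action
                full_cover = src.subnet_of(n_src) and dst.subnet_of(n_dst)
                break
        if verdict == "permit":
            gaps.append(f"{src} -> {dst}: translated by {nat_acl}, will miss {crypto_acl}")
        elif not full_cover:
            gaps.append(f"{src} -> {dst}: only partly exempted by {nat_acl}")
    return gaps


if __name__ == "__main__":
    # 192.168.40.0/24 is the GigabitEthernet0/1 LAN; treating 192.168.21.0/24 as local
    # too is an assumption, it appears only in the ACLs of the posted config.
    inside_nets = ["192.168.40.0/24", "192.168.21.0/24"]
    for problem in nat_exempt_gaps(POSTED_CONFIG, "mypool", "s2s-vpn-obour", inside_nets) or ["no gaps"]:
        print(problem)
```

Against the ACLs as posted the script reports no gaps: each outbound crypto entry (40 to 30, 40 to 20, 21 to 20, 21 to 30) has a matching deny in mypool ahead of the permit any any. Removing any one of those deny lines makes the corresponding flow fall through to permit any any and the script flags it. The parser understands standard source and destination specs of extended named ACLs only, and the check says nothing about the interface MTU or the rest of the configuration.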
09-20-2012 06:56 AM
Duplicate. Answered in other post.