Internet access on LAN within VPN Setup

amh4y0001
Level 3

Hello All,

I have created a site-to-site VPN in the lab and everything is fine at the moment.

For the VPN, I have the following access list:

access-list 101 permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255

-----------------------------------------------------------------------------------------------------------------------------------

Now I want to enable Internet access on the router LAN (VLAN 1), which is connected to the LAN switch. I found the following information in this forum before but couldn't make it work; the VPN setup was also disturbed and I wasn't able to ping either.

int vlan 1
ip nat inside
----------------------------------------

int F4  <-- this connects to ISP
ip nat outside
exit

-------------------------------------------------
conf t  <--- global configuration mode
access-list 102 deny ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 101 interface F4 overload

-----------------------------------------------------------------------


12 Replies

Have you got your routing set up?

You need to set a default route out of F4,

then use a route map:

route-map nat permit 10
 match ip address 102

then

ip nat inside source route-map nat interface F4 overload

HTH

Richard

Hello and thanks for the reply.

I still have issues: when performing the NAT or routing setup, the VPN configuration did not work any more and I cannot ping Site B from Site A.

To get the complete picture of what is going on, please have a look at (1) the VPN setup alone and (2) the VPN setup with the NAT configuration.

Note: On Site A, from Server1 (192.168.10.10) I am able to surf the Internet but not from the LAN clients; I even checked with an IP address (in case it was a DNS problem) and that did not help either.
On the server, where I have Internet connectivity, the VPN configuration is compromised.

Could you please have a look at the attached configurations and see if something is strange in the configuration and setup?

Looks OK, except I always needed the no-xauth on the crypto isakmp command; I don't know if you still do.

"crypto isakmp key Cisco address xx.xy.xz.166 no-xauth"

On the NAT config,

do a

"no ip nat inside source list 101 interface FastEthernet4 overload"

HTH

Richard

 

Hello and thanks for the reply.

1. I don't have no-xauth currently on my VPN setup; I will do this.

"no ip nat inside source list 101 interface FastEthernet4 overload"

2. Shall I do this on FastEthernet4 or in global configuration mode?

"no ip nat inside source list 101 interface FastEthernet4 overload"

is a global command

 

Hello again and thanks for the reply.

1. crypto isakmp key Cisco address xx.xy.xz.166 no-xauth

2. no ip nat inside source list 101 interface FastEthernet4 overload

This has been configured as well, but I can't see it in the show running-config. Also, there is no network connectivity or link when I connect a client to the switch, and no Internet connectivity. It seems like traffic has been blocked.

Attached is the show running-config output.

 

Hi,

I can't see these commands in the config:

route-map nat permit 10
 match ip address 102

ip nat inside source route-map nat interface F4 overload

You need a NAT statement like the one above to get to the Internet and allow traffic for the VPN.

Also, for the VPN, how far are you getting with the establishment?

Do a

"debug crypto isakmp" command to see how far you are getting.

HTH

Richard

 

Thanks again for the reply.

I have re-configured the commands to reflect the changes you mentioned.

1. VPN setup OK (before, I wasn't able to ping Site A from Site B).

2. Internet is available only on the Site A server machine (192.168.10.10). I connected a client machine to the switch but Internet wasn't available.

* DNS forwarding is configured on Site A's DNS server (see attached screenshot).

* A screenshot of the client machine is also attached.

Hi,

Re clientnic.png: no IPv4 default gateway is set up; this will be your client problem.

Hello and thanks for the reply.

Yes, it was the default gateway; now I have Internet on the clients, thanks.

I am curious to understand the following commands that I have in my configuration.

VPN Setup:    access-list 101 permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255

The above statement instructs the router to allow traffic from Site A to Site B.

What do the following commands do then?

1: access-list 102 deny ip 172.16.10.0 0.0.0.255 192.168.10.0 0.0.0.255

 
2: access-list 102 permit ip 172.16.10.0 0.0.0.255 any
 
3: ip nat inside source route-map nat interface F4 overload
 
route-map nat permit 10
match ip address 102

VPN Setup:    access-list 101 permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255

The above statement instructs the router to allow traffic from Site A to Site B. < Yes

What do the following commands do then?

1: access-list 102 deny ip 172.16.10.0 0.0.0.255 192.168.10.0 0.0.0.255 > This is for NAT: you don't want NAT to take place for this traffic.

2: access-list 102 permit ip 172.16.10.0 0.0.0.255 any > You want to allow NAT for Internet access.

3: ip nat inside source route-map nat interface F4 overload > This is required for NAT to work.

route-map nat permit 10
 match ip address 102 > This matches the traffic you want to NAT.

regards

Richard
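Added example, not part of the thread or of anyone's posted configuration: a small Python model of how IOS handles an inside-to-outside packet, applying NAT first and only then the crypto map, built from the Site A ACL lines quoted above (crypto ACL 101, NAT ACL 102). It covers both Richard's first reply (the route-map on ACL 102) and the accepted answer. Assumptions: the F4 address is 203.0.113.5, the Internet destination 198.51.100.80 is a constructed test host, and "route-map nat" with its single "match ip address 102" is modelled simply as a lookup in ACL 102. It shows why the original "ip nat inside source list 101 ... overload" both hid the VPN traffic from the crypto map (the source was rewritten before the crypto ACL was checked) and left Internet-bound traffic untranslated, while the deny entry in ACL 102 exempts the site-to-site traffic from NAT and the permit entry translates everything else.

```python
import ipaddress
from dataclasses import dataclass

# Constructed Site A configuration, assembled from the ACL lines posted in the
# thread. 101 is the crypto (interesting-traffic) ACL; 102 is the NAT ACL that
# "route-map nat" matches. A Site B router would carry the mirrored entries
# with 172.16.10.0/24 as the source network.
SITE_A_CONFIG = """
access-list 101 permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 102 deny   ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
"""
F4_OUTSIDE_IP = "203.0.113.5"   # assumed address of "int F4" (PAT: interface F4 overload)


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus (network, wildcard) for src and dst."""
    action: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _addr(tok: list[str], i: int) -> tuple[int, int, int]:
    """Parse an IOS address spec starting at tok[i]; return (net, wildcard, next index)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def parse_acls(config: str) -> dict[int, list[Ace]]:
    """Parse numbered extended 'access-list N permit|deny ip SRC DST' lines."""
    acls: dict[int, list[Ace]] = {}
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] != "access-list":
            continue
        number, action, proto = int(tok[1]), tok[2], tok[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {raw.strip()}")
        src, src_wild, i = _addr(tok, 4)
        dst, dst_wild, _ = _addr(tok, i)
        acls.setdefault(number, []).append(Ace(action, src, src_wild, dst, dst_wild))
    return acls


def _wild_match(addr: int, net: int, wild: int) -> bool:
    # A wildcard bit set to 1 means "don't care", so mask those bits off both sides.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def acl_action(aces: list[Ace], src: int, dst: int) -> str:
    """First matching entry wins; IOS has an implicit deny at the end of every ACL."""
    for ace in aces:
        if _wild_match(src, ace.src, ace.src_wild) and _wild_match(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


def forward(config: str, nat_acl: int, crypto_acl: int, src: str, dst: str) -> dict:
    """Model an inside->outside packet on the Site A router.

    IOS translates inside-to-outside traffic (NAT) before it evaluates the crypto
    map, so the crypto ACL is checked against the post-NAT source address.
    """
    acls = parse_acls(config)
    s, d = _ip(src), _ip(dst)
    natted = acl_action(acls[nat_acl], s, d) == "permit"
    if natted:
        s = _ip(F4_OUTSIDE_IP)          # PAT overload rewrites the source to F4's address
    encrypted = acl_action(acls[crypto_acl], s, d) == "permit"
    return {
        "natted": natted,
        "encrypted": encrypted,
        "src_on_wire": str(ipaddress.IPv4Address(s)),
    }


def compare_setups() -> dict[str, dict[str, dict]]:
    """The OP's original 'list 101' NAT statement versus NAT driven by ACL 102."""
    flows = {"to_site_b": ("192.168.10.10", "172.16.10.10"),
             "to_internet": ("192.168.10.10", "198.51.100.80")}   # constructed destinations
    return {
        "nat_on_list_101": {name: forward(SITE_A_CONFIG, 101, 101, *f) for name, f in flows.items()},
        "nat_on_acl_102": {name: forward(SITE_A_CONFIG, 102, 101, *f) for name, f in flows.items()},
    }


if __name__ == "__main__":
    for setup, results in compare_setups().items():
        print(setup)
        for flow, r in results.items():
            print(f"  {flow:12s} natted={r['natted']!s:5s} encrypted={r['encrypted']!s:5s} "
                  f"src_on_wire={r['src_on_wire']}")
```

With "list 101" the LAN-to-Site-B packet is translated to 203.0.113.5 and then no longer matches the crypto ACL, so it leaves F4 in the clear towards an address the far end does not know; at the same time Internet-bound packets never match ACL 101 and leave with a private source, which the ISP drops. That is exactly the pair of symptoms described earlier in the thread (VPN down and no Internet). With ACL 102 driving NAT, the deny entry leaves the site-to-site traffic untranslated so ACL 101 still matches it, and only Internet traffic is translated.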

Thanks Richard, You have been really helpful.
