04-04-2013 07:42 AM - edited 03-04-2019 07:29 PM
I have a Cisco 857W router that I would like to setup as follows:
- All wireless clients should have internet access only
- All wired clients should have VPN access only
The wired/VPN side of things is working fine. A wired client can access the VPN and all seems to work.
My problem is on the wireless side. Wireless clients connect successfully and receive a DHCP address. Name resolution also seems to work, as I can ping www.google.com (for instance) and it resolves to an IP address. That, though, is where things stop, and no internet browsing works beyond that.
Please have a look and see if you spot the (I think obvious) problem ...
"show ip nat trans" does show translations:
start#sho ip nat trans
Pro Inside global Inside local Outside local Outside global
udp 196.209.34.158:16403 10.0.0.21:16403 17.173.254.222:16384 17.173.254.222:16384
udp 196.209.34.158:16403 10.0.0.21:16403 17.173.254.222:16385 17.173.254.222:16385
udp 196.209.34.158:16403 10.0.0.21:16403 17.173.254.223:16386 17.173.254.223:16386
tcp 196.209.34.158:51901 10.0.0.21:51901 173.194.41.80:443 173.194.41.80:443
tcp 196.209.34.158:51902 10.0.0.21:51902 173.194.41.80:443 173.194.41.80:443
tcp 196.209.34.158:51903 10.0.0.21:51903 173.194.41.80:443 173.194.41.80:443
tcp 196.209.34.158:51904 10.0.0.21:51904 173.194.41.80:443 173.194.41.80:443
tcp 196.209.34.158:51905 10.0.0.21:51905 173.194.41.69:443 173.194.41.69:443
tcp 196.209.34.158:51906 10.0.0.21:51906 173.194.34.178:443 173.194.34.178:443
Also my route table looks ok (to me):
start#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 196.209.34.1 to network 0.0.0.0
196.209.34.0/32 is subnetted, 2 subnets
C 196.209.34.1 is directly connected, Dialer0
C 196.209.34.158 is directly connected, Dialer0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Dot11Radio0
41.0.0.0/32 is subnetted, 1 subnets
S 41.165.4.154 [1/0] via 196.209.34.1
S* 0.0.0.0/0 [1/0] via 196.209.34.1
[1/0] via 0.0.0.0, Virtual-Access2
S 192.168.0.0/16 [1/0] via 0.0.0.0, Virtual-Access2
And my config as attached.
Even if I remove ACL 102 from Dialer0 it still does not work. So I suspect it is not ACL related ...
04-05-2013 02:24 AM
Try adding this line to your ACL 102:
permit tcp any any established
Best Regards
Please rate all helpful posts and close solved questions
04-05-2013 03:57 AM
I got it working with route-maps. For some reason or other the initial connection to a page is slow, but once it starts loading it goes as normal. I suspect it is a DNS query that times out initially, perhaps going to the wrong destination.
Anyway, I created the following and applied the VPN_MAP to the Vlan1 interface and the INTERNET_MAP to the Dot11Radio0 interface. Everything seems to work so far. I still feel that my initial configuration just missed a magic config entry or two to make it work, but this will suffice.
access-list 103 remark INTERNET_OUT
access-list 103 permit ip 10.0.0.0 0.0.0.255 any
!
access-list 104 remark VPN_IN
access-list 104 permit ip 192.168.0.0 0.0.255.255 192.168.41.0 0.0.0.255
access-list 104 permit ip 40.0.0.0 0.255.255.255 192.168.41.0 0.0.0.255
access-list 104 permit ip 50.0.0.0 0.255.255.255 192.168.41.0 0.0.0.255
!
access-list 105 remark VPN_OUT
access-list 105 permit ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 105 permit ip 192.168.41.0 0.0.0.255 40.0.0.0 0.255.255.255
access-list 105 permit ip 192.168.41.0 0.0.0.255 50.0.0.0 0.255.255.255
!
route-map INTERNET_MAP permit 10
match ip address 103
set interface Dialer0
!
route-map INTERNET_MAP permit 20
set interface Dot11Radio0
!
route-map VPN_MAP permit 10
match ip address 104
set interface Vlan1
!
route-map VPN_MAP permit 20
match ip address 105
set ip next-hop 192.168.1.80
!
route-map VPN_MAP permit 30
set interface Null0
04-05-2013 04:12 AM
I had to make another change as the DHCP on the VLAN stopped working. I guess because the packets that did not match all those IP addresses were sent to Null0.
The new changes are as below. Although I do not specifically check the 'in' traffic now, there is still no 'cross-talk' from Dot11Radio0 to Vlan1 and so is fine I guess.
access-list 103 remark INTERNET_OUT
access-list 103 permit ip 10.0.0.0 0.0.0.255 any
!
access-list 104 remark VPN_OUT
access-list 104 permit ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 104 permit ip 192.168.41.0 0.0.0.255 40.0.0.0 0.255.255.255
access-list 104 permit ip 192.168.41.0 0.0.0.255 50.0.0.0 0.255.255.255
!
dialer-list 1 protocol ip permit
!
route-map INTERNET_MAP permit 10
match ip address 103
set interface Dialer0
!
route-map INTERNET_MAP permit 20
set interface Dot11Radio0
!
route-map VPN_MAP permit 10
match ip address 104
set ip next-hop 192.168.1.80
!
route-map VPN_MAP permit 20
set interface Vlan1
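The two VPN_MAP versions above differ only in what happens to traffic that matches none of the VPN access-lists: the first version sends it to Null0, the revised one leaves it on Vlan1. The following Python model is an added example, not from the thread and not Cisco's PBR implementation; it implements wildcard-mask matching and first-match route-map evaluation over constructed sample packets to show why a DHCP discover (source 0.0.0.0, destination 255.255.255.255) was swallowed by the Null0 catch-all, and why a wireless client still cannot reach the wired VLAN under INTERNET_MAP. It assumes, as the poster observed, that the catch-all sequence applies to the DHCP broadcast; real IOS treats locally addressed and transit packets differently, and this simplification does not model that.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # Cisco "any": every bit is don't-care


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: 0 bits in the wildcard must match, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class AclEntry:
    """One 'access-list N permit ip <src> <src-wc> <dst> <dst-wc>' line."""
    src: Tuple[str, str]
    dst: Tuple[str, str]


def acl_permits(entries: List[AclEntry], src: str, dst: str) -> bool:
    """Permit if any entry matches both addresses; no match means the implicit deny."""
    return any(wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst) for e in entries)


@dataclass
class RouteMapSeq:
    """One route-map sequence: its 'match ip address' ACL (None = no match clause, matches all)
    and the set action taken when it matches."""
    acl: Optional[List[AclEntry]]
    action: str


def policy_route(route_map: List[RouteMapSeq], src: str, dst: str) -> str:
    """Evaluate sequences in order; the first one whose ACL permits the packet wins.
    A packet matched by no sequence falls back to the routing table."""
    for seq in route_map:
        if seq.acl is None or acl_permits(seq.acl, src, dst):
            return seq.action
    return "routing table"


# Networks taken from the poster's access-lists.
WIRED = ("192.168.41.0", "0.0.0.255")  # Vlan1 clients
WIFI = ("10.0.0.0", "0.0.0.255")       # Dot11Radio0 clients
VPN_NETS = [("192.168.0.0", "0.0.255.255"),
            ("40.0.0.0", "0.255.255.255"),
            ("50.0.0.0", "0.255.255.255")]

ACL_103 = [AclEntry(WIFI, ANY)]                      # INTERNET_OUT
ACL_105 = [AclEntry(WIRED, n) for n in VPN_NETS]     # VPN_OUT (renumbered 104 in the revised post)
ACL_104_V1 = [AclEntry(n, WIRED) for n in VPN_NETS]  # VPN_IN (first post only)

INTERNET_MAP = [RouteMapSeq(ACL_103, "interface Dialer0"),
                RouteMapSeq(None, "interface Dot11Radio0")]

VPN_MAP_V1 = [RouteMapSeq(ACL_104_V1, "interface Vlan1"),
              RouteMapSeq(ACL_105, "next-hop 192.168.1.80"),
              RouteMapSeq(None, "interface Null0")]  # catch-all blackholes everything else

VPN_MAP_V2 = [RouteMapSeq(ACL_105, "next-hop 192.168.1.80"),
              RouteMapSeq(None, "interface Vlan1")]  # catch-all keeps traffic on the VLAN

# Constructed sample packets (not from the thread): (label, src, dst).
SAMPLES = [
    ("wired -> VPN host", "192.168.41.10", "192.168.5.5"),
    ("wired -> Internet", "192.168.41.10", "8.8.8.8"),
    ("wired DHCP discover", "0.0.0.0", "255.255.255.255"),
]


def compare_vpn_maps():
    """Return {label: (first-post action, revised-post action)} for each sample packet."""
    return {label: (policy_route(VPN_MAP_V1, s, d), policy_route(VPN_MAP_V2, s, d))
            for label, s, d in SAMPLES}


if __name__ == "__main__":
    for label, (v1, v2) in compare_vpn_maps().items():
        print(f"{label:22} first map: {v1:22} revised map: {v2}")
    print("wifi -> Internet:  ", policy_route(INTERNET_MAP, "10.0.0.21", "173.194.41.80"))
    print("wifi -> wired LAN: ", policy_route(INTERNET_MAP, "10.0.0.21", "192.168.41.10"))
```

Running it shows the wired VPN flow taking the 192.168.1.80 next hop under both maps, while the DHCP discover and any wired-to-Internet packet hit Null0 under the first map and stay on Vlan1 under the revised one. The wireless checks both resolve to Dialer0 because ACL 103 permits 10.0.0.0/24 to "any", which is why the poster sees no cross-talk from Dot11Radio0 into the VLAN even without an explicit deny.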