Internet on Dot11Radio, VPN on Vlan - Internet not working

OliverDarvall (Level 1)

I have a Cisco 857W router that I would like to setup as follows:

- All wireless clients should have internet access only

- All wired clients should have VPN access only

The wired/VPN side of things is working fine. A wired client can access the VPN and all seems to work.

My problem is on the wireless side. Wireless clients connect successfully and receive a DHCP address. Name resolution also seems to work, as I can ping www.google.com (for instance) and it resolves to an IP address. That, though, is where things stop, and no internet browsing works beyond that.

Please have a look and see if you spot the (I think obvious) problem ....

"show ip nat trans" does show translations:

start#sho ip nat trans
Pro Inside global          Inside local         Outside local           Outside global
udp 196.209.34.158:16403   10.0.0.21:16403      17.173.254.222:16384    17.173.254.222:16384
udp 196.209.34.158:16403   10.0.0.21:16403      17.173.254.222:16385    17.173.254.222:16385
udp 196.209.34.158:16403   10.0.0.21:16403      17.173.254.223:16386    17.173.254.223:16386
tcp 196.209.34.158:51901   10.0.0.21:51901      173.194.41.80:443       173.194.41.80:443
tcp 196.209.34.158:51902   10.0.0.21:51902      173.194.41.80:443       173.194.41.80:443
tcp 196.209.34.158:51903   10.0.0.21:51903      173.194.41.80:443       173.194.41.80:443
tcp 196.209.34.158:51904   10.0.0.21:51904      173.194.41.80:443       173.194.41.80:443
tcp 196.209.34.158:51905   10.0.0.21:51905      173.194.41.69:443       173.194.41.69:443
tcp 196.209.34.158:51906   10.0.0.21:51906      173.194.34.178:443      173.194.34.178:443

Also my route table looks ok (to me):

start#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 196.209.34.1 to network 0.0.0.0

     196.209.34.0/32 is subnetted, 2 subnets
C       196.209.34.1 is directly connected, Dialer0
C       196.209.34.158 is directly connected, Dialer0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Dot11Radio0
     41.0.0.0/32 is subnetted, 1 subnets
S       41.165.4.154 [1/0] via 196.209.34.1
S*   0.0.0.0/0 [1/0] via 196.209.34.1
               [1/0] via 0.0.0.0, Virtual-Access2
S    192.168.0.0/16 [1/0] via 0.0.0.0, Virtual-Access2

And my config as attached.

Even if I remove ACL 102 from Dialer0 it still does not work. So I suspect it is not ACL related ...
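An added example, not code from this thread or from Cisco: a short Python script that parses the `show ip route` output quoted in the post and reports how many paths the default route has and which of them leave through a tunnel interface. The sample input is the post's own route table, embedded as a constructed string; the rule that an interface named `Virtual-Access...` or `Tunnel...` marks a VPN path is the script's assumption. On this table it finds two equal-cost entries for 0.0.0.0/0, one via 196.209.34.1 on Dialer0 and one via Virtual-Access2. With `ip cef` enabled, IOS load-shares equal-cost paths per destination, so a share of internet-bound flows would be forwarded into the EzVPN tunnel rather than out of Dialer0, which is consistent with some sites working and most not.

```python
"""Parse Cisco IOS 'show ip route' output and flag a multipath default route.

Added example, not code from the thread. The sample below is the route table
posted above, embedded here as a constructed string.
"""
import re
from dataclasses import dataclass, field

SAMPLE_SHOW_IP_ROUTE = """\
Gateway of last resort is 196.209.34.1 to network 0.0.0.0
     196.209.34.0/32 is subnetted, 2 subnets
C       196.209.34.1 is directly connected, Dialer0
C       196.209.34.158 is directly connected, Dialer0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Dot11Radio0
     41.0.0.0/32 is subnetted, 1 subnets
S       41.165.4.154 [1/0] via 196.209.34.1
S*   0.0.0.0/0 [1/0] via 196.209.34.1
               [1/0] via 0.0.0.0, Virtual-Access2
S    192.168.0.0/16 [1/0] via 0.0.0.0, Virtual-Access2
"""

# A route entry: route code, destination, then a next hop or "directly connected".
ROUTE_LINE = re.compile(r"^(?P<code>[A-Za-z]{1,2}\*?)\s+(?P<prefix>[\d.]+(?:/\d+)?)\s+(?P<rest>.*)$")
# "x.x.x.x/NN is subnetted" announces the mask for the classless entries that follow it.
SUBNETTED = re.compile(r"^\s+[\d.]+/(?P<plen>\d+) is subnetted")
NEXT_HOP = re.compile(r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>[\d.]+)(?:,\s*(?P<iface>\S+))?")
CONNECTED = re.compile(r"is directly connected,\s*(?P<iface>\S+)")
# Assumption (not from the page): these interface-name prefixes mark tunnel (VPN) paths.
TUNNEL_IFACES = ("Virtual-Access", "Tunnel")


@dataclass
class Path:
    via: str        # next-hop address, "" for connected routes
    iface: str      # egress interface, "" when IOS prints only a next hop
    ad: int = 0
    metric: int = 0


@dataclass
class Route:
    code: str
    prefix: str
    paths: list = field(default_factory=list)


def parse_path(text):
    """Return a Path from the tail of a route line or a continuation line, else None."""
    m = NEXT_HOP.search(text)
    if m:
        return Path(m["via"], m["iface"] or "", int(m["ad"]), int(m["metric"]))
    m = CONNECTED.search(text)
    if m:
        return Path("", m["iface"])
    return None


def parse_routes(text):
    """Map each prefix to a Route, collecting every path listed under it."""
    routes, current, plen = {}, None, None
    for line in text.splitlines():
        m = SUBNETTED.match(line)
        if m:
            plen = m["plen"]
            continue
        m = ROUTE_LINE.match(line)
        if m:
            prefix = m["prefix"]
            if "/" not in prefix and plen is not None:
                prefix = f"{prefix}/{plen}"
            current = routes.setdefault(prefix, Route(m["code"], prefix))
            path = parse_path(m["rest"])
            if path:
                current.paths.append(path)
            continue
        # Indented "[ad/metric] via ..." lines are extra paths of the previous entry.
        if current is not None and line[:1].isspace():
            path = parse_path(line)
            if path:
                current.paths.append(path)
    return routes


def diagnose(text):
    """Summarise the default route: how many paths, and which go into a tunnel."""
    routes = parse_routes(text)
    default = routes.get("0.0.0.0/0")
    paths = default.paths if default else []
    return {
        "default_path_count": len(paths),
        "multipath_default": len(paths) > 1,
        "tunnel_default_ifaces": [p.iface for p in paths if p.iface.startswith(TUNNEL_IFACES)],
    }


if __name__ == "__main__":
    for prefix, route in parse_routes(SAMPLE_SHOW_IP_ROUTE).items():
        print(route.code, prefix, [(p.via, p.iface) for p in route.paths])
    print(diagnose(SAMPLE_SHOW_IP_ROUTE))
```

Run it against a captured `show ip route` from any IOS box; a `multipath_default` of `True` with a tunnel interface in `tunnel_default_ifaces` is the condition to look for when a split-tunnel VPN client seems to swallow internet traffic.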

17 Replies

blau grana (Level 7)

Hello Oliver,

Can you confirm that you can reach the internet?

#ping 8.8.8.8

Verify that DNS works:

#ping www.google.com

Try replacing the DNS server 10.0.0.2 in the DHCP configuration with Google DNS 8.8.8.8.

Best Regards

Please rate all helpful posts and close solved questions


From Router:

Pinging any website resolves to an IP address. Also I can ping 8.8.8.8. So my internet is working.

From Wireless PC:

Pinging also resolves to an IP and I can ping 8.8.8.8. However, I cannot browse the internet.

It will probably be a problem with the MTU.

Try this test from your router:

podhorany-024#ping
Protocol [ip]:
Target IP address: 8.8.8.8
Repeat count [5]: 1
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]: y
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: v
Loose, Strict, Record, Timestamp, Verbose[V]:
Sweep range of sizes [n]: y
Sweep min size [36]: 1400
Sweep max size [18024]: 1500
Sweep interval [1]:

What was the last successful packet size?

Best Regards

Please rate all helpful posts and close solved questions


Last successful size was 1492.

For what it was worth, I dropped the MTU to 1452 and the MSS to 1412; it made no difference, unfortunately.

This one has me stumped now. Everything looks and seems right, I just can't browse the net.

Now it is getting interesting. I tried to browse to www.microsoft.com, which failed, but then my browser converted it into a search and google actually returned search results for microsoft.com.

I then tested a few other sites. I can access google.com and test.com, but almost no other sites. My Win7 PC suddenly showed that it had an internet connection for about two minutes, then it disappeared again and it is now a "Local only" connection again.

Weird ...

Hello

Try:

Saving your config and reload the router

Turning off the software firewall on the PC?

Regards

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.



As another test I removed the outside crypto from the Dialer0 interface and the browsing started working immediately. So it seems that when the VPN is up that perhaps the internet traffic gets sent over the VPN link as well (sometimes). But I have split tunneling, or is there perhaps a problem with that config on ACL 100 ?

Hi,

can you post your entire config along with the details.

Regards

Alain

Don't forget to rate helpful posts.


Can you also verify the MTU size from the LAN (wireless PC).

- Did you try another PC? Maybe the problem is with the PC.

- Try connecting your PC/laptop directly instead of the Cisco router and see if the problem is still there.

I am not sure what else you can try.

Best Regards

Please rate all helpful posts and close solved questions


Hi,

you should set your MTU to 1492 and your MSS to 1452.

Regards

Alain

Don't forget to rate helpful posts.


I reverted to MTU 1492 and MSS 1452 and it made no difference.

Here is my crypto:

crypto ipsec client ezvpn VPN
 connect auto
 group (details)
 mode network-extension
 peer (details)
 acl 100
 virtual-interface 1
 username (details)
 xauth userid mode local
And my whole config:

!
version 12.4
no service pad
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
!
hostname start
!
boot-start-marker
boot-end-marker
!
logging buffered 65535
!
no aaa new-model
clock timezone ZAT 2
!
!
no dot11 syslog
!
dot11 ssid START
   authentication open
   guest-mode
!
ip dhcp excluded-address 192.168.41.1 192.168.41.19
ip dhcp excluded-address 10.0.0.1 10.0.0.19
!
ip dhcp pool SMS_VPN_Pool
   network 192.168.41.0 255.255.255.0
   domain-name (details)
   dns-server 192.168.1.200 192.168.1.201
   option 150 ip 192.168.1.15
   default-router 192.168.41.1
!
ip dhcp pool SMS_IP_Pool
   network 10.0.0.0 255.255.255.0
   dns-server 10.0.0.2
   default-router 10.0.0.2
!
!
ip cef
ip ddns update method SMS_DynDNS
 HTTP
  add (details)/nic/update?hostname=&myip=
 interval maximum 0 0 15 0
!
!
!
!
username (details)
!
crypto isakmp key (details)
crypto isakmp invalid-spi-recovery
!
!
!
!
!
crypto ipsec client ezvpn SMS_VPN
 connect auto
 group (details)
 mode network-extension
 peer (details)
 acl 100
 virtual-interface 1
 username (details)
 xauth userid mode local
!
!
archive
 log config
  hidekeys
!
!
no ip ftp passive
ip ftp source-interface Vlan1
ip tftp source-interface Vlan1
!
ip tcp path-mtu-discovery
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  oam-pvc 0
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 no ip address
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
!
interface Dot11Radio0
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 !
 encryption key 1 size 40bit 0 (details) transmit-key
 encryption mode wep mandatory
 !
 ssid START
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 world-mode dot11d country ZA indoor
!
interface Vlan1
 ip address 192.168.41.1 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn SMS_VPN inside
!
interface Dialer0
 ip ddns update hostname (details)
 ip ddns update SMS_DynDNS
 ip address negotiated
 ip access-group 101 out
 ip access-group 102 in
 ip mtu 1492
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 ppp (details)
 ppp ipcp dns request accept
 ppp ipcp route default
 crypto ipsec client ezvpn SMS_VPN
!
no ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
!
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
access-list 100 remark CCP_ACL Category=16
access-list 100 permit ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.255.255
!
access-list 101 remark DSL OUT
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip any any
!
access-list 102 remark DSL IN
access-list 102 remark CCP_ACL Category=1
access-list 102 permit esp any any
access-list 102 permit gre any any
access-list 102 permit udp any any eq isakmp
access-list 102 permit udp any any eq non500-isakmp
access-list 102 permit udp any any eq 10000
access-list 102 permit tcp any any eq 10000
access-list 102 permit icmp host 196.25.1.1 any
access-list 102 permit udp any eq domain any
access-list 102 permit tcp any eq domain any
access-list 102 permit tcp any eq www any
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any eq ftp-data any
access-list 102 permit tcp any eq ftp any
access-list 102 permit tcp any eq 69 any
access-list 102 permit udp any eq tftp any
access-list 102 permit tcp any eq 443 any
access-list 102 permit tcp any eq telnet any
access-list 102 permit tcp any any eq telnet
access-list 102 permit udp any eq ntp any eq ntp
access-list 102 permit tcp any range 11000 11025 any
access-list 102 permit tcp any any eq 8000
access-list 102 deny   ip any any log
!
access-list 103 remark VLAN IN
access-list 103 remark CCP_ACL Category=1
access-list 103 deny   ip any 10.0.0.0 0.0.0.255
access-list 103 deny   ip 10.0.0.0 0.0.0.255 any
access-list 103 permit ip any any
!
access-list 104 remark VLAN OUT
access-list 104 remark CCP_ACL Category=1
access-list 104 deny   ip any 10.0.0.0 0.0.0.255
access-list 104 deny   ip 10.0.0.0 0.0.0.255 any
access-list 104 permit ip any any
!
dialer-list 1 protocol ip permit
!
no cdp run
!
control-plane
!
line con 0
 exec-timeout 0 0
 no modem enable
 length 50
 speed 115200
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
sntp server 196.25.1.1
end
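An added example, not part of the thread and not a Cisco tool: a Python audit script that parses an IOS running config in the layout posted above and reports which numbered access lists are defined but attached nowhere (by `ip access-group`, `ip nat inside source list`, or an EzVPN `acl`), and which interfaces carry both the classic `ip nat inside`/`ip nat outside` keywords and NVI-style `ip nat enable`. The embedded config is a constructed, trimmed copy of the posted one, with the usual one-space IOS indentation and the redacted `(details)` lines left out. On it the script flags ACLs 103 and 104 (the "VLAN IN"/"VLAN OUT" lists) as unreferenced, since Vlan1 carries no `ip access-group`, and flags Dot11Radio0 and Dialer0 as mixing the two NAT styles, which is the `ip nat enable` the next reply suggests removing.

```python
"""Audit an IOS running config for unattached ACLs and mixed NAT modes.

Added example, not code from the thread or from Cisco. SAMPLE_CONFIG is a
constructed, trimmed copy of the posted config with normal IOS indentation.
"""
import re

SAMPLE_CONFIG = """\
interface Virtual-Template1 type tunnel
 no ip address
 ip virtual-reassembly
 tunnel mode ipsec ipv4
!
interface Dot11Radio0
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 ip nat enable
 ip tcp adjust-mss 1452
 !
 encryption mode wep mandatory
 ssid START
!
interface Vlan1
 ip address 192.168.41.1 255.255.255.0
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn SMS_VPN inside
!
interface Dialer0
 ip address negotiated
 ip access-group 101 out
 ip access-group 102 in
 ip mtu 1492
 ip nat outside
 ip nat enable
 encapsulation ppp
 crypto ipsec client ezvpn SMS_VPN
!
crypto ipsec client ezvpn SMS_VPN
 connect auto
 mode network-extension
 acl 100
 virtual-interface 1
!
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 permit ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
access-list 102 permit esp any any
access-list 102 permit udp any any eq isakmp
access-list 102 deny   ip any any log
access-list 103 deny   ip any 10.0.0.0 0.0.0.255
access-list 103 permit ip any any
access-list 104 deny   ip 10.0.0.0 0.0.0.255 any
access-list 104 permit ip any any
"""

ACL_DEF = re.compile(r"^access-list (\d+)\s")
ACL_GROUP = re.compile(r"^ip access-group (\d+) (in|out)$")
NAT_SOURCE = re.compile(r"^ip nat inside source list (\d+)\s")
EZVPN_ACL = re.compile(r"^acl (\d+)$")


def parse_blocks(text):
    """Split a config into top-level lines and {block header: [indented sub-commands]}.

    A block starts at a non-indented line and runs until the next one; '!' lines
    are comments (IOS prints them inside dot11 interfaces too), not terminators.
    """
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith("!"):
            continue
        if line[0].isspace():
            if current is not None:
                blocks[current].append(line.strip())
            continue
        current = line
        top.append(line)
        blocks.setdefault(current, [])
    return top, blocks


def audit(text):
    """Return ACL definitions/references and per-interface NAT roles for a config."""
    top, blocks = parse_blocks(text)
    defined = sorted({m[1] for m in map(ACL_DEF.match, top) if m}, key=int)
    refs = {}                       # ACL number -> list of places it is attached
    nat_inside, nat_outside, mixed = [], [], []
    for line in top:
        m = NAT_SOURCE.match(line)
        if m:
            refs.setdefault(m[1], []).append("ip nat inside source")
    for header, cmds in blocks.items():
        words = header.split()
        if words[0] == "interface":
            name = words[1]
            for cmd in cmds:
                m = ACL_GROUP.match(cmd)
                if m:
                    refs.setdefault(m[1], []).append(f"{name} {m[2]}")
            inside, outside = "ip nat inside" in cmds, "ip nat outside" in cmds
            if inside:
                nat_inside.append(name)
            if outside:
                nat_outside.append(name)
            # Classic inside/outside NAT and NVI-style 'ip nat enable' on one interface.
            if (inside or outside) and "ip nat enable" in cmds:
                mixed.append(name)
        elif header.startswith("crypto ipsec client ezvpn "):
            name = words[-1]
            for cmd in cmds:
                m = EZVPN_ACL.match(cmd)
                if m:
                    refs.setdefault(m[1], []).append(f"ezvpn {name} acl")
    return {
        "defined_acls": defined,
        "acl_refs": refs,
        "unreferenced_acls": [a for a in defined if a not in refs],
        "undefined_acls": sorted((a for a in refs if a not in defined), key=int),
        "nat_inside": nat_inside,
        "nat_outside": nat_outside,
        "mixed_nat_mode": mixed,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

The parser relies on IOS's own indentation to tell sub-commands from top-level lines, so feed it a `show running-config` capture rather than a copy that has lost its leading spaces. An unreferenced ACL is not an error by itself, but in this config the only thing meant to keep the 10.0.0.0/24 wireless side and the VPN side apart is ACL 103/104, and neither is doing anything.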

Delete "ip nat enable" from both the Dialer0 and Dot11Radio0 interfaces.

Best Regards

Please rate all helpful posts and close solved questions


I removed "ip nat enable", but made no difference.

Would a route map perhaps help here ?
