Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1260
Views
0
Helpful
5
Replies

Internet only when vpn is up on cisco 877 router

Ga22at1709
Level 1
Level 1

‎09-13-2011 05:42 AM - edited ‎03-04-2019 01:35 PM

Firstly i hope this is in the right forum.

I have setup a cisco 877 router at our branch office and setup a vpn to our head office which works ok but the internet will only work if the vpn is on.

The vpn drops frequently at the moment so the branch office users are left without internet for a little while depending on how long it takes for the vpn to come back up which can take from a few seconds to a few hours.( another problem entirely).

I am assuming that i need split tunnelling which i thought i had setup but obviusly not.

I have attached the complete config of the router.

Could someone please have a look and see where i have gone wrong.

Many Thanks

Gareth

Labels:
Preview file
9 KB
0 Helpful
5 Replies 5

Edison Ortiz
Hall of Fame
Hall of Fame

‎09-13-2011 07:10 AM

You are doing split tunneling but the ACL configured on Dialer0 is blocking inbound internet traffic.

0 Helpful

Ga22at1709
Level 1
Level 1
In response to Edison Ortiz

‎09-13-2011 07:23 AM

I must have misunderstood the things i have read on the internet about blocking all inbound traffic from the internet.

I thought that when a session was initiated from the inside that a return path was automatically created.

Or do you mean i have blocked that aswell and if so can you tell me what i need to remove to allow it.

Thanks

Gareth

0 Helpful

Ga22at1709
Level 1
Level 1
In response to Edison Ortiz

‎09-13-2011 08:49 AM

Thanks for the help Edison

Sorry for being a bit thick but to make my access list reflexive, if i have understood what i have just read, all i have to do is add reflect (name) to the end of the items that are already there and then create another extended access-list to evaluate the inbound traffic.

Thanks again

Gareth

0 Helpful

Edison Ortiz
Hall of Fame
Hall of Fame
In response to Ga22at1709

‎09-13-2011 09:21 AM

Gareth,

This link explains the process better:

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_ip_filter_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1006390

Keep in mind, traffic originated from the router such as routing protocols, IPSec tunnel, etc - can't be evaluated so you need to allow that traffic outside the reflexive list. The link above indicates an example on how EIGRP is allowed along with the reflexive list.

Please remember to rate helpful posts.

Regards,

Edison

0 Helpful
Customers Also Viewed These Support Documents