No internet access

malbalhaj
Level 1

Dears, I am facing a problem accessing the internet (web browsing) through the router. I have already established a VPN connection between this router and another site, and it is working fine (RDP, ping, everything). Here is my configuration:

hostname Router
no aaa new-model
!
ip nbar http-services
!
ip dhcp excluded-address 10.80.49.1 10.80.49.100
!
ip dhcp pool testdhcp
 network 10.80.49.0 255.255.255.0
 default-router 10.80.49.1
 dns-server 10.80.80.4
subscriber templating
!
multilink bundle-name authenticated
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
redundancy
 mode none
crypto isakmp policy 7
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key testkey address 212.12.13.2
!
crypto ipsec transform-set juniperset esp-3des esp-sha-hmac
 mode tunnel
!
crypto map testmap 7 ipsec-isakmp
 set peer 212.12.13.2
 set transform-set juniperset
 set pfs group2
 match address 115
interface GigabitEthernet0/0/0
 ip address 10.80.49.1 255.255.255.0
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address 192.168.8.99 255.255.255.0
 ip nat outside
 negotiation auto
 crypto map testmap
!
ip nat pool internet 10.80.49.1 10.80.49.254 netmask 255.255.255.0
ip nat inside source list 2 pool internet
ip forward-protocol nd
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.8.1
!
access-list 2 permit 10.80.49.0 0.0.0.255
access-list 115 permit ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255

Your help is appreciated.
2 Accepted Solutions


@malbalhaj wrote:

Hello,

 

the scenario for the connection is Cisco router 4221 connected to Huawai 4G router with DMZ enabled ip 192.168.8.99 with a static IP to be used to other side and my gateway is 192.168.8.1

through this setup i cant up the VPN tunnel successfully i can browse the internet but i cant reach any device on the other side or ping.

if i negate below then i can reach the other side but i cant browse the internet:

 

ip nat inside source list 101 interface GigabitEthernet0/0/1 overload

access-list 101 permit ip 10.80.49.0 0.0.0.255 any
access-list 101 deny ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255

 


Mate, the deny ip entry must be at the top of the access list, not at the bottom. As in your case the deny is underneath the permit statement; place it at the top.

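To make the ordering point concrete, here is an added Python model (not from the thread or from Cisco) of how IOS evaluates a numbered ACL first-match with the implicit deny, and of the inside-to-outside order of operations in which NAT rewrites the source before the crypto map inspects the packet. The ACLs and addresses are the ones posted in the thread, labelled as constructed input; the outside address 192.168.8.99 is the GigabitEthernet0/0/1 address from the config. The parser also refuses an extended ACE without a protocol keyword, which is the "missing ip" problem that comes up later in the thread.

```python
import ipaddress

# Constructed from the thread: the NAT exemption list in both orderings,
# the crypto ACL, and the outside interface address used by PAT overload.
NAT_ACL_WRONG_ORDER = [
    "access-list 101 permit ip 10.80.49.0 0.0.0.255 any",
    "access-list 101 deny ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255",
]
NAT_ACL_RIGHT_ORDER = [
    "access-list 101 deny ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "access-list 101 permit ip 10.80.49.0 0.0.0.255 any",
]
CRYPTO_ACL = [
    "access-list 115 permit ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255",
]
OUTSIDE_ADDR = "192.168.8.99"  # 'overload' rewrites inside sources to this


def _parse_addr(tok):
    """Consume one address spec ('any', 'host A', 'A WILDCARD', or a bare
    host address) and return ((network_int, wildcard_int), remaining_tokens)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (int(ipaddress.IPv4Address(tok[1])), 0), tok[2:]
    if len(tok) == 1:  # bare address in a standard ACL means a single host
        return (int(ipaddress.IPv4Address(tok[0])), 0), tok[1:]
    return (int(ipaddress.IPv4Address(tok[0])),
            int(ipaddress.IPv4Address(tok[1]))), tok[2:]


def parse_ace(line):
    """Parse one numbered ACE into (action, src_spec, dst_spec).
    Standard lists (1-99) carry only a source; extended lists (100-199)
    need a protocol keyword, and like IOS this parser rejects a line
    without one instead of guessing."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    number, action = int(tok[1]), tok[2]
    if number < 100:
        src, _ = _parse_addr(tok[3:])
        return action, src, (0, 0xFFFFFFFF)
    if tok[3] != "ip":
        raise ValueError(f"missing protocol keyword: {line}")
    src, rest = _parse_addr(tok[4:])
    dst, _ = _parse_addr(rest)
    return action, src, dst


def _matches(addr, spec):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    net, wildcard = spec
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (net | wildcard)


def evaluate(acl, src, dst):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for line in acl:
        action, s, d = parse_ace(line)
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"


def forward(nat_acl, crypto_acl, src, dst):
    """Model the part of the inside-to-outside order of operations that
    matters here: a 'permit' in the NAT ACL translates the source, and the
    crypto ACL is then evaluated against the translated packet."""
    natted = evaluate(nat_acl, src, dst) == "permit"
    wire_src = OUTSIDE_ADDR if natted else src
    encrypted = evaluate(crypto_acl, wire_src, dst) == "permit"
    return {"natted": natted, "encrypted": encrypted, "src_on_wire": wire_src}


if __name__ == "__main__":
    for label, acl in (("permit first", NAT_ACL_WRONG_ORDER),
                       ("deny first", NAT_ACL_RIGHT_ORDER)):
        for dst in ("10.0.5.5", "8.8.8.8"):
            print(f"{label:13} 10.80.49.10 -> {dst}:",
                  forward(acl, CRYPTO_ACL, "10.80.49.10", dst))
```

With the permit above the deny, a packet for the remote 10.0.0.0/8 network is translated to 192.168.8.99 and no longer matches access-list 115, so it leaves in the clear towards 192.168.8.1 and never reaches the peer, which is exactly the "VPN up but cannot reach the other side" symptom; with the deny first, the same packet keeps its 10.80.49.x source, matches the crypto ACL and is encrypted, while internet-bound traffic is still translated.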

Hello

Before any suggestions were made you had VPN connectivity but no internet access.

It was suggested that you require split tunneling to allow VPN users to access the internet without being encrypted.

 

Your then-current configuration for NAT consisted of:

access-list 2 permit 10.80.49.0 0.0.0.255
ip nat pool internet 10.80.49.1 10.80.49.254 netmask 255.255.255.0
ip nat inside source list 2 pool internet

ip route 0.0.0.0 0.0.0.0 192.168.8.1

Which stated to NAT your internal LAN users with a NAT pool of your internal LAN users, which is an incorrect statement.

So really only what needed to change was access-list 2 or new access-list and a NAT statement.

So can you confirm at this time what is now applied to the rtr regarding NAT and access-lists?

res
Paul

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


20 Replies

Hello,

 

you need to exclude VPN traffic from NAT. I changed the access list used for NAT (changes in bold). This needs to be done for the reverse traffic on the other side too.

Also, your NAT pool consists of inside addresses; this doesn't work, so I took the line out...

 

hostname Router
no aaa new-model
!
ip nbar http-services
!
ip dhcp excluded-address 10.80.49.1 10.80.49.100
!
ip dhcp pool testdhcp
network 10.80.49.0 255.255.255.0
default-router 10.80.49.1
dns-server 10.80.80.4

subscriber templating
!
multilink bundle-name authenticated
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
redundancy mode none
crypto isakmp policy 7
encr 3des
authentication pre-share
group 2

crypto isakmp key testkey address 212.12.13.2
!
crypto ipsec transform-set juniperset esp-3des esp-sha-hmac
mode tunnel
!
crypto map testmap 7 ipsec-isakmp
set peer 212.12.13.2
set transform-set juniperset
set pfs group2
match address 115

interface GigabitEthernet0/0/0
ip address 10.80.49.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 192.168.8.99 255.255.255.0
ip nat outside
negotiation auto
crypto map testmap
!
ip nat inside source list 100 interface GigabitEthernet0/0/1 overload
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.8.1
!
access-list 100 deny ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit 10.80.49.0 0.0.0.255

!
access-list 115 permit ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255

hello,

 

I've done the changes but the below access-list can't be applied:

access-list 100 permit 10.80.49.0 0.0.0.255

 

Below changes were applied and I can still ping the other side of the VPN:

 

ip nat inside source list 100 interface GigabitEthernet0/0/1 overload

access-list 100 deny  ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255

 

Hello

Basically what needs to be done is split tunneling, and this is what Georg is requesting you to do: you need to negate the VPN interesting traffic between your two VPN sites from being network translated.

 

Try deleting the access-list 100 and recreate it.

no access-list 100
access-list 100 deny ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip any any

or
no access-list 100
access-list 100 deny ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.80.49.0 0.0.0.255 any

 

Also reverse this config for the other side of the vpn


res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,

 

I applied the below config; now I can access the internet and the VPN tunnel is MM_NO_STATE.

 

regards

 

Please send through the configuration you currently have on your router right now. The first reply should have fixed your problem; they just left out "ip" in the access list statement. Just paste your current config, let's see what you are working with.

Hi,

 

This is my configuration now. With this I am able to reach anything on the other side of the VPN, but I can't access the internet.

 

hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!

ip dhcp excluded-address 10.80.49.1 10.80.49.100
!
ip dhcp pool LocalDhcp
network 10.80.49.0 255.255.255.0
dns-server 8.8.8.8 10.80.32.30
default-router 10.80.49.1
!
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
!

diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
redundancy
mode none
!
!

crypto isakmp policy 7
encr 3des
authentication pre-share
group 2
crypto isakmp key testkey address 212.12.13.2
!
!
crypto ipsec transform-set juniperset esp-3des esp-sha-hmac
mode tunnel
!
!
crypto map testmap 7 ipsec-isakmp
set peer 212.12.13.2
set transform-set juniperset
set pfs group2
match address 115
!
!
interface GigabitEthernet0/0/0
ip address 10.80.49.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 192.168.8.99 255.255.255.0
ip nat outside
negotiation auto
crypto map testmap
!
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.8.1
!
!
access-list 115 permit ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255

Hello,

 

add the lines in bold to your configuration:

 

hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!

ip dhcp excluded-address 10.80.49.1 10.80.49.100
!
ip dhcp pool LocalDhcp
network 10.80.49.0 255.255.255.0
dns-server 8.8.8.8 10.80.32.30
default-router 10.80.49.1
!
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
!

diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
redundancy
mode none
!
!

crypto isakmp policy 7
encr 3des
authentication pre-share
group 2
crypto isakmp key testkey address 212.12.13.2
!
!
crypto ipsec transform-set juniperset esp-3des esp-sha-hmac
mode tunnel
!
!
crypto map testmap 7 ipsec-isakmp
set peer 212.12.13.2
set transform-set juniperset
set pfs group2
match address 115
!
!
interface GigabitEthernet0/0/0
ip address 10.80.49.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 192.168.8.99 255.255.255.0
ip nat outside
negotiation auto
crypto map testmap
!
ip forward-protocol nd
no ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.8.1
!
ip nat inside source list 101 interface GigabitEthernet0/0/1 overload
!
access-list 101 deny ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit 10.80.49.0 0.0.0.255 any
!
access-list 115 permit ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255

Hello,

 

Applied. I can access the internet and the VPN is up, but I can't reach the other side of the VPN, and I am receiving the below log:

 

*Nov  4 04:11:25.668: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 58.218.198.156

 

regards

 

Yep, like I said, the first reply from Mark was going to help; he just missed an "ip" in the access-list. Do as the last reply says and you should be good.

Hi,

 

Yes, you are right. I added the missing ip so it could be applied. I am connected to the internet, but I can't reach the other side of the VPN, and it's UP with the below log:

 

*Nov  4 04:11:25.668: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 58.218.198.156

Run the following command:

show crypto ipsec sa 

and post the output..

Router#show crypto ipsec sa

interface: GigabitEthernet0/0/1
Crypto map tag: testmap, local addr 192.168.8.99

protected vrf: (none)
local ident (addr/mask/prot/port): (10.80.49.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer 212.12.13.2 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 84, #pkts decrypt: 84, #pkts verify: 84
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.8.99, remote crypto endpt.: 212.12.13.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x1A8C82BF(445416127)
PFS (Y/N): Y, DH group: group2

inbound esp sas:
spi: 0x94228AEB(2485291755)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2001, flow_id: ESG:1, sibling_flags FFFFFFFF80000048, crypto map: testmap
sa timing: remaining key lifetime (k/sec): (4608000/3193)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xDB01B754(3674322772)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2003, flow_id: ESG:3, sibling_flags FFFFFFFF80004048, crypto map: testmap
sa timing: remaining key lifetime (k/sec): (4607992/3199)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xCB26D14F(3408318799)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2002, flow_id: ESG:2, sibling_flags FFFFFFFF80000048, crypto map: testmap
sa timing: remaining key lifetime (k/sec): (4608000/3193)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x1A8C82BF(445416127)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2004, flow_id: ESG:4, sibling_flags FFFFFFFF80004048, crypto map: testmap
sa timing: remaining key lifetime (k/sec): (4608000/3199)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

Well, the VPN is up and you are receiving packets from the other end. Something seems to be wrong with your crypto ACL for interesting traffic. Please send your current full config again.
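The diagnosis above rests on reading the counters in the pasted output: decaps is climbing while encaps stays at zero, so the peer is sending but this side never encrypts anything. As an added example (not part of the thread, and not a Cisco tool), here is a small Python parser for that section of show crypto ipsec sa together with a classifier that turns the counter pattern into the same conclusion; the sample text is a trimmed copy of the output posted earlier in the thread, and the classification codes are this example's own, not IOS terminology.

```python
import re

# Constructed sample, trimmed from the 'show crypto ipsec sa' output
# pasted in the thread; it is embedded here so the example runs offline.
SAMPLE_SA = """\
interface: GigabitEthernet0/0/1
    Crypto map tag: testmap, local addr 192.168.8.99

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.80.49.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer 212.12.13.2 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 84, #pkts decrypt: 84, #pkts verify: 84
    #send errors 0, #recv errors 0
"""


def parse_ipsec_sa(text):
    """Return one dict per 'local ident' block: the proxy identities, the
    peer address and the packet/error counters found under that block."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("local ", "remote ")) and "ident" in line:
            if line.startswith("local "):
                cur = {"counters": {}, "errors": {}}
                entries.append(cur)
            if cur is None:
                continue  # 'remote ident' before any 'local ident'; ignore
            # '(10.80.49.0/255.255.255.0/0/0)' -> addr, mask, proto, port
            addr, mask, _proto, _port = line.rsplit("(", 1)[1].rstrip(")").split("/")
            cur[line.split()[0]] = f"{addr}/{mask}"
            continue
        if cur is None:
            continue
        m = re.match(r"current_peer (\S+)", line)
        if m:
            cur["peer"] = m.group(1)
            continue
        for name, count in re.findall(r"#pkts (\w+): (\d+)", line):
            cur["counters"][name] = int(count)
        for direction, count in re.findall(r"#(send|recv) errors (\d+)", line):
            cur["errors"][direction] = int(count)
    return entries


def diagnose(entry):
    """Classify the traffic pattern on one SA pair from its encaps/decaps
    counters and return (code, hint). Codes are this example's own."""
    enc = entry["counters"].get("encaps", 0)
    dec = entry["counters"].get("decaps", 0)
    peer = entry.get("peer", "?")
    if enc == 0 and dec == 0:
        return "no-traffic", "nothing sent or received; check that the crypto ACL matches the interesting traffic"
    if enc == 0 and dec > 0:
        return "inbound-only", (f"peer {peer} sends but this side encrypts nothing: local traffic is "
                                "not matching the crypto ACL, typically because NAT rewrites the "
                                "source before encryption")
    if enc > 0 and dec == 0:
        return "outbound-only", f"this side encrypts but peer {peer} returns nothing; check the peer's crypto ACL and NAT exemption"
    return "bidirectional", "traffic flows both ways"


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_SA):
        code, hint = diagnose(sa)
        print(sa["local"], "<->", sa["remote"], "via", sa["peer"], ":", code, "-", hint)
```

Run against the sample, the classifier reports inbound-only for the 10.80.49.0/24 to 10.0.0.0/8 pair, which is the state the reply above describes and which the NAT ACL ordering in this thread produces.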

Router#show running-config full
Building configuration...

version 16.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!

ip dhcp excluded-address 10.80.49.1 10.80.49.100
!
ip dhcp pool LocalDhcp
network 10.80.49.0 255.255.255.0
dns-server 8.8.8.8 10.80.32.30
default-router 10.80.49.1
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
redundancy
mode none

!
crypto isakmp policy 7
encr 3des
authentication pre-share
group 2
crypto isakmp key testkey address 212.12.13.2
!
!
crypto ipsec transform-set juniperset esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map testmap 7 ipsec-isakmp
set peer 212.12.13.2
set transform-set juniperset
set pfs group2
match address 115
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address 10.80.49.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 192.168.8.99 255.255.255.0
ip nat outside
negotiation auto
crypto map testmap
!
ip nat inside source list 101 interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.8.1
!
!
access-list 101 permit ip 10.80.49.0 0.0.0.255 any
access-list 101 deny ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 115 permit ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255
!
!
!
!
control-plane
!
!

!
end