No internet access

malbalhaj
Level 1
Dears, I am facing a problem accessing internet web browsing through the router, but I already established a VPN connection between this router and another site and it is working fine: RDP, ping, everything. Here is my configuration:

hostname Router
no aaa new-model
!
ip nbar http-services
!
ip dhcp excluded-address 10.80.49.1 10.80.49.100
!
ip dhcp pool testdhcp
 network 10.80.49.0 255.255.255.0
 default-router 10.80.49.1
 dns-server 10.80.80.4
subscriber templating
!
!
!
multilink bundle-name authenticated
!
!
!
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
redundancy
 mode none
crypto isakmp policy 7
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key testkey address 212.12.13.2
!
!
crypto ipsec transform-set juniperset esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map testmap 7 ipsec-isakmp
 set peer 212.12.13.2
 set transform-set juniperset
 set pfs group2
 match address 115
interface GigabitEthernet0/0/0
 ip address 10.80.49.1 255.255.255.0
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address 192.168.8.99 255.255.255.0
 ip nat outside
 negotiation auto
 crypto map testmap
!
ip nat pool internet 10.80.49.1 10.80.49.254 netmask 255.255.255.0
ip nat inside source list 2 pool internet
ip forward-protocol nd
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.8.1
!
!
access-list 2 permit 10.80.49.0 0.0.0.255
access-list 115 permit ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255

Your help is appreciated.
Hello,

What does the other side use as peer address?

interface GigabitEthernet0/0/1
ip address 192.168.8.99 255.255.255.0
ip nat outside
negotiation auto
crypto map testmap

You are using a private space address. What is connected in front of this?

Hello,

The scenario for the connection is a Cisco router 4221 connected to a Huawei 4G router with DMZ enabled, IP 192.168.8.99, with a static IP to be used to the other side, and my gateway is 192.168.8.1.

Through this setup I can't up the VPN tunnel successfully; I can browse the internet but I can't reach any device on the other side or ping.

If I negate the below then I can reach the other side but I can't browse the internet:

ip nat inside source list 101 interface GigabitEthernet0/0/1 overload

access-list 101 permit ip 10.80.49.0 0.0.0.255 any
access-list 101 deny ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255

 

Mate, you are sending us round and round in circles here; just post your current configuration. I told you already your VPN is up; the problem is your crypto ACL is missing or your crypto map under the interface is missing ... just post your config and stop taking us on a ride here, mate.


@malbalhaj wrote:

Hello,

The scenario for the connection is a Cisco router 4221 connected to a Huawei 4G router with DMZ enabled, IP 192.168.8.99, with a static IP to be used to the other side, and my gateway is 192.168.8.1.

Through this setup I can't up the VPN tunnel successfully; I can browse the internet but I can't reach any device on the other side or ping.

If I negate the below then I can reach the other side but I can't browse the internet:

ip nat inside source list 101 interface GigabitEthernet0/0/1 overload

access-list 101 permit ip 10.80.49.0 0.0.0.255 any
access-list 101 deny ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255


Mate, the deny ip entry must be at the top of the access list, not at the bottom. As in your case the deny is underneath the permit statement. Place it on top.
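
An added illustration of the ordering point in the reply above (not part of the thread, and written in Python rather than router configuration): a small model of first-match ACL evaluation and of NAT being applied before the crypto map ACL check on inside-to-outside traffic, run over ACL 101 as posted and with the deny moved to the top. The sample hosts are constructed, and the model assumes overload NAT onto 192.168.8.99.

```python
import ipaddress

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC WILDCARD (DST WILDCARD | any)' lines."""
    rules = []
    for line in text.strip().splitlines():
        action, _proto, src, src_wc, *dst = line.split()[2:]
        dst = ("0.0.0.0", "255.255.255.255") if dst == ["any"] else tuple(dst)
        rules.append((action, (src, src_wc), dst))
    return rules

def wild_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)          # wildcard bits set to 1 are "don't care"

def acl_permits(rules, src, dst):
    for action, (s, s_wc), (d, d_wc) in rules:
        if wild_match(src, s, s_wc) and wild_match(dst, d, d_wc):
            return action == "permit"  # first matching entry decides
    return False                       # implicit deny at the end of every ACL

def egress(nat_acl, crypto_acl, src, dst, outside_ip="192.168.8.99"):
    """Inside-to-outside: NAT is applied before the crypto map ACL is checked."""
    if acl_permits(nat_acl, src, dst):
        src = outside_ip               # overload onto the Gi0/0/1 address
    return ("ipsec" if acl_permits(crypto_acl, src, dst) else "clear"), src

POSTED_101 = parse_acl("""
access-list 101 permit ip 10.80.49.0 0.0.0.255 any
access-list 101 deny ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255
""")
REORDERED_101 = parse_acl("""
access-list 101 deny ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.80.49.0 0.0.0.255 any
""")
CRYPTO_115 = parse_acl("access-list 115 permit ip 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255")

# Constructed sample hosts (not from the thread)
LAN_HOST, REMOTE_HOST, INTERNET_HOST = "10.80.49.120", "10.1.2.3", "198.51.100.10"

if __name__ == "__main__":
    for name, acl in (("posted", POSTED_101), ("reordered", REORDERED_101)):
        for dst in (REMOTE_HOST, INTERNET_HOST):
            print(name, dst, egress(acl, CRYPTO_115, LAN_HOST, dst))
```

With the posted order, traffic to the remote 10.0.0.0/8 side is translated to 192.168.8.99 first, so it no longer matches ACL 115 and leaves unencrypted; with the deny on top it keeps its 10.80.49.x source and is selected for IPsec, while internet traffic is still translated.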

Hello

Given the addressing below, and that your NAT wasn't working in the OP, how is the vpn peer being reached?

Your default route isn't even pointing to a connected interface; it looks like it's recursive, and as well is your VPN peer address?

So what is this rtr connected to for it to establish a vpn with the below addressing and default route?

inside nat - 10.80.49.1/24
outside nat 192.168.89.49/24

ipsec interesting traffic 10.80.49.0 0.0.0.255 10.0.0.0 0.255.255.255
crypto peer 212.12.13.2
ip route 0.0.0.0 0.0.0.0 192.168.8.1

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello

Before any suggestions were made you had VPN connectivity but no internet access.

It was suggested that you require split tunneling to allow VPN users to access the internet without being encrypted.

Your then current configuration for NAT consisted of:

access-list 2 permit 10.80.49.0 0.0.0.255
ip nat pool internet 10.80.49.1 10.80.49.254 netmask 255.255.255.0
ip nat inside source list 2 pool internet

ip route 0.0.0.0 0.0.0.0 192.168.8.1

Which stated to NAT your internal LAN users with a NAT pool of your internal LAN users, which is an incorrect statement?

So really only what needed to change was access-list 2 or new access-list and a NAT statement.

So can you confirm at this time what is now applied to the rtr regards NAT and access-lists?

res
Paul

 

