cisco router 1921 internet problem with vpn site to site connection

Fatouh3366
Level 1

I have a DSL connection from TE-Data through a 3Com modem at 2 sites, and I have 2 Cisco 1921 routers with a site-to-site VPN between them.

The VPN connection is working well, and I configured PAT on one of them to allow the users to access the internet, but there is a problem:

all users can ping any public IP

all users can ping any URL

but there is no browsing of the internet

And this is the configuration:

NOZHA#sh run
Building configuration...

Current configuration : 2425 bytes
!
! Last configuration change at 11:24:08 UTC Thu Sep 20 2012
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NOZHA
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp pool 1
 network 192.168.40.0 255.255.255.0
 default-router 192.168.40.1
 dns-server 4.2.2.2 8.8.8.8
 lease infinite
!
!
ip domain name shady2012
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FCZ1432C5KM
license boot module c1900 technology-package securityk9
!
!
!
redundancy
!
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key shady2012 address 81.10.xxx.yy
!
!
crypto ipsec transform-set shady2012 esp-aes esp-sha-hmac
!
crypto map s2s-VPN 150 ipsec-isakmp
 set peer 81.10.xxx.yy
 set pfs group2
 match address s2s-vpn-obour
!
!
!
!
!
interface GigabitEthernet0/0
 mtu 1000
 ip address 41.41.xx.yy 255.255.255.252
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map s2s-VPN
!
!
interface GigabitEthernet0/1
 ip address 192.168.40.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
ip default-gateway (41.41.xx.yy)next hop
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat source list mypool interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 41.41.xx.yy
ip route 192.168.20.0 255.255.255.0 (41.41.xx.yy) next hop
ip route 192.168.30.0 255.255.255.0 (41.41.xx.yy) next hop
!
ip access-list extended mypool
 deny ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip any any
ip access-list extended s2s-vpn-obour
 permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 password
 login
!
scheduler allocate 20000 1000
end

If anyone has an answer, please reply ASAP.


John Blakley
VIP Alumni

There are a couple of things I would change:

1. Remove the ip default-gateway line. It's not needed if you have routing enabled.

2. On your interfaces, you can remove "ip nat inside" and "ip nat outside". The way that you have your nat line, it only requires "ip nat enable". If you want to keep the "ip nat inside/outside", you can change your nat statement to read "ip nat inside source list mypool interface g0/0 overload".

3. I would tie the specific internal subnets to the acl that's used in your nat statement instead of using "permit ip any any". Try:

ip access-list extended mypool
 deny ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 any
 permit ip 192.168.21.0 0.0.0.255 any

4. You have "ip dns server" enabled, yet you're handing over Verizon and Google addresses. You should be able to disable the dns server on the router if you won't be using it to forward your requests.

HTH,

John

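Added example, not part of the thread and not code from either poster: a small Python evaluator for the IOS extended-ACL syntax used in the posted config. It parses the NAT ACL mypool (as posted, and as John suggests in point 3) together with the crypto ACL s2s-vpn-obour, and checks two things a reviewer of this config would want to confirm: that every flow the crypto map would encrypt from a local LAN is denied by the NAT ACL (IOS translates inside-to-outside traffic before it consults the crypto map, which is why the deny lines are there; a missing deny would send that traffic out translated and unencrypted), and which source addresses each version of mypool would translate towards the internet. Assumptions: the parser only supports "permit"/"deny ip" entries with the "any" and "host" keywords; the inside LANs are taken to be 192.168.40.0/24 and 192.168.21.0/24, the networks the deny lines protect; the test addresses such as 192.168.99.7 are constructed.

```python
"""Evaluate IOS extended ACLs from the thread and check NAT versus crypto ordering.

Added example; not from the original thread. The ACL text below is copied from
the posts. LOCAL_SUBNETS is an assumption (the LANs the NAT ACL's deny lines
protect). Only 'permit|deny ip SRC WILD DST WILD' entries are supported, with
the 'any' and 'host' keywords.
"""
import ipaddress
from dataclasses import dataclass

NAT_ACL_ORIGINAL = """
ip access-list extended mypool
deny ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
deny ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip any any
"""

NAT_ACL_SUGGESTED = """
ip access-list extended mypool
deny ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
deny ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 any
permit ip 192.168.21.0 0.0.0.255 any
"""

CRYPTO_ACL = """
ip access-list extended s2s-vpn-obour
permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
"""

# Assumption: the inside LANs behind the NAT router (not stated in the thread).
LOCAL_SUBNETS = [ipaddress.ip_network("192.168.40.0/24"),
                 ipaddress.ip_network("192.168.21.0/24")]


@dataclass(frozen=True)
class Ace:
    action: str
    src: int        # network address as an integer
    src_wild: int   # IOS wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int


def _addr_spec(tokens):
    """Consume one address spec; return (network, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), tokens[2:])


def parse_acl(text):
    """Parse 'permit|deny ip ...' lines; the 'ip access-list' header is skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        if tok[1] != "ip":
            raise ValueError("unsupported protocol in ACE: %r" % line)
        src, src_wild, rest = _addr_spec(tok[2:])
        dst, dst_wild, _ = _addr_spec(rest)
        aces.append(Ace(tok[0], src, src_wild, dst, dst_wild))
    return aces


def _match(addr, net, wild):
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(aces, src, dst):
    """First-match evaluation with IOS's implicit deny at the end."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if _match(s, ace.src, ace.src_wild) and _match(d, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


def _sample_host(net, wild):
    """A representative host inside an ACE address spec (lowest free bit set)."""
    return str(ipaddress.IPv4Address((net & ~wild & 0xFFFFFFFF) | (wild & -wild)))


def nat_before_crypto_leaks(nat_aces, crypto_aces, local_subnets):
    """Flows the crypto ACL would protect but the NAT ACL would translate first.

    Inside-to-outside NAT runs before the crypto map is consulted, so a flow
    the NAT ACL permits is translated and then no longer matches the crypto
    ACL. Only flows sourced from the local subnets are relevant here.
    """
    leaks = []
    for ace in crypto_aces:
        if ace.action != "permit":
            continue
        src = _sample_host(ace.src, ace.src_wild)
        if not any(ipaddress.IPv4Address(src) in n for n in local_subnets):
            continue
        dst = _sample_host(ace.dst, ace.dst_wild)
        if evaluate(nat_aces, src, dst) == "permit":
            leaks.append((src, dst))
    return leaks


def translated(nat_aces, src, dst="8.8.8.8"):
    """Whether a flow from src to an internet host would be PAT-ed."""
    return evaluate(nat_aces, src, dst) == "permit"


if __name__ == "__main__":
    nat_orig, nat_new = parse_acl(NAT_ACL_ORIGINAL), parse_acl(NAT_ACL_SUGGESTED)
    crypto = parse_acl(CRYPTO_ACL)
    print("leaks, posted ACL:   ", nat_before_crypto_leaks(nat_orig, crypto, LOCAL_SUBNETS))
    print("leaks, suggested ACL:", nat_before_crypto_leaks(nat_new, crypto, LOCAL_SUBNETS))
    for label, acl in (("posted", nat_orig), ("suggested", nat_new)):
        # 192.168.99.7 is a constructed address from a subnet that is not an inside LAN
        print(label, "ACL translates 192.168.99.7:", translated(acl, "192.168.99.7"))
```

Both versions of mypool pass the ordering check, which matches the thread (the tunnel works). The difference John's point 3 makes shows up in the second check: with "permit ip any any", any source that reaches the inside interface is translated, while the subnet-specific permits translate only the two LANs.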