02-22-2013 05:36 PM - last edited on 03-25-2019 04:23 PM by ciscomoderator
Ok, here's the situation. I have an 891w as my edge device for my home office. I have a VLAN for family use (wired and wireless) that routes out to the internet just fine. I have a second VLAN assigned to a VPN tunnel that backhauls traffic to my corporate network (wired and wireless) and all of the traffic gets to the corporate network fine when I am on that VLAN.
However, while I am on the VPN VLAN, no traffic gets to the internet. I believe it is because I have the gateway of last resort (0.0.0.0) set to the WAN IP address provided by my ISP, so DNS is resolving against corporate, but because there is no specific route, it is trying to dump the traffic back out the WAN without traversing the VPN tunnel.
Anyone know how I can fix that?
Thanks in advance.
02-23-2013 06:00 AM
Can you post your config?
02-23-2013 10:01 AM
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname *****
!
boot-start-marker
boot system flash c890-universalk9-mz.152-4.M2.bin
boot-end-marker
!
!
enable secret 4 *****
!
no aaa new-model
clock timezone PCTime -8 0
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-959396971
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-959396971
revocation-check none
rsakeypair TP-self-signed-959396971
!
!
ip cef
!
!
!
!
ip port-map user-DTV1 port tcp from 27178 to 27179 description DTV1
!
ip dhcp excluded-address 192.168.58.1 192.168.58.150
ip dhcp excluded-address 192.168.58.201 192.168.58.254
ip dhcp excluded-address 10.28.228.1 10.28.228.2
!
ip dhcp pool ccp-pool
import all
network 192.168.58.0 255.255.255.0
default-router 192.168.58.1
dns-server 4.2.2.1 4.2.2.2
lease 2
!
ip dhcp pool router-vlan228-********
network 10.28.228.16 255.255.255.240
option 150 ip 10.28.8.219 10.160.136.201
dns-server 10.28.8.137 10.28.8.138
domain-name ********.corp
default-router 10.28.228.17
!
!
!
ip name-server 4.2.2.1
ip name-server 4.2.2.2
ip inspect log drop-pkt
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO891W-AGN-A-K9 sn FTX13338104
!
!
archive
log config
hidekeys
username router privilege 15 secret 5 *****
!
redundancy
!
!
!
!
!
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 102
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any All-SVC
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any TMS
match protocol http
match protocol https
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-icmp
match protocol icmp
class-map type inspect match-any DTV1
match protocol user-DTV1
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all ccp-cls--1
match class-map All-SVC
match access-group name PresNet
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any VPN-allow
match class-map ccp-protocol-icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map DTV1
match access-group name LVGRMDTV
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all SDM_VPN_PT
match access-group 101
match class-map SDM_VPN_TRAFFIC
!
policy-map type inspect ccp-policy-ccp-cls--1
class type inspect ccp-cls--1
pass
class class-default
drop
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
pass
class type inspect sdm-cls-VPNOutsideToInside-1
pass
class class-default
drop log
policy-map type inspect ccp-inspect
class type inspect sdm-cls-VPNOutsideToInside-1
pass
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class type inspect ccp-protocol-icmp
pass
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class type inspect ccp-cls-ccp-permit-1
pass
class type inspect SDM_DHCP_CLIENT_PT
pass
class type inspect ccp-protocol-icmp
pass
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class type inspect ccp-icmp-access
pass
class class-default
pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-self-out source self destination out-zone
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp peer address xxx.xxx.xxx.xxx
set aggressive-mode password *****
set aggressive-mode client-endpoint user-fqdn *****
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
!
!
!
crypto map ********VPN 10 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set ESP-AES-256-SHA
match address ********_CRYPTO
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
switchport access vlan 228
no ip address
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 228
no ip address
spanning-tree portfast
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
description $FW_OUTSIDE$$ETH-WAN$
ip address dhcp client-id GigabitEthernet0
ip nbar protocol-discovery
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
crypto map ********VPN
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
ip address 192.168.58.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Vlan228
ip address 10.28.228.17 255.255.255.240
zone-member security in-zone
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.58.102 27177 interface GigabitEthernet0 27177
ip nat inside source static tcp 192.168.58.102 27178 interface GigabitEthernet0 27178
ip nat inside source list NONAT interface GigabitEthernet0 overload
!
ip access-list extended LVGRMDTV
remark CCP_ACL Category=128
permit ip any host xxx.xxx.xxx.xxx
ip access-list extended NONAT
deny ip 10.28.228.16 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.28.228.16 0.0.0.15 10.160.0.0 0.0.255.255
deny ip 10.28.228.16 0.0.0.15 172.18.0.0 0.1.255.255
deny ip 10.28.228.16 0.0.0.15 172.20.0.0 0.1.255.255
deny ip 10.28.228.16 0.0.0.15 172.30.0.0 0.0.255.255
permit ip 192.168.58.0 0.0.0.255 any
ip access-list extended ********_CRYPTO
permit ip 10.28.228.16 0.0.0.15 10.0.0.0 0.255.255.255
permit ip 10.28.228.16 0.0.0.15 10.160.0.0 0.0.255.255
permit ip 10.28.228.16 0.0.0.15 172.18.0.0 0.1.255.255
permit ip 10.28.228.16 0.0.0.15 172.20.0.0 0.1.255.255
permit ip 10.28.228.16 0.0.0.15 172.30.0.0 0.0.255.255
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
ip sla auto discovery
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.58.0 0.0.0.255
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 192.168.58.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 207.30.28.227 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip 10.0.0.0 0.255.255.255 10.28.228.16 0.0.0.15
access-list 102 permit ip 172.18.0.0 0.1.255.255 10.28.228.16 0.0.0.15
access-list 102 permit ip 172.20.0.0 0.1.255.255 10.28.228.16 0.0.0.15
access-list 102 permit ip 172.30.0.0 0.0.255.255 10.28.228.16 0.0.0.15
access-list 102 permit ip 10.28.228.16 0.0.0.15 10.0.0.0 0.255.255.255
access-list 102 permit ip 10.28.228.16 0.0.0.15 172.18.0.0 0.1.255.255
access-list 102 permit ip 10.28.228.16 0.0.0.15 172.20.0.0 0.1.255.255
access-list 102 permit ip 10.28.228.16 0.0.0.15 172.30.0.0 0.0.255.255
no cdp run
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
02-23-2013 04:15 PM
Hello,
So I would say that the VLAN with the issue would be VLAN 228.
If I understood the issue correctly, then here is the first step to fix this:
ip access-list extended NONAT
 permit ip 10.28.228.16 0.0.0.15 any
Give it a try, and let me know.
02-23-2013 08:38 PM
Thanks for the suggestion, however that didn't resolve the issue. What I need to have happen is that any device residing on VLAN228 needs to forward internet requests across the VPN tunnel. Right now, when the request hits the router, the router is trying to send the traffic out the local WAN interface rather than forwarding it to the next hop on the VPN tunnel. That is what I believe is the issue.
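Added example, not part of the thread: a small model of the inside-to-outside path on the posted 891W config. It matters for this question that IOS applies `ip nat inside source` before the crypto map on GigabitEthernet0 evaluates the packet, so the NONAT ACL decides whether the crypto ACL ever sees the original 10.28.228.16/28 source. The script copies the NONAT and ********_CRYPTO ACL bodies from the config above, then checks three flows against (a) the ACLs as posted, (b) the NONAT ACL with the line suggested in the reply appended, and (c) a hypothetical full-tunnel crypto ACL (`permit ip 10.28.228.16 0.0.0.15 any`) that is not from the thread and would also require the corporate head-end to accept and NAT that traffic. The WAN address 203.0.113.10 and the public destination 8.8.8.8 are constructed sample values; route lookup and the zone-based firewall are not modelled.

```python
"""
Added example (not from the thread): model an inside->outside packet on the
posted 891W config to see why VLAN 228 hosts reach corporate but not the
internet. IOS applies 'ip nat inside source' before the crypto map on the
egress interface, so the NONAT ACL decides whether the crypto ACL ever sees
the original 10.28.228.16/28 source.
"""
import ipaddress

# ACL bodies copied from the posted config (remarks dropped).
NONAT_AS_POSTED = """
deny ip 10.28.228.16 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.28.228.16 0.0.0.15 10.160.0.0 0.0.255.255
deny ip 10.28.228.16 0.0.0.15 172.18.0.0 0.1.255.255
deny ip 10.28.228.16 0.0.0.15 172.20.0.0 0.1.255.255
deny ip 10.28.228.16 0.0.0.15 172.30.0.0 0.0.255.255
permit ip 192.168.58.0 0.0.0.255 any
"""
CRYPTO_AS_POSTED = """
permit ip 10.28.228.16 0.0.0.15 10.0.0.0 0.255.255.255
permit ip 10.28.228.16 0.0.0.15 10.160.0.0 0.0.255.255
permit ip 10.28.228.16 0.0.0.15 172.18.0.0 0.1.255.255
permit ip 10.28.228.16 0.0.0.15 172.20.0.0 0.1.255.255
permit ip 10.28.228.16 0.0.0.15 172.30.0.0 0.0.255.255
"""
# NONAT with the line suggested in the reply appended (IOS adds new entries at the end).
NONAT_WITH_REPLY_LINE = NONAT_AS_POSTED + "permit ip 10.28.228.16 0.0.0.15 any\n"
# Hypothetical full-tunnel crypto ACL: NOT in the thread; assumes the corporate
# head-end accepts 10.28.228.16/28 traffic bound for the internet and NATs it there.
CRYPTO_FULL_TUNNEL = "permit ip 10.28.228.16 0.0.0.15 any\n"
WAN_IP = "203.0.113.10"  # constructed stand-in for the DHCP-assigned WAN address


def parse_addr(tok, i):
    """Parse one address term (any | host A | A WILDCARD) starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # Cisco wildcard is an inverse mask; only contiguous wildcards are handled here.
    mask = (~int(ipaddress.IPv4Address(tok[i + 1]))) & 0xFFFFFFFF
    net = ipaddress.ip_network((tok[i], str(ipaddress.IPv4Address(mask))), strict=False)
    return net, i + 2


def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines of an extended ACL into (action, src, dst)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        src, i = parse_addr(tok, 2)
        dst, _ = parse_addr(tok, i)
        entries.append((tok[0], src, dst))
    return entries


def acl_match(entries, src, dst):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for action, snet, dnet in entries:
        if src in snet and dst in dnet:
            return action
    return "deny"


def disposition(nonat, crypto, src, dst, wan_ip=WAN_IP):
    """Inside->outside order of operations: NAT first, then the crypto map."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    translated = acl_match(nonat, src, dst) == "permit"
    if translated:
        src = ipaddress.ip_address(wan_ip)  # the crypto ACL sees the post-NAT source
    if acl_match(crypto, src, dst) == "permit":
        return "encrypted-to-peer"
    if translated:
        return "nat-plaintext-internet"
    return "leak-plaintext-private-source"  # no NAT, no IPsec: a 10.x source leaves for the ISP


def report(nonat_text, crypto_text):
    """Dispositions for the three flows that matter in the thread."""
    nonat, crypto = parse_acl(nonat_text), parse_acl(crypto_text)
    flows = {
        "vlan228->corp-dns": ("10.28.228.20", "10.28.8.137"),  # corporate DNS from the config
        "vlan228->internet": ("10.28.228.20", "8.8.8.8"),      # constructed public destination
        "vlan1->internet": ("192.168.58.50", "8.8.8.8"),
    }
    return {name: disposition(nonat, crypto, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for label, n, c in [("as posted", NONAT_AS_POSTED, CRYPTO_AS_POSTED),
                        ("reply's NONAT line appended", NONAT_WITH_REPLY_LINE, CRYPTO_AS_POSTED),
                        ("hypothetical full tunnel", NONAT_AS_POSTED, CRYPTO_FULL_TUNNEL)]:
        print(label)
        for flow, result in report(n, c).items():
            print(f"  {flow:20} {result}")
```

With the ACLs as posted, a VLAN 228 host bound for a public address matches neither a NONAT permit nor the crypto ACL, so the model reports it leaving GigabitEthernet0 unencrypted with its 10.28.228.x source, which the ISP will not route back. Appending the reply's NONAT line turns that flow into ordinary NAT out the WAN (split tunnelling) rather than backhaul. The hypothetical full-tunnel crypto ACL is the only variant in which the flow is marked for encryption, and it works only because the posted NONAT ACL already leaves VLAN 228 internet traffic untranslated through its implicit deny; a NONAT permit for the same traffic would defeat it, since NAT runs first.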