cisco router 1921 internet problem with vpn site to site connection

I have a DSL connection from TE-data through a 3Com modem at 2 sites, and I have 2 Cisco 1921 routers with a site-to-site VPN between them. The VPN connection is working well. I configured PAT on one of them to allow the users to access the internet, but there is a problem:

All users can ping any public IP.

All users can ping any URL.

But there is no browsing of the internet.

This is the configuration:

NOZHA#sh run
Building configuration...

Current configuration : 2425 bytes
!
! Last configuration change at 11:24:08 UTC Thu Sep 20 2012
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NOZHA
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp pool 1
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 4.2.2.2 8.8.8.8
lease infinite
!
!
ip domain name shady2012
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FCZ1432C5KM
license boot module c1900 technology-package securityk9
!
!
!
redundancy
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key shady2012 address 81.10.xxx.yy
!
!
crypto ipsec transform-set shady2012 esp-aes esp-sha-hmac
!
crypto map s2s-VPN 150 ipsec-isakmp
set peer 81.10.xxx.yy
set pfs group2
match address s2s-vpn-obour
!
!
!
!
!
interface GigabitEthernet0/0
mtu 1000
ip address 41.41.xx.yy 255.255.255.252
ip nat outside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
crypto map s2s-VPN
!
!
interface GigabitEthernet0/1
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
!
!
ip default-gateway (41.41.xx.yy)next hop
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat source list mypool interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 41.41.xx.yy
ip route 192.168.20.0 255.255.255.0 (41.41.xx.yy) next hop
ip route 192.168.30.0 255.255.255.0 (41.41.xx.yy) next hop
!
ip access-list extended mypool
deny ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
deny ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip any any
ip access-list extended s2s-vpn-obour
permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
password
login
!
scheduler allocate 20000 1000
end

If anyone has an answer, please reply ASAP.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

cisco router 1921 internet problem with vpn site to site connect

When you say you can ping any URL, I am assuming that you are pinging the FQDN, i.e. it does resolve to an IP address, right?

If you disable the VPN, can you browse the internet?

Do you have any proxy server or anything that might be blocking browsing?

What error message do you get in your web browser?

Did you also try a different web browser, and none works?
