Cannot Access PCs if Internet is enabled

Hi!

I have a branch office connected to the Head Office through a VPN tunnel on a Cisco 1841 router. If I enable Internet for any PC in the Branch Office through the Cisco router, I cannot access it remotely from the Head Office.

Any Suggestions?

Thanks.

Branch Router Configuration:

boot-start-marker
boot-end-marker
!
enable password
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip name-server ispdns1
ip name-server ispdns2
ip name-server ispdns3
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-template 1
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 1
l2tp tunnel timeout no-session 15
!
username vpn password 0 vpn
!
interface Tunnel1
description VPN To Head-Office
ip address 10.10.10.10 255.255.255.252
tunnel source router public ip
tunnel destination head office router public ip
!
interface GigabitEthernet0/0
description WAN
ip address public ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/1
peer default ip address pool vpn
no keepalive
ppp authentication pap chap ms-chap
!
ip local pool vpn 192.168.1.101 192.168.1.105
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool ovrld public ip address prefix-length 30
ip nat inside source list 102 pool ovrld overload
ip nat inside source static tcp 192.168.1.2 3389 interface GigabitEthernet0/0 3389
ip route 0.0.0.0 0.0.0.0 public ip
ip route 192.168.10.0 255.255.255.0 Tunnel1
ip route 192.168.1.0 255.255.255.0 Tunnel1
ip route 192.168.100.1 255.255.255.255 Public IP WAN Link CPE
!
access-list 102 permit ip host 192.168.1.11 any
access-list 102 permit ip host 192.168.1.12 any
!
control-plane
!
!
line con 0
password
login
line aux 0
line vty 0 4
password
login
transport input all
!
scheduler allocate 20000 1000
end

2 Replies

Matt Lang

It looks like access-list 102 may be causing your issue. You need to bypass NAT when going across the tunnel, so try the following.

access-list 102 deny ip any 192.168.1.0 0.0.0.255
access-list 102 deny ip any 192.168.10.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any

Matt

Well, NAT exempt should not be the issue, as the packet would be GRE encapsulated.

But why do you have a route for 192.168.1.0/24 through the Tunnel1 interface? This is your local LAN subnet.

You need to remove the following route entry

no ip route 192.168.1.0 255.255.255.0 Tunnel1

Hope that helps

Thanks,

Varinder
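The following is an added example, not configuration posted in this thread, showing how both suggestions above would be applied to the branch router as posted. It assumes the addresses from the original post (LAN 192.168.1.0/24, head-office LAN 192.168.10.0/24 reached via Tunnel1) and keeps the original intent of giving Internet only to 192.168.1.11 and 192.168.1.12 rather than opening the permit to the whole /24. The ordering matters: IOS numbered ACLs are evaluated first-match and new entries are appended to the end, so simply typing the deny lines into the existing access-list 102 would place them after the permit entries, where they would never match. The ACL therefore has to be removed and rebuilt with the deny entries first.

```cisco
! Added example (not from the thread): branch router changes applying both
! replies to the configuration in the original post.
!
! 1. Remove the static route that overlaps the directly connected LAN
!    (192.168.1.0/24 is connected on GigabitEthernet0/1).
no ip route 192.168.1.0 255.255.255.0 Tunnel1
!
! 2. Rebuild access-list 102 so that traffic from the branch LAN to the
!    head-office LAN is never translated. Numbered ACLs are first-match and
!    new lines append to the end, so the list must be cleared first;
!    otherwise the deny entries would sit below the permits and never match.
!    Only the two hosts that originally had Internet keep a permit entry.
no access-list 102
access-list 102 remark exempt head-office traffic from NAT, then Internet hosts
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 permit ip host 192.168.1.11 any
access-list 102 permit ip host 192.168.1.12 any
!
! 3. Drop any translations built under the old ACL so the new entries take
!    effect immediately instead of after existing entries time out.
clear ip nat translation *
```

After applying the changes, `show ip route 192.168.1.0 255.255.255.0` should list only the connected route, `show access-lists 102` should show the deny entry above the permits (and its hit counter rising while a head-office host pings 192.168.1.11), and `show ip nat translations` should contain no entries whose destination is in 192.168.10.0/24.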
