Cisco 877 K9 vpn issues (no internet)

c.console
Level 1

Hi.

A colleague asked me to check the VPN configuration issues on a Cisco 877 used in an office.

The Cisco VPN Client (ver. 5) closes the VPN correctly and the VPN user can browse the LAN with no problem but cannot surf the internet :-(

Here is the show run:

Current configuration : 3617 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER01
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$FfuR$c/ZT5M5piz34l.534Y8k21
!
aaa new-model
!
!
aaa authentication login xauthlist local
aaa authorization network groupauthor local
!
!
aaa session-id common
!
!
dot11 syslog
no ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.1.1 10.0.1.10
ip dhcp excluded-address 10.0.1.60 10.0.1.200
!
ip dhcp pool LAN
   network 10.0.1.0 255.255.255.0
   default-router 10.0.1.10
   dns-server 10.0.1.200 8.8.8.8
   domain-name MYDOMAIN
   lease infinite
!
!
ip name-server 10.0.1.200
ip name-server 8.8.8.8
ip inspect log drop-pkt
ip inspect name Firewall cuseeme
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall https
ip inspect name Firewall icmp
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall vdolive
!
multilink bundle-name authenticated
!
!
username vpnuser password 0 vpnuser
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group remote-users
 key password
 dns 10.0.1.200
 wins 10.0.1.200
 domain MYDOMAIN
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set xauthtransform esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode adsl2+
 hold-queue 224 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 10.0.1.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp pap sent-username aliceadsl password 0 aliceadsl
 crypto map clientmap
!
ip local pool ippool 10.16.20.1 10.16.20.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 10.0.1.2
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 10.0.1.60 1056 interface Dialer0 1056
ip nat inside source static tcp 10.0.1.60 1056 interface Dialer0 1056
ip nat inside source static tcp 10.0.1.60 3111 interface Dialer0 3111
ip nat inside source static udp 10.0.1.60 3111 interface Dialer0 3111
ip nat inside source list 101 interface Dialer0 overload
!
access-list 101 remark *** ACL nonat ***
access-list 101 deny   ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 150 remark *** ACL split tunnel ***
access-list 150 permit ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end

Can someone help me?

Thanks a lot

2 Replies

Vishnu Sharma
Level 1

Hi,

I went through the configuration you just pasted and I see split tunneling is not enabled.

I think you are looking for this document:

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

Your configuration:

crypto isakmp client configuration group remote-users
 key password
 dns 10.0.1.200
 wins 10.0.1.200
 domain MYDOMAIN
 pool ippool

Configuration in the document:

crypto isakmp client configuration group vpnclient
 key cisco123
 dns 10.10.10.10
 wins 10.10.10.20
 domain cisco.com
 pool ippool
 acl 101

The acl 101 (split tunneling access-list) is missing from your configuration.

Let me know if this helps.

Thanks,

Vishnu Sharma
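As an added illustration (not code from this thread or from Cisco), the check below applies the diagnosis above to a running-config mechanically. It parses IOS text into commands and their indented sub-commands, then reports a crypto isakmp client configuration group with no acl (the client is pushed a full tunnel, so its Internet traffic arrives on Dialer0 inside the tunnel and would have to turn around on the same outside interface, which the ip nat inside source rules do not translate, and ACL 101 only covers 10.0.1.0/24 in any case), an acl that names an undefined access-list, crypto map authentication or authorization lists that no aaa line defines (the posted config's xauth list userauthen does not match the defined xauthlist), and type-0 credentials such as username vpnuser password 0 vpnuser. The sample config is constructed from the relevant lines of the post with IOS's one-space sub-command indentation restored; parse_sections, audit and add_split_tunnel_acl are names chosen here, and the fix function applies the answer's change (acl 150 under remote-users, using the poster's existing split-tunnel access-list 150).

```python
"""Lint a Cisco IOS remote-access VPN config for the split-tunnel problem
discussed in the thread plus a few related findings.

Added example; not the poster's or Cisco's code. POSTED_CONFIG is
constructed from the relevant lines of the posted running-config.
"""
import re

# Constructed sample: the relevant lines of the posted config, with IOS's
# usual one-space indentation of sub-commands restored.
POSTED_CONFIG = """\
aaa new-model
aaa authentication login xauthlist local
aaa authorization network groupauthor local
no service password-encryption
username vpnuser password 0 vpnuser
crypto isakmp client configuration group remote-users
 key password
 dns 10.0.1.200
 wins 10.0.1.200
 domain MYDOMAIN
 pool ippool
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
ip local pool ippool 10.16.20.1 10.16.20.200
access-list 101 remark *** ACL nonat ***
access-list 101 deny   ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 150 remark *** ACL split tunnel ***
access-list 150 permit ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
"""


def parse_sections(config):
    """Return [(command, [sub-commands])]: indented lines belong to the
    nearest preceding top-level command; '!' separators are dropped."""
    sections = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] in " \t" and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def _names(pattern, commands):
    """Set of the first capture group of `pattern` over matching commands."""
    return {m.group(1) for m in map(re.compile(pattern).match, commands) if m}


def audit(config):
    """Return a list of finding strings; an empty list means nothing flagged."""
    sections = parse_sections(config)
    top = [cmd for cmd, _ in sections]
    acls = _names(r"access-list (\S+) ", top)
    login_lists = _names(r"aaa authentication login (\S+) ", top)
    authz_lists = _names(r"aaa authorization network (\S+) ", top)
    findings = []

    for cmd, children in sections:
        m = re.match(r"crypto isakmp client configuration group (\S+)", cmd)
        if not m:
            continue
        group = m.group(1)
        acl = next((c.split()[1] for c in children if c.startswith("acl ")), None)
        if acl is None:
            # No split-tunnel ACL is pushed, so the client tunnels everything,
            # Internet-bound traffic included, into the router.
            findings.append(f"group {group}: no 'acl', client gets a full tunnel")
        elif acl not in acls:
            findings.append(f"group {group}: acl {acl} is referenced but not defined")

    for cmd in top:
        m = re.match(r"crypto map (\S+) client authentication list (\S+)", cmd)
        if m and m.group(2) not in login_lists:
            findings.append(f"crypto map {m.group(1)}: xauth list {m.group(2)} "
                            "has no 'aaa authentication login' definition")
        m = re.match(r"crypto map (\S+) isakmp authorization list (\S+)", cmd)
        if m and m.group(2) not in authz_lists:
            findings.append(f"crypto map {m.group(1)}: authorization list {m.group(2)} "
                            "has no 'aaa authorization network' definition")
        if " password 0 " in f" {cmd} ":
            findings.append(f"type-0 (cleartext) credential: {cmd}")
    if "no service password-encryption" in top:
        findings.append("no service password-encryption: new passwords are "
                        "written to the config in cleartext")
    return findings


def add_split_tunnel_acl(config, group, acl):
    """Apply the fix from the answer: add 'acl <n>' to the named group."""
    out, in_group = [], False
    for line in config.splitlines():
        if in_group and not line.startswith((" ", "\t")):
            out.append(f" acl {acl}")
            in_group = False
        out.append(line)
        if line.strip() == f"crypto isakmp client configuration group {group}":
            in_group = True
    if in_group:  # the group was the last block in the config
        out.append(f" acl {acl}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit(POSTED_CONFIG):
        print("before:", f)
    for f in audit(add_split_tunnel_acl(POSTED_CONFIG, "remote-users", "150")):
        print("after: ", f)
```

Split tunneling restores Internet access by sending only 10.0.1.0/24 through the VPN; everything else leaves through the remote user's own connection and never crosses the office router, so it is outside any inspection the router does (the posted config defines ip inspect name Firewall but does not apply it to an interface). Keeping the full tunnel and instead hairpinning the VPN users' traffic back out Dialer0 with NAT is a different change from the one in the answer.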

Thanks Vishnu !

Now the remote user can browse the LAN and internet too :-)

My fault anyway... I think I read the config too quickly and did not see the missing acl :-(