Cisco 881 ADSL - Clients Internet traffic sent over VPN

Alekin
Level 1

I'm hoping I can get some help here please. I have a number of remote sites, all set up the same way with a Cisco 881 ADSL router which connects back to HQ using an IPsec tunnel. Their internal-bound traffic goes over the VPN as we expect, but recently we are seeing external/Internet-bound traffic coming over the VPN as well. Of course this is being blocked by the HQ firewall, which means our remote office users are not able to access the Internet at the moment.

When I ping 8.8.8.8 or any address on the Internet from the remote site router I get a response and the trace completes, but it fails for the office users if they do the same test on a laptop.

When I ask a user to trace to an external site they do not get past their default gateway, which is Vlan1. But a trace to an address in the head office completes with no issues. I do not see where a blanket change has been made to affect all sites in the same way; I need to look at workarounds to fix this issue though.

I'm trying to see if there's a way I can force the user Internet traffic to use the WAN instead of the VPN.

Below is the main config from my branch ADSL router:

!
crypto ikev2 proposal abc
encryption aes-cbc-256
integrity sha256
group 19
!
crypto ikev2 policy abc-policy
match fvrf any
proposal abc
!
crypto ikev2 keyring abc-keyring
peer peer1
address 215.150.60.15
pre-shared-key local rxHCCC9vSURynfPz
pre-shared-key remote rxHCCC9vSURynfPz
!
!
crypto ikev2 profile abc-profile
match identity remote address 172.16.28.52 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local abc-keyring
!
!
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set abc-aes256-sha256 esp-aes 256 esp-sha256-hmac
mode tunnel
!
!
crypto map PathToHQ 1 ipsec-isakmp
description Link to HQ
set peer 215.150.60.15
set security-association lifetime seconds 28800
set transform-set abc-aes256-sha256
set pfs group19
set ikev2-profile abc-profile
match address 100
!
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 10.6.6.1 255.255.255.0
ip helper-address 10.30.20.101
ip helper-address 172.30.20.101
no autostate
!
interface Dialer0
description
ip address negotiated
encapsulation ppp
ip tcp adjust-mss 1370
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXXXXXXXXXXXXXXXX
ppp chap password 5 XXXXXXXXXXXXXXXXXX
ppp ipcp dns request
ppp ipcp wins request
crypto map PathToHQ
hold-queue 224 in
!
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip tacacs source-interface Vlan1
ip ssh dscp 40
!
!
access-list 100 permit ip 10.6.6.0 0.0.0.255 any

My users are not using any VPN clients; they connect to the VLAN switch on the ADSL router, so they are in Vlan1 but get assigned an IP from the HQ DHCP.

This is my routing table:
S* 0.0.0.0/0 is directly connected, Dialer0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.6.6.0/24 is directly connected, Vlan1
L 10.6.6.1/32 is directly connected, Vlan1
98.0.0.0/32 is subnetted, 1 subnets
C 98.78.211.102 is directly connected, Dialer0
62.101.72.0/32 is subnetted, 1 subnets
C 62.101.72.18 is directly connected, Dialer0

NAT has never been configured on the ADSL routers, to the best of my knowledge.

Appreciate any support and guidance.

Accepted Solution

Alekin
Level 1

This issue is now resolved; I raised a ticket with my ISP and they corrected a DNS configuration. All my sites can now access the Internet.

3 Replies

Giuseppe Larosa
Hall of Fame

Hello @Alekin ,

The extended ACL defining the interesting traffic should not use the any keyword:

access-list 100 permit ip 10.6.6.0 0.0.0.255 any

This should be:

access-list 100 permit ip 10.6.6.0 0.0.0.255 10.0.0.0 0.255.255.255

or the HQ address block, whatever it is (the private portion).

This explains why Internet traffic is sent over the IPsec tunnel.

Hope to help

Giuseppe
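
To make Giuseppe's point concrete, here is an added Python example (not from the thread or from Cisco) that applies Cisco wildcard-mask matching to the crypto ACL as posted and to the narrowed one he proposed; the branch host 10.6.6.50 is a constructed value, while the destinations are the two helper addresses and 8.8.8.8 taken from the post.

```python
"""Classify traffic against a Cisco crypto ACL (added example, not from the post).

IOS treats a packet as "interesting" when its source/destination match a permit
entry in the crypto map's ACL and encrypts it into the IPsec tunnel. Anything
else is routed normally, which on the posted router means out Dialer0.
"""
import ipaddress


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; wildcard 1-bits are don't-care."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(tok))
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens.pop(0)))
    return addr & mask, mask


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' (the only form used here)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    rest = tokens[4:]
    return tokens[2], _parse_addr(rest), _parse_addr(rest)


def _hit(spec, ip):
    net, mask = spec
    return int(ipaddress.IPv4Address(ip)) & mask == net


def classify(acl, src_ip, dst_ip):
    """First matching ACE wins; a crypto ACL ends with an implicit deny."""
    for line in acl:
        action, src, dst = parse_ace(line)
        if _hit(src, src_ip) and _hit(dst, dst_ip):
            return "tunnel" if action == "permit" else "clear"
    return "clear"


ACL_POSTED = ["access-list 100 permit ip 10.6.6.0 0.0.0.255 any"]
ACL_NARROWED = ["access-list 100 permit ip 10.6.6.0 0.0.0.255 10.0.0.0 0.255.255.255"]


def compare(src_ip="10.6.6.50"):
    """Constructed branch host vs. the HQ helper addresses and 8.8.8.8 from the post."""
    return {dst: (classify(ACL_POSTED, src_ip, dst), classify(ACL_NARROWED, src_ip, dst))
            for dst in ("10.30.20.101", "172.30.20.101", "8.8.8.8")}


if __name__ == "__main__":
    for dst, (posted, narrowed) in compare().items():
        print(f"{dst:>14}: posted ACL -> {posted:6} narrowed ACL -> {narrowed}")
```

Note that 172.30.20.101, one of the helper addresses in the posted config, falls outside 10.0.0.0/8, so the narrowed ACL has to list every HQ block the branch reaches. Traffic that no longer matches is routed out Dialer0 unencrypted, and the post states that no NAT is configured on the branch router.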

Hi Giuseppe,

Thanks for your response, that makes perfect sense, but that means I need to identify the Microsoft destinations for O365 which transit the internal network.

I will test the ACL without 'any' as a workaround, but I think this might impact my users' ability to access Outlook as this traffic needs to be NATted behind our HQ firewall.

What's bugging me is that something seems to have changed external to our network to affect more than 10 sites. Seems like I'm stuck between a rock and a hard place!
