INTERNET is not working while VPN ON

CSCO11638397
Level 1

Hi,

I have been working for a week to resolve an issue on a Cisco Easy VPN network-extension setup. While the VPN is connected, the Internet is not working. I thought it was from the remote side; now I believe it might be a server-side configuration issue, because I have tried the same remote-side config in several places and the user loses Internet access each time. I can still ping 4.2.2.2 from the router itself. Please help me to solve this issue.

HO Router config


!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
memory-size iomem 15
ip cef
!
!
!
!

!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group Head-office
key pass123
pool ippool
acl 101
save-password
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address xx.xx.xx.xy 255.255.255.248
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map clientmap
!
interface FastEthernet0/1
ip address 192.168.0.166 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip local pool ippool 10.10.10.10 10.10.10.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.yx
!

ip http server
ip http secure-server
ip dns server
ip nat inside source list 111 interface FastEthernet0/0 overload
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.172.16.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 permit ip 192.168.0.0 0.0.0.255 any log
access-list 111 deny ip host 192.168.0.16 any
access-list 111 deny ip host 192.168.0.16 any log
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255 log
access-list 111 deny ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.172.16.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
access-list 133 deny ip host 192.168.0.16 10.10.10.0 0.0.0.255
!

Remote office

Router#show run
Building configuration...

Current configuration : 2243 bytes
!
! Last configuration change at 08:34:12 UTC Tue Sep 18 2012
! NVRAM config last updated at 08:34:14 UTC Tue Sep 18 2012
! NVRAM config last updated at 08:34:14 UTC Tue Sep 18 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 6Uhgk1ATmwo4j3eoSZScCqsB/Q1llvengtFuqfN8mh6
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
ip name-server m
ip name-server m
no ipv6 cef
!
!
!
username user password 0 cisco
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
crypto ipsec client ezvpn REMOTE-OFFICE-VPN
connect auto
group Head-office key pass123
mode network-extension
peer xx.xx.xx.xy
username user password cisco
xauth userid mode local
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 10.200.192.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
crypto ipsec client ezvpn REMOTE-OFFICE-VPN inside
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname xxxxxxx
ppp chap password 0 yyyyy
crypto ipsec client ezvpn REMOTE-OFFICE-VPN
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 120 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 120 deny ip 10.200.192.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 10.200.192.0 0.0.0.255 any

Note: no issue when using the VPN client software
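Added example (not from the post or from Cisco): a small Python checker that replays the posted split-tunnel ACL 101 and the remote router's NAT ACL 120 against sample flows from the remote LAN and reports which path each flow takes, plus a check for split entries that NAT would also translate. It assumes the NEM client installs the pushed extended ACL mirrored (server source becomes client destination), and the ACL parser and path labels are my own.

```python
import ipaddress

# Constructed from the thread's configs: the HO server's split-tunnel ACL 101
# (HO side: src = HO LAN, dst = remote nets) and the remote NAT ACL 120 (Dialer0).
SPLIT_ACL_101 = """
permit ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 10.172.16.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
"""
NAT_ACL_120 = """
deny ip 10.200.192.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 10.200.192.0 0.0.0.255 any
"""

def _net(tok):
    """Consume 'any' or 'A.B.C.D WILDCARD' (assumes contiguous wildcard masks)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    prefix = 32 - int(ipaddress.ip_address(tok[1])).bit_length()
    return ipaddress.ip_network(f"{tok[0]}/{prefix}", strict=False), tok[2:]

def parse_acl(text):
    """Return [(is_permit, src_net, dst_net)] for 'permit|deny ip SRC DST' lines."""
    rules = []
    for line in text.strip().splitlines():
        action, _proto, *rest = line.split()
        src, rest = _net(rest)
        dst, _ = _net(rest)
        rules.append((action == "permit", src, dst))
    return rules

def acl_permits(rules, src, dst):
    """First-match evaluation with IOS's implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((p for p, sn, dn in rules if s in sn and d in dn), False)

def classify(src, dst, split=SPLIT_ACL_101, nat=NAT_ACL_120):
    """Remote-router decision for a LAN packet. Assumes the pushed ACL is mirrored
    (server src = client dst); IOS NATs inside->outside before encrypting."""
    tunneled = acl_permits(parse_acl(split), dst, src)
    natted = acl_permits(parse_acl(nat), src, dst)
    if tunneled:
        return "nat-before-crypto-leak" if natted else "tunnel"
    return "internet-via-nat" if natted else "unnatted-no-return-path"

def split_nat_conflicts(split=SPLIT_ACL_101, nat=NAT_ACL_120):
    """Mirrored split entries that the NAT ACL would also translate."""
    nat_rules = parse_acl(nat)
    return [(str(sn), str(dn)) for _, sn, dn in parse_acl(split)
            if acl_permits(nat_rules, dn.network_address, sn.network_address)]
```

For the posted lists a packet from the remote LAN to 4.2.2.2 is classified as NAT-to-Internet and no split entry collides with the NAT list, so the split-tunnel/NAT relationship the thread is asking about is consistent on the remote side.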

18 Replies

Here is a sample LAN-to-LAN vpn configuration between 2 IOS routers:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml

and yes, it works the same as NEM.

You can downgrade it by just TFTP-ing the image to the router and configuring the "boot system flash:" command.

Then "wr mem", and reload the router.

Hi,

I have tried the same config on another IOS version, still the same issue, cannot access the Internet. For LAN-to-LAN both locations need routable IPs; in my case I have only one routable IP at HO, and need a solution using the HO IP. Any idea?

ADSL#show version
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 16:47 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

ADSL uptime is 8 minutes
System returned to ROM by power-on
System image file is "flash:c870-advipservicesk9-mz.124-15.T1.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 877 (MPC8272) processor (revision 0x200) with 118784K/12288K bytes of memory.
Processor board ID FCZ1125247P
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

Ashley Sahonta
Level 1

I would recommend using a standard ACL for your split-tunnel ACL.
