10-22-2013 09:14 AM
Hi experts,
I need your help with the details below.
Head office ASA5520========>EZVPN<=======cisco877 Branch
Connectivity from the branch office to the head office is fine, but branch office users are not able to get to the internet locally. Kindly look into the configurations mentioned below.
ASA config:-
ip local pool Aweer-new 192.168.149.1-192.168.149.254 mask 255.255.255.0
username ****** password ******* encrypted
tunnel-group Aweernew type remote-access
tunnel-group Aweernew general-attributes
address-pool Aweer-new
default-group-policy Aweernew
group-policy Aweernew internal
group-policy Aweernew attributes
dns-server value 192.6.14.189 192.6.14.182
vpn-access-hours none
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
ip-comp disable
re-xauth disable
group-lock value Aweernew
pfs disable
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnelacl_Aweer_warehouse
default-domain value jashanmal.ae
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem enable
access-list Outside_cryptomap_65534.520 extended permit ip any 192.168.149.0 255.255.255.0
access-list Outside_cryptomap_dyn_530 extended permit ip any 192.168.149.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.149.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.6.14.0 255.255.255.0 192.168.149.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 192.168.149.0 255.255.255.0
access-list inside_access_in extended permit ip 192.6.14.0 255.255.255.0 192.168.149.0 255.255.255.0
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 192.168.149.0 255.255.255.0
access-list splittunnelacl_Aweer_warehouse extended permit ip 192.6.14.0 255.255.255.0 192.168.149.0 255.255.255.0
access-list splittunnelacl_Aweer_warehouse extended permit ip 10.1.0.0 255.255.0.0 192.168.149.0 255.255.255.0
cisco877 router's config:-
Current configuration : 2632 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AWEER-WH
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.149.1 192.168.149.40
ip dhcp excluded-address 192.168.149.120 192.168.149.126
!
ip dhcp pool DATA
import all
network 192.168.149.0 255.255.255.128
default-router 192.168.149.1
option 150 ip 10.1.2.11 10.1.2.12
!
ip dhcp pool CCTV
import all
network 192.168.149.128 255.255.255.128
default-router 192.168.149.129
!
!
ip name-server 213.42.20.20
!
multilink bundle-name authenticated
!
!
username admin privilege 15 password 0 Admin456
username Aweernew password 0 Admin456
!
!
!
!
!
!
crypto ipsec client ezvpn jashanvpn
connect auto
group AWEER key *******
mode network-extension
peer 83.x.x.x
xauth userid mode interactive
!
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/50
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
description ---Connected to Cisco 2960 SW ------
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.149.1 255.255.255.128
ip nat inside
ip virtual-reassembly
crypto ipsec client ezvpn jashanvpn inside
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname jncaweer
ppp chap password 0 ******
ppp pap sent-username jncaweer password 0 ******
crypto ipsec client ezvpn jashanvpn
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Dialer0 overload
!
access-list 110 deny ip 192.168.149.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny ip 192.168.149.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 192.168.149.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community jash RO
snmp-server location -------AWEER WH----
snmp-server enable traps tty
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server host 192.6.14.196 version 2c jash
!
!
!
route-map nonat permit 10
match ip address 110
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
login local
!
scheduler max-task-time 5000
end
Traceroute from cisco877 router :-
AWEER-WH#traceroute 4.2.2.2 source vla
AWEER-WH#traceroute 4.2.2.2 source vlan 1
Type escape sequence to abort.
Tracing the route to b.resolvers.Level3.net (4.2.2.2)
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
10-22-2013 09:44 AM
Try this command under the ezvpn config mode :
crypto ipsec client ezvpn jashanvpn
nat-allow
Moh.
10-22-2013 10:04 AM
Hi Mohammad
On the ASA or the router, which one should I try this command on?
FYI
AWEER-WH#show crypto ipsec sa
interface: Dialer0
Crypto map tag: Dialer0-head-0, local addr 86.xx.xx.xx
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.149.0/255.255.255.128/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 83.xx.xx.xx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 83541, #pkts encrypt: 83541, #pkts digest: 83541
#pkts decaps: 38658, #pkts decrypt: 38658, #pkts verify: 38658
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 86.98.1.132, remote crypto endpt.: 83.xx.xx.xx
path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0x3BE851E0(1005081056)
inbound esp sas:
spi: 0x63DBA245(1675338309)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Motorola SEC 1.0:1, crypto map: Dialer0-head-0
sa timing: remaining key lifetime (k/sec): (4492265/14482)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3BE851E0(1005081056)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Motorola SEC 1.0:2, crypto map: Dialer0-head-0
sa timing: remaining key lifetime (k/sec): (4487063/14482)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access2
Crypto map tag: Dialer0-head-0, local addr 86.98.1.132
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.149.0/255.255.255.128/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 83.xx.xx.xx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 83541, #pkts encrypt: 83541, #pkts digest: 83541
#pkts decaps: 38658, #pkts decrypt: 38658, #pkts verify: 38658
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 86.98.1.132, remote crypto endpt.: 83.xx.xx.xx
path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0x3BE851E0(1005081056)
inbound esp sas:
spi: 0x63DBA245(1675338309)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Motorola SEC 1.0:1, crypto map: Dialer0-head-0
sa timing: remaining key lifetime (k/sec): (4492265/14482)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3BE851E0(1005081056)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Motorola SEC 1.0:2, crypto map: Dialer0-head-0
sa timing: remaining key lifetime (k/sec): (4487063/14482)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
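The show output above is the key evidence: the remote ident of the SA is 0.0.0.0/0/0/0, so the router is tunnelling every destination to the ASA, not just the two split-tunnel networks, and internet-bound traffic never reaches the local NAT rule on Dialer0. The script below is an added example, not something from this thread or from Cisco; it parses a `show crypto ipsec sa` block in the same format as the post, the ASA split-tunnel ACL, and the IOS ACL behind route-map nonat, and reports the two mismatches a defender would want flagged: a full-tunnel SA, and a split network with no matching NAT-exempt deny on the router. The peer and local addresses in the samples are constructed placeholders (RFC 5737 ranges), and the `diagnose` function and its message wording are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample in the format the router printed in the thread (the failing case):
# the remote proxy identity is 0.0.0.0/0, i.e. everything goes through the tunnel.
SHOW_SA_FULL_TUNNEL = """\
interface: Dialer0
    Crypto map tag: Dialer0-head-0, local addr 198.51.100.10
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.149.0/255.255.255.128/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 203.0.113.5 port 500
     PERMIT, flags={origin_is_acl,}
"""

# Constructed sample of what a healthy split-tunnel negotiation looks like: one SA per
# split network, so internet traffic stays local and is NATed on Dialer0.
SHOW_SA_SPLIT = """\
interface: Dialer0
   local  ident (addr/mask/prot/port): (192.168.149.0/255.255.255.128/0/0)
   remote ident (addr/mask/prot/port): (192.6.14.0/255.255.255.0/0/0)
   current_peer 203.0.113.5 port 500
   local  ident (addr/mask/prot/port): (192.168.149.0/255.255.255.128/0/0)
   remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   current_peer 203.0.113.5 port 500
"""

# ASA split-tunnel ACL as posted: the head-office networks are the source,
# the branch LAN is the destination. ASA ACLs use subnet masks.
ASA_SPLIT_ACL = [
    "access-list splittunnelacl_Aweer_warehouse extended permit ip 192.6.14.0 255.255.255.0 192.168.149.0 255.255.255.0",
    "access-list splittunnelacl_Aweer_warehouse extended permit ip 10.1.0.0 255.255.0.0 192.168.149.0 255.255.255.0",
]

# IOS ACL referenced by route-map nonat: 'deny' entries are exempt from NAT (tunnelled),
# the final 'permit' is what gets PAT'd out of Dialer0. IOS ACLs use wildcard masks.
IOS_NAT_ACL = [
    "access-list 110 deny ip 192.168.149.0 0.0.0.255 192.6.14.0 0.0.0.255",
    "access-list 110 deny ip 192.168.149.0 0.0.0.255 10.1.0.0 0.0.255.255",
    "access-list 110 permit ip 192.168.149.0 0.0.0.255 any",
]

IDENT_RE = re.compile(r"(local|remote)\s+ident .*?:\s*\(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)")


def parse_sa_idents(text):
    """Return (local_net, remote_net) for every SA block in 'show crypto ipsec sa' text."""
    sas, local = [], None
    for m in IDENT_RE.finditer(text):
        side, addr, mask = m.group(1), m.group(2), m.group(3)
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if side == "local":
            local = net
        else:
            sas.append((local, net))
    return sas


def asa_split_networks(lines):
    """Source networks of the ASA split-tunnel ACL, i.e. what should be tunnelled."""
    nets = set()
    for line in lines:
        parts = line.split()
        i = parts.index("ip")  # ... permit ip <src> <srcmask> <dst> <dstmask>
        nets.add(ipaddress.ip_network(f"{parts[i + 1]}/{parts[i + 2]}", strict=False))
    return nets


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair into a network (wildcard is the inverted mask)."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = ipaddress.IPv4Address((~w) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def ios_nat_exempt_networks(lines):
    """Destination networks the router excludes from NAT (the 'deny' lines of the nonat ACL)."""
    nets = set()
    for line in lines:
        parts = line.split()  # access-list N deny ip <src> <srcwc> <dst> <dstwc>
        if len(parts) >= 8 and parts[2] == "deny":
            nets.add(wildcard_to_network(parts[6], parts[7]))
    return nets


def diagnose(sa_text, asa_acl, ios_acl):
    """Return a list of human-readable findings; an empty list means the three views agree."""
    findings = []
    split = asa_split_networks(asa_acl)
    exempt = ios_nat_exempt_networks(ios_acl)
    sas = parse_sa_idents(sa_text)
    if not sas:
        findings.append("no IPsec SAs found in the output")
    for local, remote in sas:
        if remote.prefixlen == 0:
            findings.append(f"full-tunnel SA {local} -> 0.0.0.0/0: split tunnelling is not in effect, "
                            "so internet traffic is sent to the head end instead of being NATed locally")
        elif remote not in split:
            findings.append(f"SA to {remote} is not in the ASA split-tunnel list")
    for net in sorted(split - exempt, key=str):
        findings.append(f"split network {net} has no NAT-exempt deny in the router's nonat ACL")
    return findings


if __name__ == "__main__":
    for label, sample in (("posted output", SHOW_SA_FULL_TUNNEL), ("healthy split tunnel", SHOW_SA_SPLIT)):
        print(f"== {label} ==")
        for f in diagnose(sample, ASA_SPLIT_ACL, IOS_NAT_ACL) or ["no mismatches found"]:
            print(" -", f)
```

To use it against a real device, replace the two sample strings with the output of `show crypto ipsec sa` and the ACL lines from both configs. If the only finding is the full-tunnel SA, the router and ASA NAT rules are already consistent and the question becomes why the split-tunnel list is not being applied to the negotiated proxy identities; if a split network is missing from the nonat ACL, that traffic would be PAT'd out of Dialer0 and never reach the tunnel.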
10-22-2013 10:10 AM
Router.
10-22-2013 10:58 AM
Hi Mohammad,
I tried, but it's still not working.
10-22-2013 12:19 PM
I don't know if it's a good idea to use network extension mode when the client IP pool is the same as the LAN on the client side.
Try changing the IP pool; also post a show crypto ipsec client ezvpn yaddayadda .. and the show crypto stuff on the ASA.
Sent from Cisco Technical Support Android App