08-08-2012 01:52 AM
Hi,
I have recently configured a site-to-site VPN on a Cisco 800 series router; the ISP provides us a public IP. The configuration below works for internet access, but when I add the crypto map command under interface Dialer0, the internet connection goes down and I cannot ping outside either. Please look at the config and advise.
hostname VPN
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
!
aaa session-id common
!
!
dot11 syslog
ip cef
ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.202
!
ip dhcp pool LOCAL
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1 255.255.255.0
lease 8
!
!
!
username user password 0 cisco
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco.12345 address xx.xx.yy.yy
!
!
crypto ipsec transform-set VPN1 esp-3des esp-md5-hmac
!
crypto map LOCACTION1-VPN 10 ipsec-isakmp
set peer xx.xx.yy.yy
set transform-set VPN1
match address 130
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname **username**
ppp chap password 0 **password**
ppp pap sent-username **username** password 0 **password**
crypto map LOCACTION1-VPN
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 120 interface Dialer0 overload
!
access-list 120 permit ip any any
access-list 130 permit ip any any
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end
NOTE: I tried configuring a separate sub-interface for ATM0 (interface ATM0.2 point-to-point) and gave it the values, but the problem is still the same.
08-08-2012 09:49 AM
While I do understand the logic of John's suggestion to post in the VPN forum, I believe that this post is about problems that are not just VPN related and therefore posting in this forum is appropriate from my point of view.
Part of the reason why Internet access fails when the crypto map is applied is that the access list used for the IPSec encryption does a permit ip any any. So when the crypto map is applied to the interface then ALL traffic is encrypted and attempts to go through the VPN. So in a sense this problem is a problem with routing since you have introduced a condition that changes how you attempt to forward traffic to the Internet.
I will also point out that the access list used to control address translation also does a permit ip any any. So as you try to send traffic out the VPN you will also be trying to translate the addresses. I believe that this also causes a problem.
So the solution to the issues is probably to rewrite access lists 120 and 130 to more specifically identify what traffic should go through the VPN and what traffic should have its address translated.
HTH
Rick
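One way to apply Rick's suggestion, shown here as an added example and not as configuration from the original post: access list 130 is narrowed to the two LANs that should be encrypted, and access list 120 first denies that same LAN-to-LAN traffic so it is not translated before it reaches the crypto map. 192.168.2.0/24 is the LAN from the posted config; the remote LAN 192.168.3.0/24 is an assumption standing in for whatever sits behind peer xx.xx.yy.yy.

```cisco
! Added example, not the poster's running config.
! 192.168.2.0/24 is the local LAN from the posted config.
! 192.168.3.0/24 is an ASSUMED remote LAN behind peer xx.xx.yy.yy.
!
! Crypto ACL: only LAN-to-remote-LAN traffic is "interesting" for IPsec.
! With "permit ip any any" here, every packet leaving Dialer0 (including
! plain internet traffic) was being matched into the tunnel.
no access-list 130
access-list 130 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! NAT ACL: exempt the VPN traffic from translation, then overload the rest.
! Order matters: the deny must come before the permit, because NAT is
! evaluated before the crypto map on the outbound path and a translated
! source address would no longer match access list 130.
no access-list 120
access-list 120 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 any
!
! Existing references stay as they are:
!   crypto map LOCACTION1-VPN 10 ipsec-isakmp -> match address 130
!   ip nat inside source list 120 interface Dialer0 overload
```

After changing a crypto ACL that a crypto map already references, clear any existing security associations (clear crypto session) so the new match is used, then check with show crypto ipsec sa that only the LAN-to-LAN proxy identities appear, and with show ip nat translations that no entries exist for 192.168.3.x destinations while internet-bound traffic is still translated to the Dialer0 address.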
08-08-2012 02:28 AM
Hi Mohamed,
Please move your post to the Security section (VPN) so that I or other folks can help you troubleshoot. Thanks!