Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
554
Views
0
Helpful
8
Replies

VPN Tunnel Traffic can't get to the Internet

travis-dennis_2
Level 7
Level 7

‎06-25-2002 08:24 PM - edited ‎02-21-2020 11:50 AM

I have a 3002 in network extension mode on a 10.0.3.x subnet coming into a 3005 with an inside interface of 10.0.0.21. Central site is a 10.0.0.x. I have an inside router to tell the 10.0.3.x traffic to go ove to the inside interface of the 3005 and all Internet traffic to take the next hop which is a PIX at 10.0.0.25 to get out to the Internet. Perimeter router is a 3640 with a public IP. The 3002 traffic gets to network resources fine and I even have an IP Phone behind it as well that is working but the 3002 traffic cannot get back out to the Internet. For security reasons I can't allow split tunneling. Here is my inside router config. I think the 3002 packets are looping as the router sends all 10.0.2.x traffic to the 3005 but the 3005 then sends all internet traffic back to the same router. The tunnel default gateway is 10.0.0.18 but I have tried it as 10.0.0.25 but no luck.

interface FastEthernet0/0

ip address 10.0.0.18 255.255.255.0

no ip directed-broadcast

speed auto

full-duplex

no cdp enable

!

interface FastEthernet0/1

no ip address

no ip directed-broadcast

shutdown

speed auto

full-duplex

no cdp enable

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.0.0.25

ip route 10.0.3.0 255.255.255.0 10.0.0.21

no ip http server

!

dialer-list 1 protocol ip permit

dialer-list 1 protocol ipx permit

!

line con 0

exec-timeout 0 0

transport input none

line aux 0

line vty 0 4

Any Ideas?

Labels:
0 Helpful
8 Replies 8

paqiu
Level 1
Level 1

‎06-25-2002 11:05 PM

1 Please double check your PIX, you have nat and global also include 10.0.3.0/24 to going out the internet.

2 Please enable reverse routing ejection for the harware client in the VPN 3000, it will help to resolve the routing issues there.

Here is the link how to enable it. It looks complex, actually just one click in both VPN 3000 and VPN 3002:

http://www.cisco.com/warp/customer/471/rri.html

0 Helpful

travis-dennis_2
Level 7
Level 7
In response to paqiu

‎06-26-2002 04:25 PM

I was able to do it on the 3005 but could not find it on the 3002 and TAC said it can't be done on the 3002 even though the link you sent me says it can. I have a proper software load on the 3002 according to the paper. I have 3.5.2 and the paper saids anything above 3.5 should do. Any thoughts? My PIX is set up to allow any subnet out by nat using the global.

0 Helpful

edadios
Cisco Employee
Cisco Employee
In response to travis-dennis_2

‎06-26-2002 05:30 PM

Does the pix have a route inside for the vpn3002 subnet pointed to the inside router? Actually, if you try and ping the inside of the pix from the client side, do you get a reply?

0 Helpful

paqiu
Level 1
Level 1
In response to travis-dennis_2

‎06-26-2002 05:41 PM

For reverse routing ejection, you do not need to do anything in the 3002 end.

Only enable it on the 3005 end, please turn down the tunnel between the 3002 and 3005, then rebuild the tunnel.

After that, the remote network behind 3002 will show up in the routing table on 3005.

After that, try to do a ping to your PIX inside interface ip address, make sure you can reach to the PIX inside interface. Otherwise, you still have some routing issues between the VPN 3005 and PIX.

0 Helpful

travis-dennis_2
Level 7
Level 7
In response to paqiu

‎06-26-2002 06:06 PM

Thatnks Paul, The 3002 is now shwing up on the routeing table on the 3005 byt the 3002 still cannot ping the PIX. Can you take a look at this config on the inside router and tell me what might be wrong?

ip subnet-zero

!

!

!

!

interface FastEthernet0/0

ip address 10.0.0.18 255.255.255.0

no ip directed-broadcast

speed auto

full-duplex

no cdp enable

!

interface FastEthernet0/1

no ip address

no ip directed-broadcast

shutdown

speed auto

full-duplex

no cdp enable

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.0.0.25

ip route 10.0.3.0 255.255.255.0 10.0.0.21

no ip http server

!

dialer-list 1 protocol ip permit

dialer-list 1 protocol ipx permit

!

line con 0

exec-timeout 0 0

transport input none

line aux 0

line vty 0 4

password cisco

login

!

end

0 Helpful

edadios
Cisco Employee
Cisco Employee
In response to travis-dennis_2

‎06-26-2002 06:33 PM

Check the pix, you need a route inside statement there as well for the 10.0.3.X back to the router.

0 Helpful

paqiu
Level 1
Level 1
In response to travis-dennis_2

‎06-26-2002 06:36 PM

The router cofig is good.

Please upload the PIX config here and I will take a look.

Do you have "route inside 10.0.3.0 255.255.255.0 (your router's ip address)"

I guess you might have not config the return route in the PIX.

Best Regards,

0 Helpful

paqiu
Level 1
Level 1

‎06-26-2002 06:41 PM

Actually, you only need "route inside 10.0.3.0 255.255.255.0 10.0.0.21" on the PIX will do.

You do not need the router to do the routing for you.

Because the inside interface of the 3005 10.0.0.25 and inside interface of the PIX 10.0.0.25 is in the same subnet.

Best Regards,

0 Helpful
Customers Also Viewed These Support Documents