VPN works but not Internet from one site

Unanswered Question
Mar 11th, 2007

Hi, I have three 876s and I want to make a tunnel so I can have a VPN to my networks. When I connect two of them, the tunnel works but I don't have Internet from my second network! Here's my startup-config.

no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
ip name-server 195.170.0.2
vpdn enable
!
!
!
crypto pki trustpoint TP-self-signed-3526170264
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3526170264
 revocation-check none
 rsakeypair TP-self-signed-3526170264
!
!
crypto pki certificate chain TP-self-signed-3526170264
 certificate self-signed 01 nvram:IOS-Self-Sig#3402.cer
username xxxxx privilege 15 password xxxxx
!
!
no crypto isakmp enable
!
!
!
interface Tunnel0
 ip address 192.168.100.2 255.255.255.0
 no ip redirects
 no ip proxy-arp
 tunnel source staticIP
 tunnel destination staticIP
 tunnel key xxxxxx
 tunnel path-mtu-discovery
!
interface Tunnel1
 ip address 192.168.200.2 255.255.255.0
 no ip redirects
 no ip proxy-arp
 tunnel source staticIP
 tunnel destination staticIP
 tunnel key xxxxx
 tunnel path-mtu-discovery
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 172.16.1.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username xxxxxxx password xxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.16.0.0 255.255.255.0 Tunnel0
ip route 172.16.2.0 255.255.255.0 Tunnel1
!
ip http server
ip http secure-server
ip nat pool internet staticIP staticIP netmask 255.255.255.0
ip nat inside source list 10 pool internet overload
!
access-list 10 permit 172.16.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 password xxxxxx
 logging synchronous
 login
 no modem enable
 transport output all
 stopbits 1
line aux 0
 transport output all
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 password xxxxxx
 login local
 transport preferred telnet
 transport input telnet
 transport output all
!
scheduler max-task-time 5000
end

I think my problem is somewhere in the dynamic NAT. Please help!

ggilbert Mon, 03/12/2007 - 10:04

How about you change ACL 10 to an extended ACL and apply it to the NAT statement:

access-l 100 per ip 172.16.1.0 0.0.0.255 any

ip nat inside source list 100 pool internet overload

Also, you might want to add a deny entry for the remote GRE network you are trying to access.

Let's say your remote GRE network is 172.16.0.0/24; then your ACL 100 should look like:

access-l 100 deny ip 172.16.1.0 0.0.0.255 172.16.0.0 0.0.0.255

access-l 100 permit ip 172.16.1.0 0.0.0.255 any

Let me know if this works out.

Thanks

Gilbert
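To see why the deny entry matters, here is a small simulator of the NAT access-list match step, written for this thread and not part of the poster's or Gilbert's configuration. It applies IOS wildcard-mask matching with first-match and implicit-deny semantics to the posted standard ACL 10 and to the extended ACL 100 from the reply; it models only the access-list decision, not the inside/outside interface direction that IOS also requires before translating a packet. The addresses used are the ones in the thread; the host addresses (.20, .10) are constructed for the example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    """One IOS access-list line. Wildcard masks use IOS semantics:
    a 0 bit means 'must match', a 1 bit means 'don't care'."""
    action: str                        # "permit" or "deny"
    src: str
    src_wild: str
    dst: str = "0.0.0.0"               # a standard ACL has destination "any"
    dst_wild: str = "255.255.255.255"  # ... which is 0.0.0.0 with all-ones wildcard

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (a & care) == (b & care)

def nat_applies(acl: list[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; 'permit' selects the packet for translation.
    No match falls through to the implicit 'deny any', i.e. no NAT."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action == "permit"
    return False

# access-list 10 permit 172.16.1.0 0.0.0.255   (from the posted config)
ACL_10 = [AclEntry("permit", "172.16.1.0", "0.0.0.255")]

# access-l 100 deny ip 172.16.1.0 0.0.0.255 172.16.0.0 0.0.0.255
# access-l 100 permit ip 172.16.1.0 0.0.0.255 any   (from the reply)
ACL_100 = [
    AclEntry("deny", "172.16.1.0", "0.0.0.255", "172.16.0.0", "0.0.0.255"),
    AclEntry("permit", "172.16.1.0", "0.0.0.255"),
]

def compare(src: str, dst: str) -> dict[str, bool]:
    """Return whether each ACL would select this flow for NAT."""
    return {"acl10": nat_applies(ACL_10, src, dst), "acl100": nat_applies(ACL_100, src, dst)}

if __name__ == "__main__":
    lan_host = "172.16.1.20"                       # constructed host on Vlan1
    for dst in ("172.16.0.10", "172.16.2.10", "195.170.0.2"):
        print(f"{lan_host} -> {dst}: {compare(lan_host, dst)}")
```

The run also shows that ACL 100 as written still selects traffic to 172.16.2.0/24 (the network routed via Tunnel1 in the posted config) for translation, so that second remote LAN would need its own deny entry ahead of the permit.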
