VPN connects but internet surfing stops

Answered Question
Jun 8th, 2009
User Badges:

Dear All,


When I connect to my company network via the Cisco VPN client, it successfully connects and all the required applications run, BUT

Internet traffic stops, resulting in no browsing, etc.


Please advise whether I need to check the VPN client's configuration or add something to my Cisco 2811 router.


Regards,


Junaid

Correct Answer
Todd Pula Mon, 06/08/2009 - 13:25
User Badges:
  • Silver, 250 points or more

There are two ways to achieve this. If you want your users to use their local ISP gateway, you will want to configure split tunneling for the client group. Split tunneling is configured on the router and identifies what networks are to be protected via the tunnel. Alternatively, you can tunnel all traffic from the client to the hub router when connected and then configure hairpin routing for Internet access. Below are sample configs of each.


EasyVPN w/ Split Tunneling Sample:


http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd80313bf8.pdf


VPN Client Public Internet On A Stick:


http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

junshah22 Mon, 06/08/2009 - 23:52
User Badges:

Hi,


You provided a link to:

Router and VPN Client for Public Internet on a Stick Configuration Example

The author used some IP addresses which are not mentioned in the diagram. I have found this kind of mistake in so many examples.

Can you please explain:

interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly

Where is 10.11.0.1???



Farrukh Haroon Tue, 06/09/2009 - 01:45
User Badges:
  • Red, 2250 points or more

Dear Junaid


In the hairpinning scenario the VPN client traffic arrives at the outside interface and exits using the same interface.


The loopback is used because the Cisco router's NAT feature requires (at least in old versions) that you specify the NAT inside and outside interfaces. So traffic from VPN clients is policy routed to the loopback interface (inside), which is then translated at the Internet interface (outside).


Regards


Farrukh

junshah22 Tue, 06/09/2009 - 05:51
User Badges:

Dear Farrukh,


Thanks for your explanation,,



Regards,


Junaid

junshah22 Wed, 06/10/2009 - 00:51
User Badges:

Dear,


I am currently using the first method, XAUTH AND SPLIT TUNNELING.

I successfully connect to my network and at the same time the Internet runs on the remote PC, but the remote PC is unable to use resources inside my network.

I have placed a Cisco ASA 5510 right next to my router; servers are connected to its DMZ interface.

Do I need to add NAT?

If I add

ip nat inside (at the inside interface)
and
ip nat outside (at the outside interface) of the router, and make an ACL

access-list 160 permit ip any any
access-list 160 permit tcp any any

ip nat inside source list 160 interface fastethernet 0/1 overload

By adding these commands, my remote PC starts connecting to my internal network, but its Internet service stops...


Please HELP


Regards,


Junaid

Farrukh Haroon Wed, 06/10/2009 - 06:01
User Badges:
  • Red, 2250 points or more

You need to change the ACL on the router; currently it's going to policy route/NAT all traffic from VPN clients out to the Internet. Deny the Remote Site >> HQ subnets traffic in the ACL.


And of course you need to permit this in the ASA as well.


Regards


Farrukh

junshah22 Thu, 06/11/2009 - 20:04
User Badges:

Dear Farrukh,


I am sending you the router configuration in this post and the ASA configuration in the next post. Please review them and advise.


ROUTER CONFIG
-------------
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

boot-start-marker
boot-end-marker

enable secret 5 $1$xxxxxxxxxxxxxxxxxxxxChhf0
enable password xxxxxxx
aaa new-model

aaa authentication login userlist local
aaa authorization network vpnclient local
aaa session-id common
resource policy

memory-size iomem 15
clock timezone - 0 6
no ip source-route

ip cef

ip domain name millat.com.pk
ip name-server 10.16.6.11
ip name-server 10.16.7.12

voice-card 0
no dspfarm

username Junaid privilege 15 secret 5 $1$xxxxxxxxxxxxxxxxxxtguY.
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group vpnclient
key cisco123
dns 192.168.1.17
wins 192.168.1.17
domain millat.com.pk
pool dynpool
acl 150
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac

crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route

crypto map dynmap client authentication list userlist
crypto map dynmap isakmp authorization list vpnclient
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap

interface FastEthernet0/0
ip address 192.168.74.1 255.255.255.0
ip access-group Internet in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto

interface FastEthernet0/1
ip address 55.55.55.55 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map dynmap

ip local pool dynpool 192.168.74.150 192.168.74.254
ip route 0.0.0.0 0.0.0.0 55.55.55.57
ip route 192.168.1.0 255.255.255.0 192.168.74.2
ip route 192.168.2.0 255.255.255.0 192.168.74.2
ip route 192.168.3.0 255.255.255.0 192.168.74.2
ip route 192.168.4.0 255.255.255.0 192.168.74.2
ip route 192.168.5.0 255.255.255.0 192.168.74.2
ip route 192.168.6.0 255.255.255.0 192.168.74.2
ip route 192.168.7.0 255.255.255.0 192.168.74.2
ip route 192.168.8.0 255.255.255.0 192.168.74.2
ip route 192.168.9.0 255.255.255.0 192.168.74.2
ip route 192.168.10.0 255.255.255.0 192.168.74.2
ip route 192.168.11.0 255.255.255.0 192.168.74.2
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.1.15 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.1.4 22 interface FastEthernet0/1 22
ip nat inside source static tcp 192.168.74.1 23 interface FastEthernet0/1 23
ip nat inside source static tcp 192.168.1.16 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.16 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.1.16 110 interface FastEthernet0/1 110
ip nat inside source list 160 interface FastEthernet0/1 overload
!
ip access-list extended Internet
permit ip host 10.16.6.11 any
permit ip host 10.16.7.12 any
permit tcp any any eq ftp
permit tcp any any eq smtp
permit tcp any any eq pop3
permit ip host 192.168.2.81 any
permit ip host 192.168.10.7 any
permit ip host 192.168.4.82 any
permit ip host 192.168.4.83 any
permit ip any host 66.241.216.167
permit ip host 192.168.11.11 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.74.0 0.0.0.255 any
permit ip 192.168.35.0 0.0.0.255 any

access-list 150 permit ip any any
access-list 150 permit tcp any any
access-list 160 permit ip any any
access-list 160 permit tcp any any

snmp-server community public RO
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps cpu threshold
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
no cdp run
control-plane
line con 0
password sunroof
line aux 0
line vty 0 4
password Pajero
scheduler allocate 20000 1000
end


junshah22 Thu, 06/11/2009 - 20:10
User Badges:

Here is the ASA configuration
-------------------------
ASA Version 7.0(7)

hostname MTL-ASA
domain-name millat.com.pk

enable password lRxxxxxxxxxxxNh encrypted
names
dns-guard

interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.74.2 255.255.255.0

interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.1.18 255.255.255.0

interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0

interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address

interface Management0/0
nameif management
security-level 100
ip address 192.168.90.1 255.255.255.0
management-only

passwd lRxxxxxxxxxxxxNh encrypted

ftp mode passive

access-list outside_to_DMZ extended permit ip 192.168.74.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_to_DMZ extended permit tcp any any eq 3389
access-list outside_to_DMZ extended permit ip any any
access-list outside_to_DMZ extended permit tcp any any

pager lines 24
logging asdm informational

mtu outside 1500
mtu DMZ 1500
mtu inside 1500
mtu management 1500

no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400

static (DMZ,outside) 192.168.74.0 192.168.1.0 netmask 255.255.255.255
access-group outside_to_DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.74.1 1
route outside 55.55.55.57 255.255.255.248 192.168.74.1 1
route inside 192.168.11.0 255.255.255.0 192.168.20.2 1
route inside 192.168.9.0 255.255.255.0 192.168.20.2 1
route inside 192.168.8.0 255.255.255.0 192.168.20.2 1
route inside 192.168.7.0 255.255.255.0 192.168.20.2 1
route inside 192.168.6.0 255.255.255.0 192.168.20.2 1
route inside 192.168.5.0 255.255.255.0 192.168.20.2 1
route inside 192.168.4.0 255.255.255.0 192.168.20.2 1
route inside 192.168.10.0 255.255.255.0 192.168.20.2 1
route inside 192.168.2.0 255.255.255.0 192.168.20.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

username Junaid password kxxxxxxxxxxxFs0 encrypted privilege 15

http server enable
http 192.168.90.0 255.255.255.0 management

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd lease 3600
dhcpd ping_timeout 50

class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect esmtp
service-policy global_policy global

Cryptochecksum:78xxxxxxxxxxxxxxxxxxcbd55f
: end


junshah22 Thu, 06/11/2009 - 20:12
User Badges:

Dear Farrukh,


Please review the above 2 posts, one containing the router configuration and the second the ASA config.

In this scenario, the remote VPN client connects successfully but is unable to use resources in the network.

At the same time, the remote client's Internet service RUNS.

Please advise me what ACL I should place and in which direction.


Regards,


Junaid

Farrukh Haroon Fri, 06/12/2009 - 21:53
User Badges:
  • Red, 2250 points or more


Change access-list 160 FROM:

access-list 160 permit ip any any
access-list 160 permit tcp any any

TO:

access-list 160 deny ip 192.168.74.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 160 permit ip any any
access-list 160 permit tcp any any

Also I would advise removing this FROM the ASA as it is not required:

no static (DMZ,outside) 192.168.74.0 192.168.1.0 netmask 255.255.255.255


Regards


Farrukh
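
To make the one-line change above concrete, here is an added example (not from this thread or from Cisco) that evaluates an IOS numbered ACL the way the router's NAT process does, first match on wildcard masks with an implicit deny at the end, against flows constructed from addresses in the posted configs. The helper functions, the flow names and the choice of sample hosts are my own.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match the base, 1 bits are don't-care."""
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(base)) & keep)

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST'; SRC/DST = any | host A | A WILDCARD."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[2], tok[3], tok[4:]
        addrs, i = [], 0
        while len(addrs) < 2:
            if rest[i] == "any":
                addrs.append(("0.0.0.0", "255.255.255.255")); i += 1
            elif rest[i] == "host":
                addrs.append((rest[i + 1], "0.0.0.0")); i += 2
            else:
                addrs.append((rest[i], rest[i + 1])); i += 2
        entries.append((action, proto, addrs[0], addrs[1]))
    return entries

def acl_permits(entries, src, dst, proto="tcp"):
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    for action, p, (sb, sw), (db, dw) in entries:
        if p in ("ip", proto) and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False
# ACL 160 as posted in the router config, and as changed in the reply above.
ACL160_BEFORE = """
access-list 160 permit ip any any
access-list 160 permit tcp any any
"""
ACL160_AFTER = """
access-list 160 deny ip 192.168.74.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 160 permit ip any any
access-list 160 permit tcp any any
"""
# Constructed flows from addresses in the posted configs: a dynpool client, the RDP server in the ASA DMZ, the Internet host in the "Internet" ACL.
FLOWS = {
    "vpn_client_to_dmz_server": ("192.168.74.150", "192.168.1.15"),
    "vpn_client_to_internet": ("192.168.74.150", "66.241.216.167"),
    "lan_host_to_internet": ("192.168.1.16", "66.241.216.167"),
}
def nat_decisions(acl_text):
    """True means 'ip nat inside source list 160 ... overload' would translate the flow."""
    acl = parse_acl(acl_text)
    return {name: acl_permits(acl, s, d) for name, (s, d) in FLOWS.items()}
```

With the original ACL 160 every flow is translated, including the VPN client talking to the DMZ server, which is why that traffic was PAT'ed out of FastEthernet0/1 instead of reaching the server; with the deny entry first, only the Internet-bound flows still match the NAT list.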

junshah22 Sat, 06/13/2009 - 04:19
User Badges:

Dear Farrukh,


In the crypto isakmp client configuration group vpnclient, I used ACL 150, which is not available in the configuration right now.

Should I change that ACL from 150 to 160,

so that ACL 160 will be used for both crypto and overload?


Please advise


Regards,


Junaid

Farrukh Haroon Sat, 06/13/2009 - 04:51
User Badges:
  • Red, 2250 points or more

No, that is an alternative method to control this, but in the solution I proposed you don't need to change anything in ACL 150.

Just change the ACL I mentioned (160) and test. Alternatively you can use ACL 150 to control the split tunnelling.


Regards


Farrukh
