VPN connects but internet surfing stops

Answered Question
Jun 8th, 2009

Dear All,

When I connect to my company network via the Cisco VPN client, it successfully connects and all the required applications run, BUT

Internet traffic stops, resulting in no browsing, etc.

Please advise whether I need to check the VPN client's configuration or add something to my Cisco 2811 router.

Regards,

Junaid

Correct Answer by Todd Pula, Mon, 06/08/2009 - 13:25

There are two ways to achieve this. If you want your users to use their local ISP gateway, you will want to configure split tunneling for the client group. Split tunneling is configured on the router and identifies what networks are to be protected via the tunnel. Alternatively, you can tunnel all traffic from the client to the hub router when connected and then configure hairpin routing for Internet access. Below are sample configs of each.

EasyVPN w/ Split Tunneling Sample:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd80313bf8.pdf

VPN Client Public Internet On A Stick:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml


junshah22 Mon, 06/08/2009 - 23:52

Hi,

You provided a link to:

Router and VPN Client for Public Internet on a Stick Configuration Example

The author used an IP address which is not mentioned in the diagram. I have found this kind of mistake in so many examples.

Can you please explain:

interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly

Where is 10.11.0.1?

Farrukh Haroon Tue, 06/09/2009 - 01:45

Dear Junaid

In the hairpinning scenario the VPN client traffic arrives at the outside interface and exits using the same interface.

The loopback is used because the Cisco router's NAT feature requires (at least in old versions) that the NAT inside and outside interfaces be specified. So traffic from VPN clients is policy-routed to the loopback interface (inside), and is then translated at the Internet interface (outside).

Regards

Farrukh
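What Farrukh describes, written out as an added example for the router in this thread. This is not code from the thread or from Cisco's document: it is an IOS 12.4 "Internet on a stick" fragment that assumes a dedicated client pool 10.10.10.0/24 (the posted config draws clients from 192.168.74.150-254, inside the LAN subnet), the corporate networks 192.168.0.0/16, the outside interface FastEthernet0/1 with 55.55.55.55, the loopback address 10.11.0.1 from Cisco's example, and 10.11.0.2 as an unused address in the loopback subnet that serves only as the policy-routing next hop. The group key is a placeholder.

```cisco
! Added example (not from the thread or Cisco's document): hairpin / "Internet on a stick"
! for EasyVPN clients on an IOS 12.4 router.
! Assumed: client pool 10.10.10.0/24, outside FastEthernet0/1 = 55.55.55.55,
! corporate networks 192.168.0.0/16, 10.11.0.2 = unused address in the loopback subnet.
!
! Client group WITHOUT an "acl" line: the client sends all of its traffic into the tunnel.
crypto isakmp client configuration group vpnclient
 key <group-preshared-key>
 dns 192.168.1.17
 domain millat.com.pk
 pool dynpool
!
ip local pool dynpool 10.10.10.1 10.10.10.254
!
! Reverse-route injection adds a /32 route per connected client, so return traffic
! to the pool is sent back into the crypto map.
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
! The loopback carries no real traffic. It is a NAT "inside" interface: client packets
! policy-routed into it re-enter the forwarding path as inside packets, so the
! inside->outside translation applies when they leave FastEthernet0/1 again.
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
! Decrypted client packets arrive on the outside interface, so PBR is applied there.
interface FastEthernet0/1
 ip address 55.55.55.55 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 ip policy route-map VPN-TO-INTERNET
 crypto map dynmap
!
! Client -> corporate traffic is excluded: a deny in the route-map's ACL means "no match",
! so those packets are routed normally to the ASA and are not translated.
ip access-list extended VPN-INTERNET
 deny   ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.10.10.0 0.0.0.255 any
!
route-map VPN-TO-INTERNET permit 10
 match ip address VPN-INTERNET
 set ip next-hop 10.11.0.2
!
! The same list drives PAT, so client-to-Internet traffic leaves as 55.55.55.55.
! It coexists with the existing "ip nat inside source list 160 ..." for the LAN.
ip nat inside source list VPN-INTERNET interface FastEthernet0/1 overload
```

Hairpinning is the option to pick when the corporate egress controls (the router's ACLs, the ASA inspection) must also apply to remote users; the cost is that every client's web traffic crosses the 55.55.55.55 link twice. `show ip nat translations` should show client pool addresses translated to 55.55.55.55 only for destinations outside 192.168.0.0/16.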

junshah22 Wed, 06/10/2009 - 00:51

Dear,

I am currently using the first method, XAUTH and split tunneling.

I successfully connect to my network and at the same time the Internet works on the remote PC, but the remote PC is unable to use resources inside my network.

I have placed a Cisco ASA 5510 right next to my router; servers are connected to its DMZ interface.

Do I need to add NAT?

If I add

ip nat inside (at the inside interface)

and

ip nat outside (at the outside interface) of the router, and make an ACL:

access-list 160 permit ip any any
access-list 160 permit tcp any any
ip nat inside source list 160 interface fastethernet 0/1 overload

By adding these commands, my remote PC starts connecting to my internal network, but its Internet service stops.

Please HELP

Regards,

Junaid

Farrukh Haroon Wed, 06/10/2009 - 06:01

You need to change the ACL on the router; currently it is going to policy-route/NAT all traffic from VPN clients out to the Internet. Deny the remote site >> HQ subnet traffic in the ACL.

And of course you need to permit this in the ASA as well.

Regards

Farrukh

junshah22 Thu, 06/11/2009 - 20:04

Dear Farrukh,

I am sending you the router configuration in this post and the ASA configuration in the next post. Please review them and advise.

ROUTER CONFIG

-------------

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
boot-start-marker
boot-end-marker
enable secret 5 $1$xxxxxxxxxxxxxxxxxxxxChhf0
enable password xxxxxxx
aaa new-model
aaa authentication login userlist local
aaa authorization network vpnclient local
aaa session-id common
resource policy
memory-size iomem 15
clock timezone - 0 6
no ip source-route
ip cef
ip domain name millat.com.pk
ip name-server 10.16.6.11
ip name-server 10.16.7.12
voice-card 0
 no dspfarm
username Junaid privilege 15 secret 5 $1$xxxxxxxxxxxxxxxxxxtguY.
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 192.168.1.17
 wins 192.168.1.17
 domain millat.com.pk
 pool dynpool
 acl 150
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
crypto map dynmap client authentication list userlist
crypto map dynmap isakmp authorization list vpnclient
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
 ip address 192.168.74.1 255.255.255.0
 ip access-group Internet in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
interface FastEthernet0/1
 ip address 55.55.55.55 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map dynmap
ip local pool dynpool 192.168.74.150 192.168.74.254
ip route 0.0.0.0 0.0.0.0 55.55.55.57
ip route 192.168.1.0 255.255.255.0 192.168.74.2
ip route 192.168.2.0 255.255.255.0 192.168.74.2
ip route 192.168.3.0 255.255.255.0 192.168.74.2
ip route 192.168.4.0 255.255.255.0 192.168.74.2
ip route 192.168.5.0 255.255.255.0 192.168.74.2
ip route 192.168.6.0 255.255.255.0 192.168.74.2
ip route 192.168.7.0 255.255.255.0 192.168.74.2
ip route 192.168.8.0 255.255.255.0 192.168.74.2
ip route 192.168.9.0 255.255.255.0 192.168.74.2
ip route 192.168.10.0 255.255.255.0 192.168.74.2
ip route 192.168.11.0 255.255.255.0 192.168.74.2
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.1.15 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.1.4 22 interface FastEthernet0/1 22
ip nat inside source static tcp 192.168.74.1 23 interface FastEthernet0/1 23
ip nat inside source static tcp 192.168.1.16 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.16 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.1.16 110 interface FastEthernet0/1 110
ip nat inside source list 160 interface FastEthernet0/1 overload
!
ip access-list extended Internet
 permit ip host 10.16.6.11 any
 permit ip host 10.16.7.12 any
 permit tcp any any eq ftp
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit ip host 192.168.2.81 any
 permit ip host 192.168.10.7 any
 permit ip host 192.168.4.82 any
 permit ip host 192.168.4.83 any
 permit ip any host 66.241.216.167
 permit ip host 192.168.11.11 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.74.0 0.0.0.255 any
 permit ip 192.168.35.0 0.0.0.255 any
access-list 150 permit ip any any
access-list 150 permit tcp any any
access-list 160 permit ip any any
access-list 160 permit tcp any any
snmp-server community public RO
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps cpu threshold
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
no cdp run
control-plane
line con 0
 password sunroof
line aux 0
line vty 0 4
 password Pajero
scheduler allocate 20000 1000
end

junshah22 Thu, 06/11/2009 - 20:10

Here is the ASA configuration

-------------------------

ASA Version 7.0(7)
hostname MTL-ASA
domain-name millat.com.pk
enable password lRxxxxxxxxxxxNh encrypted
names
dns-guard
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.74.2 255.255.255.0
interface Ethernet0/1
 nameif DMZ
 security-level 50
 ip address 192.168.1.18 255.255.255.0
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.90.1 255.255.255.0
 management-only
passwd lRxxxxxxxxxxxxNh encrypted
ftp mode passive
access-list outside_to_DMZ extended permit ip 192.168.74.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_to_DMZ extended permit tcp any any eq 3389
access-list outside_to_DMZ extended permit ip any any
access-list outside_to_DMZ extended permit tcp any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
mtu management 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
static (DMZ,outside) 192.168.74.0 192.168.1.0 netmask 255.255.255.255
access-group outside_to_DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.74.1 1
route outside 55.55.55.57 255.255.255.248 192.168.74.1 1
route inside 192.168.11.0 255.255.255.0 192.168.20.2 1
route inside 192.168.9.0 255.255.255.0 192.168.20.2 1
route inside 192.168.8.0 255.255.255.0 192.168.20.2 1
route inside 192.168.7.0 255.255.255.0 192.168.20.2 1
route inside 192.168.6.0 255.255.255.0 192.168.20.2 1
route inside 192.168.5.0 255.255.255.0 192.168.20.2 1
route inside 192.168.4.0 255.255.255.0 192.168.20.2 1
route inside 192.168.10.0 255.255.255.0 192.168.20.2 1
route inside 192.168.2.0 255.255.255.0 192.168.20.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username Junaid password kxxxxxxxxxxxFs0 encrypted privilege 15
http server enable
http 192.168.90.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect esmtp
service-policy global_policy global
Cryptochecksum:78xxxxxxxxxxxxxxxxxxcbd55f
: end

junshah22 Thu, 06/11/2009 - 20:12

Dear Farrukh,

Please review above 2 posts, one containing router configuration and the second one contains ASA Config,

In this scenario, the remote VPN client connects successfully but is unable to use resources in the network.

At the same time, the remote client's Internet service runs.

Please advise me what ACL I should place and in which direction.

Regards,

Junaid

Farrukh Haroon Fri, 06/12/2009 - 21:53

Change access-list 160 FROM:

access-list 160 permit ip any any
access-list 160 permit tcp any any

TO:

access-list 160 deny ip 192.168.74.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 160 permit ip any any
access-list 160 permit tcp any any

Also I would advise removing this from the ASA as it is not required:

no static (DMZ,outside) 192.168.74.0 192.168.1.0 netmask 255.255.255.255

Regards

Farrukh

junshah22 Sat, 06/13/2009 - 04:19

Dear Farrukh,

In the crypto isakmp client configuration group vpnclient

I used acl 150, which is not available in the configuration right now.

Should I replace that ACL from 150 to 160,

and will ACL 160 then be used for both crypto and overload?

Please advise

Regards,

Junaid

Farrukh Haroon Sat, 06/13/2009 - 04:51

No, that is an alternate method to control this, but in the solution I proposed you don't need to change anything in ACL 150.

Just change the ACL I mentioned (160) and test. Alternatively you can use ACL 150 to control the split tunneling.

Regards

Farrukh
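The split-tunnel variant the thread settles on (Todd's first method, with the ACL 160 change from Farrukh's reply and ACL 150 used to control the split), put together as an added example. It is not code from the thread; it keeps the posted addressing (outside FastEthernet0/1 = 55.55.55.55, inside FastEthernet0/0 = 192.168.74.0/24, corporate networks 192.168.0.0/16 behind the ASA, client pool 192.168.74.150-254) and assumes 192.168.0.0/16 is the full set of networks the clients need; the group key is a placeholder. The IOS 12.4 syntax matches the posted router.

```cisco
! Added example (not from the thread): split tunnelling with NAT exemption on the posted
! IOS 12.4 router. Assumed: posted addressing (outside FastEthernet0/1 = 55.55.55.55,
! inside 192.168.74.0/24, corporate networks 192.168.0.0/16, pool 192.168.74.150-254)
! and a placeholder group key.
!
! 1. Split-tunnel list, pushed to the client by the group. The SOURCE side names the
!    networks behind the router that the client must send into the tunnel; everything
!    else leaves the PC through its own ISP. The posted "permit ip any any" tells the
!    client to tunnel everything, which is no split at all.
no access-list 150
access-list 150 permit ip 192.168.0.0 0.0.255.255 any
!
crypto isakmp client configuration group vpnclient
 key <group-preshared-key>
 dns 192.168.1.17
 wins 192.168.1.17
 domain millat.com.pk
 pool dynpool
 acl 150
!
! 2. PAT list for the inside LAN. Per Farrukh's reply, VPN-pool traffic to the corporate
!    networks is excluded from translation (the first matching line wins), and the permit
!    is narrowed from "any any" to the RFC 1918 sources that actually sit behind the router.
no access-list 160
access-list 160 deny   ip 192.168.74.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 160 permit ip 192.168.0.0 0.0.255.255 any
ip nat inside source list 160 interface FastEthernet0/1 overload
!
! 3. Checks once a client is connected (client assumed to receive 192.168.74.150):
!    show crypto session                      IKE and IPsec SAs for the client
!    show ip route 192.168.74.150             reverse-route should have injected a /32
!    show ip nat translations | include 192.168.74.150
!                                             must show no entries towards 192.168.x.x
```

With split tunneling the remote PC is on the Internet and inside the corporate network at the same time, so the client's own host protection matters more than with full tunnelling. Two items in the posted configuration are also worth fixing while editing it, although neither affects the split-tunnel problem: `ip nat inside source static tcp 192.168.74.1 23 interface FastEthernet0/1 23` publishes the router's own telnet (with the plaintext vty password and `no service password-encryption`) on the Internet, and the ASA's `access-list outside_to_DMZ extended permit ip any any` makes the narrower lines in that list meaningless; the SNMP community `public` and the group key `cisco123` shown in the posted config should not survive into production either.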
