I am configuring a site-to-site VPN with Cisco routers; both ends have live IPs.
I am following the document below for creating the VPN. In this case the VPN tunnel works fine, but the Internet service stops on both ends.
I have a private network inside the router and VLANs are configured; the VLANs must be NATed to get access to the Internet service.
When I remove the statements ip nat inside and ip nat outside from the inside and outside interfaces, my tunnel goes UP and works fine, but as soon as I add the NAT commands to the respective interfaces, the tunnel goes down but the Internet service starts.
The author hasn't mentioned any NAT statement.
1. Create the Internet Key Exchange (IKE) policy. The policy used in our case is policy number 9, because this policy requires a pre-shared key.
Router(config)#crypto isakmp policy 9
Router(config-isakmp)#authentication pre-share
2. Set up the shared key that will be used for the VPN:
Router(config)#crypto isakmp key VPNKEY address XXX.XXX.XXX.XXX
VPNKEY is the shared key that you will use for the VPN; remember to set the same key on the other end.
XXX.XXX.XXX.XXX is the static public IP address of the other end.
3. Now we set the lifetime for the IPsec security associations:
Router(config)#crypto ipsec security-association lifetime seconds YYYYY
where YYYYY is the association lifetime in seconds. It is usually set to 86400, which is one day.
4. Configure an extended access-list to define the traffic that is allowed to be directed through the VPN link:
Router(config)#access-list AAA permit ip SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK
AAA is the access-list number.
SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK is the source of the data allowed to use the VPN link.
DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK is the destination of the data that needs to pass through the VPN link.
5. Define the transform set that will be used for this VPN connection:
Router(config)#crypto ipsec transform-set SETNAME BBBB CCCCC
SETNAME is the name of the transform set. You can choose any name you like.
BBBB and CCCCC are the transforms in the set. I recommend the use of "esp-3des esp-md5-hmac". You can also use "esp-3des esp-sha-hmac". Either of these two will do the job.
6. After defining all the previous things, we need to create a crypto map that associates the access-list, the other site and the transform set:
Router(config)#crypto map MAPNAME PRIORITY ipsec-isakmp
Router(config-crypto-map)#set peer XXX.XXX.XXX.XXX
Router(config-crypto-map)#set transform-set SETNAME
Router(config-crypto-map)#match address AAA
MAPNAME is a name of your choice for the crypto map.
PRIORITY is the priority of this map over other maps to the same destination. If this is your only crypto map, give it any number, for example 10.
XXX.XXX.XXX.XXX is the static public IP address of the other end.
SETNAME is the name of the transform set that we configured in step 5.
AAA is the number of the access-list that we created to define the traffic in step 4.
7. The last step is to bind the crypto map to the interface that connects the router to the other end:
Router(config-if)#crypto map MAPNAME
where MAPNAME is the name of the crypto map that we defined in step 6.
Now repeat these steps on the other end, and remember to use the same key along with the same authentication settings and transform set.
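The seven steps above, pulled together into one complete Site A configuration, as an added example that is not part of the original thread or of the document the poster is following. It adds the piece the tutorial omits: a NAT exemption for the LAN-to-LAN traffic. On IOS, inside-to-outside NAT is applied before the crypto map is consulted on the outbound path, so once ip nat inside/outside is enabled the LAN-to-LAN packets are translated to the WAN address, no longer match the crypto ACL, and the tunnel is never triggered. The addresses (Site A WAN 203.0.113.10, LAN 192.168.1.0/24; Site B WAN 198.51.100.20, LAN 192.168.55.0/24), interface names and the AES/SHA transform set are assumptions for the example; the tutorial's esp-3des esp-md5-hmac would work in the same place.

```cisco
! Added example, not the thread's own configuration. Addresses are
! RFC 5737 documentation ranges chosen for illustration.
!
! Step 1: IKE policy. The number (9) is only a priority; pre-shared key
! authentication comes from "authentication pre-share".
crypto isakmp policy 9
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Step 2: pre-shared key for the Site B peer (same key on the other side)
crypto isakmp key VPNKEY address 198.51.100.20
!
! Step 3: IPsec SA lifetime (one day)
crypto ipsec security-association lifetime seconds 86400
!
! Step 4: crypto ACL - the traffic that must go through the tunnel
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255
!
! Step 5: transform set (assumed AES-256/SHA-1 instead of 3DES/MD5)
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Step 6: crypto map tying peer, transform set and crypto ACL together
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set VPN-SET
 match address VPN-TRAFFIC
!
! NAT exemption - the part the tutorial leaves out. The deny line must
! come first so LAN-to-LAN packets keep their private source address and
! still match VPN-TRAFFIC; everything else from the LAN is PATed to the
! WAN interface for Internet access. Add one deny line per VLAN subnet.
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT-TRAFFIC interface GigabitEthernet0/0 overload
!
! Step 7: bind the crypto map to the WAN interface; NAT inside/outside
! stay on the interfaces as before
interface GigabitEthernet0/0
 description WAN - Site A public IP
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
 crypto map VPN-MAP
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

Site B is the mirror image with source and destination networks swapped and the peer set to 203.0.113.10. To confirm the fix, generate LAN-to-LAN traffic and check that show crypto isakmp sa shows the peer in QM_IDLE, that show crypto ipsec sa shows encaps/decaps counters increasing for the 192.168.1.0/24 to 192.168.55.0/24 identity, and that show ip nat translations contains no entries for 192.168.55.x destinations.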
Junaid, hi, it's me again!!! How have you been?
"VPN client connects and can use server resources successfully, but its own (VPN client's) Internet service stops."
Time to use split tunnelling for remote-access VPN clients.
! Split-tunnel ACL: only traffic to these networks is sent through the tunnel
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 111 permit ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
! Attach the ACL to the client group so clients receive it as the split-tunnel list
crypto isakmp client configuration group vpnclient
 acl 111
Edit: Yes, there is an implicit deny there. However, I always configure ACLs to deny/permit the exact traffic for the VPN. One reason is to correctly see the hits of the traffic flows when using a "show access-list XXX" command. Am I right? (grin)
HTH. What about the rating system? J/K