Connect to Internet fails when VPN is up

Answered Question
May 16th, 2010

Hi,

Can someone please help me identify the cause of this. I successfully configured a VPN tunnel, but I am not able to browse the internet from the LAN. I am using a Cisco 877 router. ACL 105 controls the VPN traffic. As per theory, other traffic should pass through the default gateway, but that is not happening. Can you please help me fix this problem?

Building configuration...

Current configuration : 2344 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Ringwood
!
boot-start-marker
boot-end-marker

!
no aaa new-model
clock timezone AEST 10
clock summer-time AEDST recurring last Sun Oct 2:00 last Sun Mar 2:00
!
!
dot11 syslog
ip cef
!
!
ip dhcp use vrf connected
ip dhcp excluded-address 192.168.25.1 192.168.25.50
!
ip dhcp pool RINGWOOD
   network 192.168.25.0 255.255.255.0
   update dns
   dns-server 192.168.0.10 139.130.4.4
   default-router 192.168.25.1
   lease 7
   update arp
!
!
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
!
multilink bundle-name authenticated
!
!
!
!
crypto isakmp policy 2
encr aes 256
hash md5
authentication pre-share
group 2
crypto isakmp key D19*b&5901-)@ address 0.0.0.0
!
!
crypto ipsec transform-set ENDLESS esp-aes 256 esp-md5-hmac
!
crypto map Ringwood_Lynbrook 1 ipsec-isakmp
 set peer 0.0.0.0
 set transform-set ENDLESS
 match address 105
!
archive
log config
  hidekeys
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.25.1 255.255.255.0
ip helper-address 192.168.25.1
ip nat inside
ip inspect firewall in
ip virtual-reassembly
!
interface Dialer0
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname theend10@
ppp chap password 0 2133
crypto map Ringwood_Lynbrook
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip dns server
!
logging source-interface Vlan1
access-list 105 permit ip 192.168.25.0 0.0.0.255 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password g00se
login
!
scheduler max-task-time 5000
ntp server 128.250.36.2
end

Thanks,

Siva.

Federico Coto F... Sun, 05/16/2010 - 07:08

Hi,

Are you trying to configure a Site-to-Site or a Remote Access VPN?
The configuration looks like a Site-to-Site, but you have defined 0.0.0.0 as the peer.
This is not the correct configuration.

To configure Remote Access, you use a dynamic crypto map:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800946b7.shtml

Then, you configure split-tunneling to only encrypt the desired traffic.

Federico.

sivakumar_ks Sun, 05/16/2010 - 14:25

For the forum I have changed the IP address to 0.0.0.0; the actual configuration has a valid IP address. Why is it not allowing internet access?

Siva

Federico Coto F... Sun, 05/16/2010 - 15:01

Ok,

If the peer is an actual valid address, what you have is a Site-to-Site tunnel between two locations, correct?

Where is the Internet lost, on this side of the router?

The only traffic that is encrypted and sent through the tunnel is between 192.168.25.0/24 and 192.168.0.0/24, so if you want to go from 192.168.25.x to the Internet, that's not going to be sent through the tunnel.

Could you specify exactly what's happening when the VPN tunnel comes up?

You lose Internet from the 192.168.25.0/24 network, is that it?

Federico.

sivakumar_ks Sun, 05/16/2010 - 17:19

Yes, you are correct. The Easy VPN server doesn't fit my requirement. For internet traffic, the client goes to the Easy VPN server (the 877 router) to be routed to the internet. So I decided to use a site-to-site VPN.

I tried NAT inside on Dialer0 with overload and a specific access list, but that dropped the VPN, so I removed it. I want the VPN to work and at the same time I need to use the internet for the subnet 192.168.25.0/24.

siva

Federico Coto F... Sun, 05/16/2010 - 17:25

Siva,

Have you tried adding these commands?

access-list 101 deny ip 192.168.25.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 101 permit ip 192.168.25.0 0.0.0.255 any

ip nat inside source list 101 interface Dialer 0 overload

The first line bypasses NAT for the VPN traffic, and the second and third allow NAT for the Internet.

Federico.
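As an added illustration (not code from the thread or from Cisco), the following small model reproduces the router's inside-to-outside order of operations, NAT first and the crypto map second, using the thread's ACL 101 and ACL 105. It shows why the deny line matters: without it, traffic for 192.168.0.0/24 is translated to the Dialer0 address before the crypto map is consulted and therefore no longer matches ACL 105. The Dialer0 public address is a constructed placeholder.

```python
import ipaddress

# Constructed placeholder for the negotiated Dialer0 address (not from the thread).
DIALER0_IP = "203.0.113.10"

# IOS-style extended ACL entries: (action, src_net, src_wildcard, dst_net, dst_wildcard).
# "any" in IOS is 0.0.0.0 with wildcard 255.255.255.255.
ACL_101 = [
    ("deny",   "192.168.25.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    ("permit", "192.168.25.0", "0.0.0.255", "0.0.0.0",     "255.255.255.255"),
]
ACL_101_WITHOUT_DENY = ACL_101[1:]          # the NAT ACL with the bypass line missing
ACL_105 = [
    ("permit", "192.168.25.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
]

def wildcard_match(addr, net, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & (~w & 0xFFFFFFFF) == 0

def acl_lookup(acl, src, dst):
    """First-match evaluation, with the implicit deny at the end of every IOS ACL."""
    for action, s_net, s_wild, d_net, d_wild in acl:
        if wildcard_match(src, s_net, s_wild) and wildcard_match(dst, d_net, d_wild):
            return action
    return "deny"

def forward(src, dst, nat_acl):
    """Model of inside->outside processing: NAT (if the NAT ACL permits) happens
    before the crypto map's match ACL is checked. Returns (source seen by the
    crypto map, path taken)."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = DIALER0_IP                     # translated by 'ip nat ... overload'
    path = "tunnel" if acl_lookup(ACL_105, src, dst) == "permit" else "internet"
    return src, path

if __name__ == "__main__":
    host, remote, web = "192.168.25.20", "192.168.0.10", "198.51.100.5"
    print("LAN -> remote site, ACL 101 with deny:   ", forward(host, remote, ACL_101))
    print("LAN -> Internet,    ACL 101 with deny:   ", forward(host, web, ACL_101))
    print("LAN -> remote site, ACL 101 without deny:", forward(host, remote, ACL_101_WITHOUT_DENY))
```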

sivakumar_ks Sun, 05/16/2010 - 17:47

No luck. I tried that before too; it dropped the VPN. Now I have added it once again based on your suggestion and am still having the issue. These are the ACLs I have in addition to my first posted configuration.

ip nat inside source list 101 interface Dialer0 overload
!
logging source-interface Vlan1
access-list 101 deny   ip 192.168.25.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.25.0 0.0.0.255 any
access-list 105 permit ip 192.168.25.0 0.0.0.255 192.168.0.0 0.0.0.255

Thanks,

Siva.

Correct Answer
Federico Coto F... Sun, 05/16/2010 - 18:31

You should not be having a problem with that.

When you added the commands and tried to access the Internet from 192.168.25.0/24, where did the traffic go?

Check 'sh ip nat trans' to see if there's a translation built for your machine, and do a traceroute to see how far the traffic goes.

The new configuration should not cause problems; if you are still having problems, please post it again.

Federico.

sivakumar_ks Mon, 05/17/2010 - 04:44

Yes, that works when you connect site to site with Cisco hardware. I was trying to achieve site to site with a Cisco 877 and a Netgear; for some reason the Netgear can't handle the traffic and drops it.

Thanks for your solution... and quick reply.

Siva.
