08-20-2013 02:24 AM - edited 03-11-2019 07:27 PM
Hi,
I am facing issues in my network. I have an 880 router with the image c880data-universalk9-mz.153-2.T1.bin.
As soon as my EZVPN connects to my HO, the internet disconnects at the branch. When I remove a command from dialer 0
(no crypto ipsec client ezvpn EZ), the internet works fine. Below are the NAT configuration and access list I use.
corporate network---192.168.10.0
Branch network----172.16.10.0
int vlan1
 ip nat inside
 ip add 172.16.10.1
int dialer 0
 ip nat outside
ip nat inside source route-map nonat interface Dialer0 overload
ip access-list extended 110
 deny ip 172.16.10.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 172.16.10.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
 match interface Dialer0
Thanks
08-20-2013 02:31 AM
You also have to configure split tunneling for the VPN group your EzVPN client uses to connect to the HQ (on the HQ router):
crypto isakmp client configuration group VPN-GROUP
acl SPLIT-ACL
!
ip access-list extended SPLIT-ACL
permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-20-2013 02:59 AM
Thanks for the reply,
No, they don't go to the internet through HQ; they go out locally via their Dialer 0 interface. As you can see in the IP access list, traffic to the HQ network is denied translation and the rest should be translated to go to the internet.
08-20-2013 03:15 AM
Yes, but EzVPN by default tunnels the whole traffic. And that would blackhole your branch-internet-traffic. With Split-tunnel you instruct your branch-router that only the traffic from 172.16.10.0/24 to 192.168.10.0/24 has to be sent through the tunnel and the rest is allowed in clear to be sent to the internet.
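Added example, not part of the thread: a simplified Python model of the decision described in the reply above, using ACL 110 (typos corrected) and SPLIT-ACL from the posts. It assumes, as the reply states, that with no split ACL pushed all traffic is tunneled; the function names and the 203.0.113.10 test address are constructed for illustration, and real IOS route lookup and order of operations are not modeled.

```python
import ipaddress

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def ace(action, src, src_wc, dst, dst_wc):
    """One 'permit|deny ip <src> <wildcard> <dst> <wildcard>' entry."""
    return (action, _ip(src), _ip(src_wc), _ip(dst), _ip(dst_wc))

def wc_match(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

def acl_permits(acl, src, dst):
    s, d = _ip(src), _ip(dst)
    for action, sb, sw, db, dw in acl:
        if wc_match(s, sb, sw) and wc_match(d, db, dw):
            return action == "permit"      # first match wins
    return False                           # implicit deny ends every ACL

ANY = ("0.0.0.0", "255.255.255.255")       # the keyword 'any'

# ACL 110 on the branch router: what the 'nonat' route-map lets NAT translate.
NAT_ACL = [
    ace("deny", "172.16.10.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
    ace("permit", "172.16.10.0", "0.0.0.255", *ANY),
]
# SPLIT-ACL on the HQ router: source is the HQ network behind the tunnel.
SPLIT_ACL = [ace("permit", "192.168.10.0", "0.0.0.255",
                 "172.16.10.0", "0.0.0.255")]

def branch_path(src, dst, split_acl):
    """Where a packet leaving the branch LAN ends up in this model."""
    if split_acl is None:
        return "tunnel"                    # no split ACL: everything is tunneled
    if acl_permits(split_acl, dst, src):   # mirrored: HQ side is the source
        return "tunnel"
    if acl_permits(NAT_ACL, src, dst):
        return "nat-internet"              # translated and sent out Dialer0
    return "routed-untranslated"

if __name__ == "__main__":
    for acl in (None, SPLIT_ACL):
        for dst in ("192.168.10.5", "203.0.113.10"):
            print(acl is not None, dst, branch_path("172.16.10.20", dst, acl))
```

The NAT exemption alone does not bring internet traffic back: only the split ACL changes the result for 203.0.113.10 from "tunnel" to "nat-internet".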
08-20-2013 03:21 AM
I have done a similar setup with another series router and it is working fine without any issues.
08-20-2013 03:28 AM
I did the config according to you, but it is still the same.
08-20-2013 03:40 AM
How is your group configured on the HQ-router and what is the output of "sh crypto ipsec client ezvpn" on the branch-router?
08-20-2013 11:38 AM
Router#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 8
Tunnel name : EZ
Inside interface list: Vlan1
Outside interface: Dialer0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Save Password: Disallowed
Current EzVPN Peer: 1.1.1.1
crypto isakmp client configuration group cisco
key abc
acl 111
ip access-list extended 111
permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
08-20-2013 12:41 PM
Dears,
Can anybody help me solve the issue?
08-21-2013 01:31 AM
Can you post the configs of both routers?
08-21-2013 03:07 AM
08-21-2013 03:16 AM
It's the client config that matters most.
08-21-2013 03:39 AM
08-21-2013 03:45 AM
At least the ACL 100 is not real! How much has been changed from your actual config?
08-21-2013 03:56 AM
Dear,
There are many things; to keep it simple I did that.
Here are the attachments: branch 119.127.12.0 and HQ 10.1.1.0.