
EZVPN & NAT

jack samuel
Level 1

Hi

I am facing issues in my network. I have an 880 router with the image c880data-universalk9-mz.153-2.T1.bin.

As soon as my EZVPN connects to my HO, internet disconnects from the branch. When I remove one command from dialer 0,

no crypto ipsec client ezvpn EZ

internet works fine. Below is the NATting and the access-list used by me.

corporate network---192.168.10.0

Branch network----172.16.10.0

int vlan1
 ip nat inside
 ip address 172.16.10.1 255.255.255.0
!
int dialer 0
 ip nat outside
!
ip nat inside source route-map nonat interface Dialer0 overload
!
ip access-list extended 110
 deny ip 172.16.10.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 172.16.10.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 110
 match interface Dialer0

Thanks

14 Replies

You also have to configure split tunneling for the VPN group your EzVPN client uses to connect to the HQ (on the HQ router):

crypto isakmp client configuration group VPN-GROUP
 acl SPLIT-ACL
!
ip access-list extended SPLIT-ACL
 permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks for the reply,

No, they don't go on the internet through HQ; they go out locally through their dialer 0 interface. As you can see in the ip access-list, the HQ network is denied from translation and the other traffic should be translated to go on the internet.

Yes, but EzVPN by default tunnels all traffic, and that would blackhole your branch internet traffic. With split tunneling you instruct your branch router that only the traffic from 172.16.10.0/24 to 192.168.10.0/24 has to be sent through the tunnel, and the rest is allowed to be sent in the clear to the internet.

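The NAT-exemption ACL posted in the question and the split-tunnel ACL from this reply together decide what the branch router does with each packet. The following is an added Python example, not code from this thread or from Cisco, that re-implements IOS wildcard-mask ACL matching in a deliberately simplified model (NAT order of operations, client versus network-extension mode and the `match interface` clause are left out) and runs a few constructed flows with and without the split ACL. The ACL contents are the ones posted; the flows and the 203.0.113.10 "internet host" are constructed for the example.

```python
"""Simplified model of the branch router's tunnel-or-NAT decision (added example,
not Cisco code). ACL contents come from the thread; flows are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    action: str       # "permit" or "deny"
    src: str          # source network
    src_wild: str     # wildcard mask: 0 bits must match, 1 bits are don't-care
    dst: str          # destination network
    dst_wild: str


ANY = ("0.0.0.0", "255.255.255.255")  # the IOS keyword "any"


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: compare only the bits where the mask is 0."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def acl_lookup(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"


# Branch router, ACL 110 as posted in the question (typos corrected):
#   deny   ip 172.16.10.0 0.0.0.255 192.168.10.0 0.0.0.255
#   permit ip 172.16.10.0 0.0.0.255 any
NONAT_ACL_110 = [
    AclEntry("deny", "172.16.10.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
    AclEntry("permit", "172.16.10.0", "0.0.0.255", *ANY),
]

# HQ router, SPLIT-ACL from the reply. The server pushes it to the client, which
# tunnels packets whose destination matches the ACL's *source* field (networks
# behind HQ) and whose source matches its destination field (the branch).
SPLIT_ACL = [
    AclEntry("permit", "192.168.10.0", "0.0.0.255", "172.16.10.0", "0.0.0.255"),
]


def is_tunnelled(src: str, dst: str, split_acl: Optional[List[AclEntry]]) -> bool:
    """No split ACL pushed means the EzVPN default: everything enters the tunnel."""
    if split_acl is None:
        return True
    return any(
        e.action == "permit"
        and wildcard_match(dst, e.src, e.src_wild)
        and wildcard_match(src, e.dst, e.dst_wild)
        for e in split_acl
    )


def classify_branch_flow(src: str, dst: str, split_acl: Optional[List[AclEntry]]) -> str:
    """Outcome for one inside->outside packet on the branch router:
    "tunnel"             sent to HQ over EzVPN
    "nat-internet"       translated by route-map nonat and sent out Dialer0
    "clear-untranslated" neither tunnelled nor permitted by the NAT ACL
    """
    if is_tunnelled(src, dst, split_acl):
        return "tunnel"
    if acl_lookup(NONAT_ACL_110, src, dst) == "permit":
        return "nat-internet"
    return "clear-untranslated"


def scenario_table():
    """Constructed flows evaluated without and with the split ACL."""
    flows = [
        ("172.16.10.5", "192.168.10.20"),  # branch host -> HQ server
        ("172.16.10.5", "203.0.113.10"),   # branch host -> internet (constructed)
        ("172.16.10.5", "192.168.20.7"),   # branch host -> HQ subnet NOT in SPLIT-ACL
    ]
    return {
        (src, dst): (classify_branch_flow(src, dst, None),
                     classify_branch_flow(src, dst, SPLIT_ACL))
        for src, dst in flows
    }


if __name__ == "__main__":
    for (src, dst), (full, split) in scenario_table().items():
        print(f"{src:>13} -> {dst:<14} full-tunnel: {full:<12} split-tunnel: {split}")
```

The second flow reproduces the symptom in the question: without a split ACL the internet-bound packet is tunnelled to HQ, where nothing forwards it onward. The third flow is the one worth checking on a real box: a destination behind HQ that the split ACL does not list is not tunnelled, falls past the deny line of ACL 110 and is translated out Dialer0 as if it were internet traffic, so the split-tunnel ACL on the HQ and the NAT-exemption ACL on the branch have to cover the same prefixes. The ACL 111 posted later in the thread (192.168.0.0/16 to 172.16.0.0/16) is wider than ACL 110, which is exactly this kind of mismatch.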

I have done a similar setup with another series of router and it is working fine without any issues.

I did the config according to you, but still the same.

How is your group configured on the HQ router, and what is the output of "sh crypto ipsec client ezvpn" on the branch router?


Router#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : EZ
Inside interface list: Vlan1
Outside interface: Dialer0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Save Password: Disallowed
Current EzVPN Peer: 1.1.1.1

crypto isakmp client configuration group cisco
 key abc
 acl 111
!
ip access-list extended 111
 permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255

Dears,

Can anybody help me to solve the issue?

Can you post the configs of both routers?


Dear,

Attached is the file for the HQ; the branch configuration is the same as mentioned above.

It's the client config that matters most.


Here is the attachment for the client router.

At least the ACL 100 is not real! How much has been changed from your actual config?


Dear,

There are many things; to keep it simple I did that.

Here are the attachments: branch 119.127.12.0 and HQ 10.1.1.0.
