Cisco Support Community

New Member

Vpn works but not internet from the 1 site

Hi, I have 3 876s and I want to make a tunnel so I can have a VPN to my networks. When I connect 2 of them, the tunnel works but I don't have Internet on my second network! Here's my startup-config:

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname xxxxx

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

!

resource policy

!

ip subnet-zero

ip cef

!

!

ip name-server 195.170.0.2

vpdn enable

!

!

!

crypto pki trustpoint TP-self-signed-3526170264

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3526170264

revocation-check none

rsakeypair TP-self-signed-3526170264

!

!

crypto pki certificate chain TP-self-signed-3526170264

certificate self-signed 01 nvram:IOS-Self-Sig#3402.cer

username xxxxx privilege 15 password xxxxx

!

!

no crypto isakmp enable

!

!

!

interface Tunnel0

ip address 192.168.100.2 255.255.255.0

no ip redirects

no ip proxy-arp

tunnel source staticIP

tunnel destination staticIP

tunnel key xxxxxx

tunnel path-mtu-discovery

!

interface Tunnel1

ip address 192.168.200.2 255.255.255.0

no ip redirects

no ip proxy-arp

tunnel source staticIP

tunnel destination staticIP

tunnel key xxxxx

tunnel path-mtu-discovery

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

!

interface ATM0

no ip address

atm vc-per-vp 64

no atm ilmi-keepalive

pvc 8/35

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

dsl operating-mode auto

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

ip address 172.16.1.254 255.255.255.0

no ip redirects

no ip proxy-arp

ip nat inside

ip virtual-reassembly

hold-queue 100 out

!

interface Dialer1

ip address negotiated

ip mtu 1492

ip nat outside

ip virtual-reassembly

encapsulation ppp

ip tcp adjust-mss 1452

dialer pool 1

dialer-group 1

no cdp enable

ppp pap sent-username xxxxxxx password xxxxx

!

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 172.16.0.0 255.255.255.0 Tunnel0

ip route 172.16.2.0 255.255.255.0 Tunnel1

!

ip http server

ip http secure-server

ip nat pool internet staticIP staticIP netmask 255.255.255.0

ip nat inside source list 10 pool internet overload

!

access-list 10 permit 172.16.1.0 0.0.0.255

dialer-list 1 protocol ip permit

!

control-plane

!

!

line con 0

exec-timeout 120 0

password xxxxxx

logging synchronous

login

no modem enable

transport output all

stopbits 1

line aux 0

transport output all

line vty 0 4

access-class 23 in

exec-timeout 120 0

password xxxxxx

login local

transport preferred telnet

transport input telnet

transport output all

!

scheduler max-task-time 5000

end

I think my problem is somewhere in the dynamic NAT. Please help!

3 REPLIES
Cisco Employee

Re: Vpn works but not internet from the 1 site

How about you change the ACL 10 to an extended ACL and apply it to the NATting statement.

access-l 100 per ip 172.16.1.0 0.0.0.255 any

ip nat inside source list 100 pool internet overload

Also you might want to add a deny entry for the remote GRE network you are trying to access.

Let's say your remote GRE network is 172.16.0.0/24; then your ACL 100 should look like this:

access-l 100 deny ip 172.16.1.0 0.0.0.255 172.16.0.0 0.0.0.255

access-l 100 permit ip 172.16.1.0 0.0.0.255 any

Let me know if this works out

Thanks

Gilbert
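An added example, not part of the thread and not Cisco code: a small Python model of first-match ACL evaluation with IOS wildcard masks, showing why the deny entry in the reply has to sit above the permit for tunnel-bound traffic to stay untranslated. It models ACL matching only; the second deny (for 172.16.2.0/24, the Tunnel1 route in the posted config), the misordered variant and the sample flows are assumptions constructed for illustration, and the ACL is written with full keywords instead of the abbreviated `access-l ... per` form.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC SWILD (DST DWILD | any)'."""
    tok = line.split()
    action, rest = tok[2], tok[4:]
    dst = ("0.0.0.0", "255.255.255.255") if rest[2] == "any" else (rest[2], rest[3])
    return action, (rest[0], rest[1]), dst

def nat_decision(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return "translate" if action == "permit" else "bypass"
    return "bypass"

# ACL 100 as suggested in the reply. The second deny is an assumption added
# here to cover the other tunnelled network (172.16.2.0/24 via Tunnel1).
ACL_100 = [
    "access-list 100 deny ip 172.16.1.0 0.0.0.255 172.16.0.0 0.0.0.255",
    "access-list 100 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255",
    "access-list 100 permit ip 172.16.1.0 0.0.0.255 any",
]

# Constructed counter-example: same entries, permit listed first, so the
# deny lines are never reached.
MISORDERED = [ACL_100[2], ACL_100[0], ACL_100[1]]

# Constructed sample flows: (source, destination).
FLOWS = [
    ("172.16.1.10", "172.16.0.5"),    # LAN host -> remote network on Tunnel0
    ("172.16.1.10", "172.16.2.9"),    # LAN host -> remote network on Tunnel1
    ("172.16.1.10", "198.51.100.7"),  # LAN host -> Internet (documentation range)
]

if __name__ == "__main__":
    for name, acl in (("ACL_100", ACL_100), ("MISORDERED", MISORDERED)):
        for src, dst in FLOWS:
            print(f"{name:<10} {src} -> {dst:<13} {nat_decision(acl, src, dst)}")
```
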

New Member

Re: Vpn works but not internet from the 1 site

It Worked!! Thanks!

Cisco Employee

Re: Vpn works but not internet from the 1 site

Glad to know.

Rate the post, if it helped!

Cheers

Gilbert
