Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
324
Views
0
Helpful
3
Replies

Clients reach company network but internet connection drops

thomaslinder
Level 1
Level 1

‎07-25-2008 12:09 PM

Hi

I think I have some quite basic problem and I am just missing something stupid. Now I was wondering if you were able to help me.

I have a PATed network with one external IP address. Clients receive IP addresses and can access network ressources just fine. However, their internet connection drops.

I tried enabling split tunneling and it appears to work (the protected network shows up in the vpn client in statistics) and users are still able to access network resources. But still, no internet connection.

I have then checked with route print which is the default route. I found out, that it looks like the VPN client adds a default route to its network and therefore routes all traffic there.

I have removed that route in Windows and it appears the internet connection is restored, that would be ok like that.

Now I was wondering what I need to change in the router configuration so that this route won't get created at all - any ideas?

I posted my configuration below, some ip addresses and other not so important parts were blanked out.

aaa new-model

!

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

!

aaa session-id common

!

resource policy

!

!

!

ip cef

!

!

ip name-server DNSSERVEREXTERNAL

ip name-server DNSSERVEREXTERNAL

!

!

crypto pki trustpoint TP-self-signed-3575738758

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3575738758

revocation-check none

rsakeypair TP-self-signed-3575738758

!

!

crypto pki certificate chain TP-self-signed-3575738758

certificate self-signed 01

...

quit

username ....

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group DefaultVpnUsers

key our.key

pool SDM_POOL_1

acl 100

split-dns our.domain

netmask 255.255.255.0

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA

reverse-route

!

!

crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

!

interface FastEthernet0

description $ETH-WAN$

ip address EXTERNAL_IP 255.255.255.248

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface Vlan1

no ip address

!

interface Vlan10

ip address 192.168.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Async1

no ip address

encapsulation slip

!

ip local pool SDM_POOL_1 192.168.2.1 192.168.2.20

ip route 0.0.0.0 0.0.0.0 EXTERNAL_IP

!

!

no ip http server

ip http authentication local

ip http secure-server

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload

ip nat inside source static tcp 192.168.0.3 25 interface FastEthernet0 25

ip nat inside source static tcp 192.168.0.3 443 interface FastEthernet0 443

!

access-list 1 remark INSIDE_IF=Vlan10

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 192.168.0.0 0.0.0.255

access-list 100 remark SDM_ACL Category=4

access-list 100 permit ip 192.168.0.0 0.0.0.255 any

access-list 101 remark SDM_ACL Category=2

access-list 101 deny ip 192.168.0.0 0.0.0.255 host 192.168.2.1

...

access-list 101 deny ip 192.168.0.0 0.0.0.255 host 192.168.2.20

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 101

!

!

!

Labels:
0 Helpful
3 Replies 3

thomaslinder
Level 1
Level 1

‎07-25-2008 12:15 PM

I forgot to say: the routes which are being created are

(Destination -> Mask -> Interface -> Metric)

0.0.0.0 -> 0.0.0.0 -> 192.68.2.2 -> 40

0.0.0.0 -> 0.0.0.0 -> 77.118.82.136 -> 41

Now if the route with the metric of 40 is deleted, everything works as expected. The 192.168.2.2 range is the one which is given out by the vpn server.

0 Helpful

dphills18
Level 1
Level 1
In response to thomaslinder

‎08-27-2008 06:25 PM

did you ever figure this out. i am having simular issues.

0 Helpful

singhsaju
Level 4
Level 4
In response to dphills18

‎08-28-2008 06:44 AM

Hello,

I think you will have to modify acl used for split tunneling.Do not use "any" in the split tunnel acls and then try . This could be creating the default route.See the example below.

Split Tunneling

In order to enable split tunneling for the VPN connections, make sure you configure an access control list (ACL) on the router.

In this example, the access-list 102 command is associated with the group for split-tunneling purposes, and

the tunnel is formed to the 10.38.X.X /16 and 10.2.x.x networks.

Traffic flows unencrypted to devices not in ACL 102 (for example, the Internet).

access-list 102 permit ip 10.38.0.0 0.0.255.255 10.1.1.0 0.0.0.255

access-list 102 permit ip 10.2.0.0 0.0.255.255 10.1.1.0 0.0.0.255

Apply the ACL on the group properties.

crypto isakmp client configuration group vpngroup

key cisco123

dns 10.2.1.10

wins 10.2.1.20

domain cisco.com

pool ippool

acl 102

ip local pool ippool 10.1.1.100 10.1.1.200

HTH

Saju

0 Helpful
Customers Also Viewed These Support Documents