Can't Browse Web when connected to VPN

brianjfrank
Level 1

Hi,

I got interested in networks about a year ago. We had some spare networking kit lying around in our office and I decided to set up a lab.

I've been able to configure NAT w/ PAT on a Cisco 3825.

I've got 1 access list, "Overloading" my OUTSIDE int, and a few "ip nat inside source static..." entries to handle my port forwards.

It's a very basic setup.

The router died recently, so I got a cheap replacement from eBay. Setting it all up was WAY easier than last time, so I decided to try something new.... VPN.

I'd previously had a port forward to a computer that was a VPN server, but I was able to use Cisco CCP to help me configure VPN. Yes, technically cheating for all you CLI-heads out there, so sorry -- to make you happy, I did thoroughly inspect and spend extra time appreciating the code it wanted to inject into my router.

Now I've got VPN working, and I can access all the PCs on the LAN I'm VPNing to, but -- I can't access the web when connected to VPN.

I've fiddled with the access list, trying to make it ANY/ANY.

I'm not really sure what to do.

I looked around and most of the stuff out there is for a site-to-site, or PAT running on a tunnel...

My issue is pretty basic, probably. I just can't access outside when on VPN.

I'm more than willing to have another translation method.

I've attached my router config.

Can you have a look and let me know what would need changing...

Really appreciate any insight.

Thanks,

Brian

Accepted Solution

Hello Brian,

Basically this is the VPN group:

crypto isakmp client configuration group open
 key (something)
 dns 192.168.1.1 8.8.8.8
 domain something.com
 pool SDM_POOL_1
 save-password
 backup-gateway 192.168.1.1
 max-users 5
 netmask 255.255.255.0
 banner ^Cyou have connected to the vpn-ings!.  well done!    ^

I see that you are doing tunnel all and you are not split tunneling in this configuration. What you can do is use split tunnel, under this configuration, as follows:

ip access-list extended SPLIT_TUNNEL
 permit ip XXXXX XXXXX 192.168.1.0 0.0.0.255

XXXXX --> are the inside subnets

Then under this:

crypto isakmp client configuration group open
 acl SPLIT_TUNNEL

This will allow you to have access to the internal subnets through the tunnel and have access to the internet through the internet connection on your computer.

For further details take a look at this document:

- http://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/91193-rtr-ipsec-internet-connect.html

Don't use Any on your ACL statements for split tunneling purposes.

Let me know how it works out!

Please don't forget to rate and mark as correct the helpful post!

David Castro,

Regards,

 


6 Replies


Thanks for the quick reply, David.

I tried adding this:

ip access-list extended SPLIT_TUNNEL
 permit ip 192.168.1.0 255.255.255.0 192.168.1.0 0.0.0.255

And in the crypto group, added (acl SPLIT_TUNNEL)

My VPN Client says it can't negotiate with the host.

I'm not sure if I understand the subnets I should be adding in red.

My VPN IP Pool is on the same subnet 192.168.1.0 (range is 192.168.25-192.168.1.30)

Do I need to have a 10.10.2.0 range for VPN?

Thanks,

Brian
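The accepted solution and Brian's first attempt above show the two things that go wrong with a split-tunnel ACL on IOS: a subnet mask typed where IOS expects a wildcard, and a VPN pool carved out of the inside LAN. This added checker (written for this thread, not code from Brian's router or from Cisco) parses constructed fragments modelled on both posts and flags those mistakes; it assumes the inside LAN is 192.168.1.0/24 and the fixed pool is 10.0.0.0/24, as in the later replies.

```python
import ipaddress

# Constructed IOS fragments modelled on the thread, not Brian's real config.
# BROKEN mirrors his first attempt: pool inside the LAN and a subnet mask
# where IOS expects a wildcard. FIXED mirrors the accepted solution.
INSIDE_LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed inside subnet
BROKEN = """ip local pool SDM_POOL_1 192.168.1.25 192.168.1.30
ip access-list extended SPLIT_TUNNEL
 permit ip 192.168.1.0 255.255.255.0 192.168.1.0 0.0.0.255
"""
FIXED = """ip local pool SDM_POOL_1 10.0.0.1 10.0.0.30
ip access-list extended SPLIT_TUNNEL
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
"""

def wildcard_to_net(addr, wild):
    """Turn an IOS 'address wildcard' pair into a network; reject subnet masks."""
    w = int(ipaddress.ip_address(wild))
    if w & (w + 1):  # a wildcard is a run of low 1-bits; a mask has high 1-bits
        raise ValueError(f"{wild} is a subnet mask, not a wildcard")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

def parse_spec(tokens):
    """Consume one source or destination spec: any / host X / addr wildcard."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_net(tokens[0], tokens[1]), tokens[2:]

def check_split_tunnel(config):
    """Return findings for the VPN pool and split-tunnel ACEs in a fragment."""
    findings = []
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"]:
            if any(ipaddress.ip_address(a) in INSIDE_LAN for a in t[4:6]):
                findings.append("VPN pool overlaps the inside LAN; use a separate subnet")
        elif t[:2] == ["permit", "ip"]:
            try:
                src, rest = parse_spec(t[2:])
                dst, _ = parse_spec(rest)
            except ValueError as e:
                findings.append(str(e))
                continue
            if 0 in (src.prefixlen, dst.prefixlen):  # David's "don't use Any" rule
                findings.append("'any' in split-tunnel ACE; list only the inside subnets")
    return findings
```

Running check_split_tunnel(BROKEN) reports both problems, while check_split_tunnel(FIXED) returns an empty list.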

 

 

 

After having another crack at this, yes -- I needed to put my VPN on another subnet.

With the different pool, and the SPLIT_TUNNEL acl, and the ACL mentioned in the VPN group, I'm in business.

Now all I need to do is figure out how to make the 10.0.0.0 and 192.168.1.0 networks talk to one another. I think this is called a static route, but -- more work tomorrow.

Very fun, this networking is!

Thanks again David!

Brian

 

 

Hello Brian,

Exactly, in this case you will need to have the IP local pool on another range. Also you can add a static route:

ip route 10.0.0.0 255.255.255.0 XXXXX

XXXX --> next hop IP address (outside)

Also make sure of the NAT, because the NAT you have in place won't let 192.168.1.0 communicate with 10.0.0.0/24. You will be able to do it like this:

1. Create an extended ACL:

access-list 130 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255    ****** from inside to remote or ip-pool
access-list 130 permit ip 192.168.1.0 0.0.0.255 any          ****** from inside to Internet

Then a route map so you can have it within the NAT:

route-map nonat-Pat 10
 match ip address 130

NAT statement:

ip nat inside source route-map nonat-Pat interface FastEthernet0/1 overload

2. Then remove the PAT you have:

ip nat inside source list 1 interface GigabitEthernet0/0 overload

Let me know how it works out!

Please don't forget to rate and mark as correct this post, if this helped you!

David Castro,

Regards,
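The NAT exemption David describes works only because IOS evaluates ACL 130 first-match: the deny for inside-to-pool traffic has to sit above the permit-to-any, or the permit shadows it and LAN-to-VPN packets get PATed to the outside address. This added simulation (not David's or Brian's configuration, and only the ACL decision, not the full NAT engine) walks those three flows through the ACL in both orders; the inside LAN, pool and outside address are assumed values.

```python
import ipaddress

IP = ipaddress.ip_network
INSIDE_LAN, VPN_POOL = IP("192.168.1.0/24"), IP("10.0.0.0/24")  # assumed, as in the thread
OUTSIDE_IP = "203.0.113.10"  # constructed placeholder for the outside interface address

# ACL 130 from David's second reply, as (action, source, destination) entries.
ACL_130 = [
    ("deny", INSIDE_LAN, VPN_POOL),           # inside -> VPN pool: exempt from NAT
    ("permit", INSIDE_LAN, IP("0.0.0.0/0")),  # inside -> Internet: translate
]

def first_match(acl, src, dst):
    """IOS ACL semantics: the first ACE that matches wins; no match is an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action
    return "deny"

def nat_source(acl, src, dst):
    """Source address a packet would carry after 'ip nat inside source route-map
    nonat-Pat interface <outside> overload': permit means translate, deny means leave it.
    This models the ACL decision only; inside-source NAT is applied to packets that
    enter on an 'ip nat inside' interface, which decrypted VPN client traffic does not."""
    return OUTSIDE_IP if first_match(acl, src, dst) == "permit" else src

def shadowed_order():
    """The same two ACEs with the permit first: the deny can never be reached."""
    return list(reversed(ACL_130))

def lan_to_pool_is_exempt(acl):
    """True when a LAN host talking to a VPN client keeps its real address."""
    return nat_source(acl, "192.168.1.10", "10.0.0.5") == "192.168.1.10"
```

With the deny first, 192.168.1.10 reaches 10.0.0.5 untranslated while 192.168.1.10 to 8.8.8.8 is still PATed; with the order reversed the LAN-to-pool flow is translated too.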

Hey David,

Thanks for this.

I'm a bit stuck. I've tried adding:

ip route 10.0.0.0 255.255.255.0 XXXXX where XXXX is my external IP on my outside interface.

It's returned: "invalid next hop address (it's this router)"

I've tried entering my external static IP, no dice.

I also tried creating the route map, updating the NAT statement and removing the PAT statement, but I can't seem to access two things:

1. Devices on 192.168.1.0 can't access the internet
2. Devices on VPN 10.0.0.0 CAN access the internet, but can't access other devices on 192.168.1.0

I really appreciate the help thus far. It's cool, because it's not all on you, and you point me in the right direction to fiddle with this and get it working. I'm a bit stuck now, so I don't know where to go from here.

What I'd really like is to have:

192.168.1.0 access to the internet via NAT or NAT w/ PAT.
10.0.0.0 access to the internet, but also access to devices on 192.168.1.0.

Thanks a lot all!

Brian

 

 

 

Can anyone else help? I basically can't access 192.168.1.0 from 10.0.0.0

 
