New Member

Guest VLAN single Internet Connection via DHCP not routing

I have a 1921 router connected to a DSL Internet router using DHCP.

We have this set up with a dynamic VPN to a Cisco ASA for a small remote office.

This is working well and there is no issue here.

We want to set up a Guest_LAN on the same router, and have that traffic go through the same Internet pipe.

DHCP is working and the separate VLAN is working; we are just unable to access the Internet.

 

ip dhcp excluded-address 172.16.54.250 172.16.54.254
!
ip dhcp pool Guest
 network 172.16.54.0 255.255.255.0
 default-router 172.16.54.254
 dns-server 8.8.8.8 8.8.4.4
 domain-name nufarmguest.com
!
!

interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description ISP_Connection
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache
 ip tcp adjust-mss 1300
 duplex auto
 speed auto
 crypto map NAFTA_VPN
!
interface GigabitEthernet0/1/0
 switchport access vlan 54
 no ip address
!
interface GigabitEthernet0/1/1
 switchport access vlan 54
 no ip address
!
interface GigabitEthernet0/1/2
 switchport access vlan 54
 no ip address
!
interface GigabitEthernet0/1/3
 switchport access vlan 54
 no ip address
!
interface GigabitEthernet0/1/4
 switchport access vlan 54
 no ip address
!
interface GigabitEthernet0/1/5
 switchport access vlan 54
 no ip address
!
interface GigabitEthernet0/1/6
 switchport access vlan 54
 no ip address
!
interface GigabitEthernet0/1/7
 switchport access vlan 999
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan54
 ip address 10.1.54.254 255.255.255.0
 ip helper-address 10.1.122.58
 ip helper-address 10.1.122.79
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan999
 ip address 172.16.54.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map GUEST_MATCH interface GigabitEthernet0/1 overload
ip nat inside source route-map VPN_MATCH interface GigabitEthernet0/1 overload
!
ip access-list extended GUEST_MATCH
 permit ip 172.16.54.0 0.0.0.255 any
ip access-list extended NAT_OVERLOAD
 permit ip any any
ip access-list extended VPN_MATCH
 permit ip 10.1.54.0 0.0.0.255 10.0.0.0 0.255.255.255
ip access-list extended VPN_NONAT
 deny   ip 10.1.54.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip any any
!

route-map NONAT permit 10
 match ip address VPN_NONAT
!

 

1 REPLY
New Member

Try adding the Guest subnet to the VPN_NONAT ACL.
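
An added example, not part of the original thread and not Cisco tooling: a small Python check that cross-references the names used in the NAT, ACL and route-map lines of the configuration as posted. The embedded CONFIG is copied from the post's excerpt, which may not be the router's full configuration; the function name and result keys are made up for this example.

```python
import re

# NAT, ACL and route-map lines copied from the posted excerpt (may be incomplete).
CONFIG = """\
ip nat inside source route-map GUEST_MATCH interface GigabitEthernet0/1 overload
ip nat inside source route-map VPN_MATCH interface GigabitEthernet0/1 overload
!
ip access-list extended GUEST_MATCH
 permit ip 172.16.54.0 0.0.0.255 any
ip access-list extended NAT_OVERLOAD
 permit ip any any
ip access-list extended VPN_MATCH
 permit ip 10.1.54.0 0.0.0.255 10.0.0.0 0.255.255.255
ip access-list extended VPN_NONAT
 deny   ip 10.1.54.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip any any
!
route-map NONAT permit 10
 match ip address VPN_NONAT
"""

def audit_nat_references(config):
    """Cross-check NAT rules, route-map stanzas and ACLs by name (hypothetical helper)."""
    nat_maps = set(re.findall(r"^ip nat inside source route-map (\S+)", config, re.M))
    route_maps = set(re.findall(r"^route-map (\S+)", config, re.M))
    acls = set(re.findall(r"^ip access-list (?:extended|standard) (\S+)", config, re.M))
    # 'match ip address' may list several ACL names on one line
    matched = {name
               for line in re.findall(r"^ +match ip address (.+)$", config, re.M)
               for name in line.split()}
    missing = nat_maps - route_maps
    return {
        # NAT rule names a route-map that has no 'route-map' stanza
        "undefined_route_maps": sorted(missing),
        # the missing name exists as an ACL instead
        "acl_used_as_route_map": sorted(missing & acls),
        # route-map stanzas that no NAT rule references
        "route_maps_not_in_nat": sorted(route_maps - nat_maps),
        # 'match ip address' pointing at an ACL that is not defined
        "undefined_acls": sorted(matched - acls),
    }

if __name__ == "__main__":
    for finding, names in audit_nat_references(CONFIG).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```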
