VPN client dhcp pool wrong default gateway

Posted on 2008-10-16
Last Modified: 2008-10-18
Hi, I have just created a VPN client on my Cisco 837. I can access all sources on the network when connected, but I cannot connect to the internet because it is giving me the wrong default gateway. Can someone take a look?
Building configuration...
 
Current configuration : 12522 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname rtr01
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$2F1v$Eesr6pxyG3x/Ab/7ZTaZL.
enable password password
!
username admin privilege 15 secret 5 $1$ivhN$GwEn3ynthZ.rUolNVltXR1
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 10.13.1.1 10.13.1.49
ip dhcp excluded-address 10.13.1.101 10.13.1.254
!
ip dhcp pool default
   import all
   network 10.13.1.0 255.255.255.0
   dns-server 10.13.1.10 
   default-router 10.13.1.1 
   domain-name mycompany.local
!
!
ip name-server 10.13.1.10
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key password address 90.x.x.x no-xauth
crypto isakmp xauth timeout 15
 
!
crypto isakmp client configuration group RAS-VPN
 key password
 dns 10.13.1.10
 domain mycompany.local
 pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA1 
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to90.x.x.x
 set peer 90.x.x.x
 set transform-set ESP-3DES-SHA 
 match address 102
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
!
!
!
interface Ethernet0
 description $FW_INSIDE$
 ip address 10.13.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 62.x.x.x 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ip inspect sdm_ins_in_100 in
 ip inspect SDM_LOW out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname username for isp
 ppp chap password 0 password for isp
 ppp pap sent-username username for isp password 0 password for isp
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.1.100 192.168.1.150
ip nat inside source static tcp 10.13.1.10 444 interface Dialer0 444
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 10.13.1.10 25 interface Dialer0 25
ip nat inside source static tcp 10.13.1.10 80 interface Dialer0 80
ip nat inside source static tcp 10.13.1.10 443 interface Dialer0 443
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http secure-server
!
!
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.13.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 10.13.1.10 eq domain any
access-list 100 deny   ip 62.24.236.60 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 192.168.1.100 any
access-list 101 permit ip host 192.168.1.101 any
access-list 101 permit ip host 192.168.1.102 any
access-list 101 permit ip host 192.168.1.103 any
access-list 101 permit ip host 192.168.1.104 any
access-list 101 permit ip host 192.168.1.105 any
access-list 101 permit ip host 192.168.1.106 any
access-list 101 permit ip host 192.168.1.107 any
access-list 101 permit ip host 192.168.1.108 any
access-list 101 permit ip host 192.168.1.109 any
access-list 101 permit ip host 192.168.1.110 any
access-list 101 permit ip host 192.168.1.111 any
access-list 101 permit ip host 192.168.1.112 any
access-list 101 permit ip host 192.168.1.113 any
access-list 101 permit ip host 192.168.1.114 any
access-list 101 permit ip host 192.168.1.115 any
access-list 101 permit ip host 192.168.1.116 any
access-list 101 permit ip host 192.168.1.117 any
access-list 101 permit ip host 192.168.1.118 any
access-list 101 permit ip host 192.168.1.119 any
access-list 101 permit ip host 192.168.1.120 any
access-list 101 permit ip host 192.168.1.121 any
access-list 101 permit ip host 192.168.1.122 any
access-list 101 permit ip host 192.168.1.123 any
access-list 101 permit ip host 192.168.1.124 any
access-list 101 permit ip host 192.168.1.125 any
access-list 101 permit ip host 192.168.1.126 any
access-list 101 permit ip host 192.168.1.127 any
access-list 101 permit ip host 192.168.1.128 any
access-list 101 permit ip host 192.168.1.129 any
access-list 101 permit ip host 192.168.1.130 any
access-list 101 permit ip host 192.168.1.131 any
access-list 101 permit ip host 192.168.1.132 any
access-list 101 permit ip host 192.168.1.133 any
access-list 101 permit ip host 192.168.1.134 any
access-list 101 permit ip host 192.168.1.135 any
access-list 101 permit ip host 192.168.1.136 any
access-list 101 permit ip host 192.168.1.137 any
access-list 101 permit ip host 192.168.1.138 any
access-list 101 permit ip host 192.168.1.139 any
access-list 101 permit ip host 192.168.1.140 any
access-list 101 permit ip host 192.168.1.141 any
access-list 101 permit ip host 192.168.1.142 any
access-list 101 permit ip host 192.168.1.143 any
access-list 101 permit ip host 192.168.1.144 any
access-list 101 permit ip host 192.168.1.145 any
access-list 101 permit ip host 192.168.1.146 any
access-list 101 permit ip host 192.168.1.147 any
access-list 101 permit ip host 192.168.1.148 any
access-list 101 permit ip host 192.168.1.149 any
access-list 101 permit ip host 192.168.1.150 any
access-list 101 permit udp any host 62.x.x.x eq non500-isakmp
access-list 101 permit udp any host 62.x.x.x eq isakmp
access-list 101 permit esp any host 62.x.x.x
access-list 101 permit ahp any host 62.x.x.x
access-list 101 permit udp host 62.24.128.18 eq domain any
access-list 101 permit udp host 62.24.128.17 eq domain any
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.13.1.0 0.0.0.255
access-list 101 permit udp host 90.x.x.x host 62.x.x.x eq non500-isakmp
access-list 101 permit udp host 90.x.x.x host 62.x.x.x eq isakmp
access-list 101 permit esp host 90.x.x.x host 62.x.x.x
access-list 101 permit ahp host 90.x.x.x host 62.x.x.x
access-list 101 permit tcp any host 62.x.x.x eq www
access-list 101 permit tcp any host 62.x.x.x eq smtp
access-list 101 permit tcp any host 62.x.x.x eq 443
access-list 101 permit tcp any host 62.x.x.x eq 444
access-list 101 permit udp host 62.24.128.18 eq domain host 62.x.x.x
access-list 101 permit udp host 62.24.128.17 eq domain host 62.x.x.x
access-list 101 permit icmp any host 62.x.x.x
access-list 101 permit icmp any host 62.x.x.x echo-reply
access-list 101 permit tcp any eq smtp host 62.x.x.x eq smtp
access-list 101 permit icmp any host 62.x.x.x time-exceeded
access-list 101 deny   ip 10.13.1.0 0.0.0.255 any
access-list 101 permit icmp any host 62.x.x.x unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.13.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip any host 192.168.1.100
access-list 103 deny   ip any host 192.168.1.101
access-list 103 deny   ip any host 192.168.1.102
access-list 103 deny   ip any host 192.168.1.103
access-list 103 deny   ip any host 192.168.1.104
access-list 103 deny   ip any host 192.168.1.105
access-list 103 deny   ip any host 192.168.1.106
access-list 103 deny   ip any host 192.168.1.107
access-list 103 deny   ip any host 192.168.1.108
access-list 103 deny   ip any host 192.168.1.109
access-list 103 deny   ip any host 192.168.1.110
access-list 103 deny   ip any host 192.168.1.111
access-list 103 deny   ip any host 192.168.1.112
access-list 103 deny   ip any host 192.168.1.113
access-list 103 deny   ip any host 192.168.1.114
access-list 103 deny   ip any host 192.168.1.115
access-list 103 deny   ip any host 192.168.1.116
access-list 103 deny   ip any host 192.168.1.117
access-list 103 deny   ip any host 192.168.1.118
access-list 103 deny   ip any host 192.168.1.119
access-list 103 deny   ip any host 192.168.1.120
access-list 103 deny   ip any host 192.168.1.121
access-list 103 deny   ip any host 192.168.1.122
access-list 103 deny   ip any host 192.168.1.123
access-list 103 deny   ip any host 192.168.1.124
access-list 103 deny   ip any host 192.168.1.125
access-list 103 deny   ip any host 192.168.1.126
access-list 103 deny   ip any host 192.168.1.127
access-list 103 deny   ip any host 192.168.1.128
access-list 103 deny   ip any host 192.168.1.129
access-list 103 deny   ip any host 192.168.1.130
access-list 103 deny   ip any host 192.168.1.131
access-list 103 deny   ip any host 192.168.1.132
access-list 103 deny   ip any host 192.168.1.133
access-list 103 deny   ip any host 192.168.1.134
access-list 103 deny   ip any host 192.168.1.135
access-list 103 deny   ip any host 192.168.1.136
access-list 103 deny   ip any host 192.168.1.137
access-list 103 deny   ip any host 192.168.1.138
access-list 103 deny   ip any host 192.168.1.139
access-list 103 deny   ip any host 192.168.1.140
access-list 103 deny   ip any host 192.168.1.141
access-list 103 deny   ip any host 192.168.1.142
access-list 103 deny   ip any host 192.168.1.143
access-list 103 deny   ip any host 192.168.1.144
access-list 103 deny   ip any host 192.168.1.145
access-list 103 deny   ip any host 192.168.1.146
access-list 103 deny   ip any host 192.168.1.147
access-list 103 deny   ip any host 192.168.1.148
access-list 103 deny   ip any host 192.168.1.149
access-list 103 deny   ip any host 192.168.1.150
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.13.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 10.13.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 exec-timeout 120 0
 password Segatae99
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end

Question by:Dan560
3 Comments
Expert Comment

by:bkepford
ID: 22741816
Your configuration looks good.
Your VPN client is picking up a default gateway? Do a "ROUTE PRINT" from the command line on your vpn client before and after you connect and see what networks go where.
It could also be a DNS thing so do a nslookup www.google.com to see if it gets resolved.
Accepted Solution

by:
cstosgale earned 500 total points
ID: 22750041
The simplest way to fix this is to use split tunneling. In this configuration, internet traffic will bypass the VPN and only traffic destined for your local network will go across the VPN.

ip access-list extended acl_split
 permit ip 10.13.1.0 0.0.0.255 any

crypto isakmp client configuration group RAS-VPN
 acl acl_split

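To see why the accepted answer works, here is an added Python example (not from the original thread or from Cisco) that parses the split-tunnel ACL above, converts the Cisco wildcard mask to a network, and shows which destinations a client tunnels with and without the acl line in the group configuration; the public address 203.0.113.5 is a constructed test value.

```python
import ipaddress

# Split-tunnel ACL from the accepted answer, copied here as constructed sample input.
ACL_SPLIT = """
ip access-list extended acl_split
 permit ip 10.13.1.0 0.0.0.255 any
"""

def wildcard_to_network(addr, wildcard):
    """Turn a Cisco address/wildcard pair into a network; the wildcard is an inverted mask."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(mask)), strict=False)

def _parse_addr(tokens, i):
    """Parse one address term (any | host X | A WILDCARD) at tokens[i]; return (net, next i)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2

def parse_split_acl(text):
    """Return (action, src_net, dst_net) for each 'permit|deny ip ...' entry."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 4 and t[0] in ("permit", "deny") and t[1] == "ip":
            src, i = _parse_addr(t, 2)
            dst, _ = _parse_addr(t, i)
            entries.append((t[0], src, dst))
    return entries

def tunnel_decision(entries, dst):
    """Where a VPN client sends a packet for dst after the group config is pushed.
    No 'acl' in the group (entries empty): everything is tunnelled, so the tunnel becomes
    the client's default gateway, which is the symptom in the question. With an acl, IOS
    pushes the ACL's *source* networks as the secured list; only those are tunnelled."""
    if not entries:
        return "tunnel"
    d = ipaddress.IPv4Address(dst)
    for action, src, _ in entries:
        if d in src:
            return "tunnel" if action == "permit" else "direct"
    return "direct"

def only_private_secured(entries):
    """Hygiene check: the secured list should cover private (RFC 1918) space only, because
    any destination outside it is reached by the client without the corporate egress controls."""
    return all(src.is_private for action, src, _ in entries if action == "permit")
```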
Author Comment

by:Dan560
ID: 22750097
Thanks, worked a treat.