Solved

VPN client dhcp pool wrong default gateway

Posted on 2008-10-16
Last Modified: 2008-10-18
Hi, I have just created a VPN client on my Cisco 837. I can access all sources on the network when connected, but I cannot connect to the internet because it is giving me the wrong default gateway. Can someone take a look?
Building configuration...

Current configuration : 12522 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname rtr01
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$2F1v$Eesr6pxyG3x/Ab/7ZTaZL.
enable password password
!
username admin privilege 15 secret 5 $1$ivhN$GwEn3ynthZ.rUolNVltXR1
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 10.13.1.1 10.13.1.49
ip dhcp excluded-address 10.13.1.101 10.13.1.254
!
ip dhcp pool default
   import all
   network 10.13.1.0 255.255.255.0
   dns-server 10.13.1.10
   default-router 10.13.1.1
   domain-name mycompany.local
!
!
ip name-server 10.13.1.10
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key password address 90.x.x.x no-xauth
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group RAS-VPN
 key password
 dns 10.13.1.10
 domain mycompany.local
 pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to90.x.x.x
 set peer 90.x.x.x
 set transform-set ESP-3DES-SHA
 match address 102
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface Ethernet0
 description $FW_INSIDE$
 ip address 10.13.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 62.x.x.x 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ip inspect sdm_ins_in_100 in
 ip inspect SDM_LOW out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname username for isp
 ppp chap password 0 password for isp
 ppp pap sent-username username for isp password 0 password for isp
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.1.100 192.168.1.150
ip nat inside source static tcp 10.13.1.10 444 interface Dialer0 444
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 10.13.1.10 25 interface Dialer0 25
ip nat inside source static tcp 10.13.1.10 80 interface Dialer0 80
ip nat inside source static tcp 10.13.1.10 443 interface Dialer0 443
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http secure-server
!
!
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.13.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 10.13.1.10 eq domain any
access-list 100 deny   ip 62.24.236.60 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 192.168.1.100 any
access-list 101 permit ip host 192.168.1.101 any
access-list 101 permit ip host 192.168.1.102 any
access-list 101 permit ip host 192.168.1.103 any
access-list 101 permit ip host 192.168.1.104 any
access-list 101 permit ip host 192.168.1.105 any
access-list 101 permit ip host 192.168.1.106 any
access-list 101 permit ip host 192.168.1.107 any
access-list 101 permit ip host 192.168.1.108 any
access-list 101 permit ip host 192.168.1.109 any
access-list 101 permit ip host 192.168.1.110 any
access-list 101 permit ip host 192.168.1.111 any
access-list 101 permit ip host 192.168.1.112 any
access-list 101 permit ip host 192.168.1.113 any
access-list 101 permit ip host 192.168.1.114 any
access-list 101 permit ip host 192.168.1.115 any
access-list 101 permit ip host 192.168.1.116 any
access-list 101 permit ip host 192.168.1.117 any
access-list 101 permit ip host 192.168.1.118 any
access-list 101 permit ip host 192.168.1.119 any
access-list 101 permit ip host 192.168.1.120 any
access-list 101 permit ip host 192.168.1.121 any
access-list 101 permit ip host 192.168.1.122 any
access-list 101 permit ip host 192.168.1.123 any
access-list 101 permit ip host 192.168.1.124 any
access-list 101 permit ip host 192.168.1.125 any
access-list 101 permit ip host 192.168.1.126 any
access-list 101 permit ip host 192.168.1.127 any
access-list 101 permit ip host 192.168.1.128 any
access-list 101 permit ip host 192.168.1.129 any
access-list 101 permit ip host 192.168.1.130 any
access-list 101 permit ip host 192.168.1.131 any
access-list 101 permit ip host 192.168.1.132 any
access-list 101 permit ip host 192.168.1.133 any
access-list 101 permit ip host 192.168.1.134 any
access-list 101 permit ip host 192.168.1.135 any
access-list 101 permit ip host 192.168.1.136 any
access-list 101 permit ip host 192.168.1.137 any
access-list 101 permit ip host 192.168.1.138 any
access-list 101 permit ip host 192.168.1.139 any
access-list 101 permit ip host 192.168.1.140 any
access-list 101 permit ip host 192.168.1.141 any
access-list 101 permit ip host 192.168.1.142 any
access-list 101 permit ip host 192.168.1.143 any
access-list 101 permit ip host 192.168.1.144 any
access-list 101 permit ip host 192.168.1.145 any
access-list 101 permit ip host 192.168.1.146 any
access-list 101 permit ip host 192.168.1.147 any
access-list 101 permit ip host 192.168.1.148 any
access-list 101 permit ip host 192.168.1.149 any
access-list 101 permit ip host 192.168.1.150 any
access-list 101 permit udp any host 62.x.x.x eq non500-isakmp
access-list 101 permit udp any host 62.x.x.x eq isakmp
access-list 101 permit esp any host 62.x.x.x
access-list 101 permit ahp any host 62.x.x.x
access-list 101 permit udp host 62.24.128.18 eq domain any
access-list 101 permit udp host 62.24.128.17 eq domain any
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.13.1.0 0.0.0.255
access-list 101 permit udp host 90.x.x.x host 62.x.x.x eq non500-isakmp
access-list 101 permit udp host 90.x.x.x host 62.x.x.x eq isakmp
access-list 101 permit esp host 90.x.x.x host 62.x.x.x
access-list 101 permit ahp host 90.x.x.x host 62.x.x.x
access-list 101 permit tcp any host 62.x.x.x eq www
access-list 101 permit tcp any host 62.x.x.x eq smtp
access-list 101 permit tcp any host 62.x.x.x eq 443
access-list 101 permit tcp any host 62.x.x.x eq 444
access-list 101 permit udp host 62.24.128.18 eq domain host 62.x.x.x
access-list 101 permit udp host 62.24.128.17 eq domain host 62.x.x.x
access-list 101 permit icmp any host 62.x.x.x
access-list 101 permit icmp any host 62.x.x.x echo-reply
access-list 101 permit tcp any eq smtp host 62.x.x.x eq smtp
access-list 101 permit icmp any host 62.x.x.x time-exceeded
access-list 101 deny   ip 10.13.1.0 0.0.0.255 any
access-list 101 permit icmp any host 62.x.x.x unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.13.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip any host 192.168.1.100
access-list 103 deny   ip any host 192.168.1.101
access-list 103 deny   ip any host 192.168.1.102
access-list 103 deny   ip any host 192.168.1.103
access-list 103 deny   ip any host 192.168.1.104
access-list 103 deny   ip any host 192.168.1.105
access-list 103 deny   ip any host 192.168.1.106
access-list 103 deny   ip any host 192.168.1.107
access-list 103 deny   ip any host 192.168.1.108
access-list 103 deny   ip any host 192.168.1.109
access-list 103 deny   ip any host 192.168.1.110
access-list 103 deny   ip any host 192.168.1.111
access-list 103 deny   ip any host 192.168.1.112
access-list 103 deny   ip any host 192.168.1.113
access-list 103 deny   ip any host 192.168.1.114
access-list 103 deny   ip any host 192.168.1.115
access-list 103 deny   ip any host 192.168.1.116
access-list 103 deny   ip any host 192.168.1.117
access-list 103 deny   ip any host 192.168.1.118
access-list 103 deny   ip any host 192.168.1.119
access-list 103 deny   ip any host 192.168.1.120
access-list 103 deny   ip any host 192.168.1.121
access-list 103 deny   ip any host 192.168.1.122
access-list 103 deny   ip any host 192.168.1.123
access-list 103 deny   ip any host 192.168.1.124
access-list 103 deny   ip any host 192.168.1.125
access-list 103 deny   ip any host 192.168.1.126
access-list 103 deny   ip any host 192.168.1.127
access-list 103 deny   ip any host 192.168.1.128
access-list 103 deny   ip any host 192.168.1.129
access-list 103 deny   ip any host 192.168.1.130
access-list 103 deny   ip any host 192.168.1.131
access-list 103 deny   ip any host 192.168.1.132
access-list 103 deny   ip any host 192.168.1.133
access-list 103 deny   ip any host 192.168.1.134
access-list 103 deny   ip any host 192.168.1.135
access-list 103 deny   ip any host 192.168.1.136
access-list 103 deny   ip any host 192.168.1.137
access-list 103 deny   ip any host 192.168.1.138
access-list 103 deny   ip any host 192.168.1.139
access-list 103 deny   ip any host 192.168.1.140
access-list 103 deny   ip any host 192.168.1.141
access-list 103 deny   ip any host 192.168.1.142
access-list 103 deny   ip any host 192.168.1.143
access-list 103 deny   ip any host 192.168.1.144
access-list 103 deny   ip any host 192.168.1.145
access-list 103 deny   ip any host 192.168.1.146
access-list 103 deny   ip any host 192.168.1.147
access-list 103 deny   ip any host 192.168.1.148
access-list 103 deny   ip any host 192.168.1.149
access-list 103 deny   ip any host 192.168.1.150
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.13.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 10.13.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 exec-timeout 120 0
 password Segatae99
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end

Question by:Dan560
3 Comments
Expert Comment

by:bkepford
ID: 22741816
Your configuration looks good.
Is your VPN client picking up a default gateway? Do a "ROUTE PRINT" from the command line on your VPN client before and after you connect and see what networks go where.
It could also be a DNS thing, so do an nslookup www.google.com to see if it gets resolved.
Accepted Solution

by: cstosgale (earned 500 total points)
ID: 22750041
The simplest way to fix this is to use split tunneling. In this configuration, internet traffic will bypass the VPN and only traffic destined for your local network will go across the VPN.

ip access-list extended acl_split
 permit ip 10.13.1.0 0.0.0.255 any

crypto isakmp client configuration group RAS-VPN
 acl acl_split
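As an added example (not part of the accepted answer or the original router config), this Python models what the split-tunnel ACL pushes to the client: it converts IOS address/wildcard pairs into prefixes and classifies each destination as tunnelled or sent directly. An empty network list stands for the original setup with no ACL, where every destination went into the tunnel. The acl_split text is the one from the answer; the destination addresses are constructed.

```python
import ipaddress

# The split-tunnel ACL from the accepted answer (constructed copy for this example).
SPLIT_ACL = """
ip access-list extended acl_split
 permit ip 10.13.1.0 0.0.0.255 any
"""


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair (e.g. 10.13.1.0 0.0.0.255) into a prefix.
    Only contiguous wildcards map to a prefix; anything else is rejected."""
    w = int(ipaddress.IPv4Address(wildcard))
    inv = (~w) & 0xFFFFFFFF                # the wildcard inverted is the netmask
    prefix = bin(inv).count("1")
    if inv != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_split_acl(text):
    """Return the networks the client is told to route into the tunnel.
    In a split-tunnel ACL the *source* of each 'permit ip' line is the
    protected network that gets pushed to the client."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "permit" and parts[1] == "ip":
            if parts[2] == "host":
                nets.append(ipaddress.IPv4Network(parts[3] + "/32"))
            else:
                nets.append(wildcard_to_network(parts[2], parts[3]))
    return nets


def route_for(dest, tunnel_nets):
    """'tunnel' if dest falls in a pushed network, otherwise 'local' (the client's
    own default gateway). With no split ACL (empty list) everything is tunnelled,
    which is the behaviour the original question describes."""
    if not tunnel_nets:
        return "tunnel"
    d = ipaddress.IPv4Address(dest)
    return "tunnel" if any(d in n for n in tunnel_nets) else "local"


if __name__ == "__main__":
    nets = parse_split_acl(SPLIT_ACL)
    for dest in ("10.13.1.10", "8.8.8.8"):
        print(dest, "split:", route_for(dest, nets), "no-split:", route_for(dest, []))
```

Without the split ACL, internet traffic from the 192.168.1.x pool would also have to be NATed out Dialer0, and route-map SDM_RMAP_1 (ACL 103) only matches 10.13.1.0/24 sources, so that traffic had no working path even before the gateway question.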
Author Comment

by:Dan560
ID: 22750097
Thanks, worked a treat.