Solved

Internet disconnects after successful Cisco VPN connection

Posted on 2010-01-05
Last Modified: 2012-05-08
Hi there,
I've a Cisco 1841 router at work that I've configured for Cisco's remote access VPN. I followed the configuration on the link http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml
and my client is able to connect to the VPN. However, I lose my internet connectivity as soon as the VPN is established. How can I ensure, through config or some setting in the VPN Client, that I can have my internet access too? I know with Microsoft VPN we have to uncheck the default gateway option in the LAN connection's advanced properties, but I can't figure out what to do with the Cisco one. I'm using the same client as the one shown in the link above!
Thanks for your help
Question by:nabeel92
8 Comments
 
LVL 5

Expert Comment

by:ping_it
ID: 26179431
Would you like to use your current Internet connection (without passing via the tunnel) or the Internet connection that there is at the VPN server? In other words, will the Internet be tunneled as well?
 

Author Comment

by:nabeel92
ID: 26179778
No, I want the Internet connection without passing via the tunnel, just the normal one as it is.
 
LVL 5

Expert Comment

by:ping_it
ID: 26179869
Please attach your configuration, I will take a look.

 
LVL 8

Expert Comment

by:bsohn417
ID: 26180213
You may need to add a route to your PC.
Please do a tracert after connecting to your VPN.
 

Author Comment

by:nabeel92
ID: 26185647
Yes, as soon as the VPN connects, I lose the default gateway of my original internet connection and consequently lose the internet connection. Traceroute after connecting to the VPN shows that everything is trying to go via the VPN, i.e. the internet traffic.
I've attached my Cisco router configuration as well. This router is serving as DMVPN hub for some sites as well as IPsec peer with partners. I've followed the Cisco article whose link I posted above for configuring the remote VPN!
Thanks!
VPN Router configuration
 
VPN-Hub#  sh running-config 
Building configuration... 
  
Current configuration : 13341 bytes 
! 
version 12.4 
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname VPN-Hub 
! 
boot-start-marker 
boot system flash c1841-advipservicesk9-mz.124-18.bin 
boot-end-marker 
! 
no logging console 
! 
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
ip cef 
! 
! 
! 
! 
ip flow-cache timeout active 1 
no ip domain lookup 
ip auth-proxy max-nodata-conns 3 
ip admission max-nodata-conns 3 
! 
! 
! 
! 
! 
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 15 
 encr aes 
 hash md5 
 authentication pre-share 
 group 2 
! 
crypto isakmp policy 20 
 encr aes 256 
 authentication pre-share 
 group 2 
 lifetime 28800 
! 
crypto isakmp policy 25 
 encr 3des 
 authentication pre-share 
 group 2 
crypto isakmp key xxx address x.x.x.x 
crypto isakmp key xxxx address x.x.x.x 
crypto isakmp key xxx address 0.0.0.0 0.0.0.0 
! 
crypto isakmp client configuration group 3000clients
 key xxx
 dns x.x.x.x
 wins x.x.x.x
 domain abc.net
 pool ippool

! 
crypto ipsec transform-set tset esp-aes 
 mode transport 
crypto ipsec transform-set crazy_johns_tset esp-aes 256 esp-sha-hmac 
crypto ipsec transform-set tset_vodafone esp-3des esp-sha-hmac 
crypto ipsec transform-set myset esp-3des esp-md5-hmac
! 
crypto ipsec profile cisco 
 set transform-set tset 
! 
!
crypto dynamic-map dynmap 170
 set transform-set myset
!
!
crypto map cj_map client authentication list userauthen
crypto map cj_map isakmp authorization list groupauthor
crypto map cj_map client configuration address respond
crypto map cj_map 10 ipsec-isakmp 
 set peer x.x.x.x 
 set transform-set crazy_johns_tset 
 match address 102 
crypto map cj_map 160 ipsec-isakmp 
 set peer x.x.x.x
 set transform-set tset_vodafone 
 match address vodafone_vpn_acl 
! 
! 
! 
interface Tunnel0 
 ip address 172.20.1.1 255.255.0.0 
 no ip redirects 
 ip mtu 1400 
 ip nhrp authentication xxx 
 ip nhrp map multicast dynamic 
 ip nhrp network-id 1 
 ip tcp adjust-mss 1360 
 qos pre-classify 
 tunnel source 203.38.180.222 
 tunnel mode gre multipoint 
 tunnel key xxx 
 tunnel protection ipsec profile cisco 
! 
interface FastEthernet0/0 
 ip address 203.38.180.222 255.255.255.224 
 ip nat outside 
 ip virtual-reassembly 
 ip route-cache flow 
 duplex auto 
 speed auto 
 crypto map cj_map 
! 
interface FastEthernet0/1 
 ip address 172.16.0.194 255.255.255.248 
 ip nat inside 
 ip virtual-reassembly 
 ip route-cache flow 
 duplex auto 
 speed auto 
! 
router eigrp 2 
 redistribute static route-map test 
 network 172.16.0.192 0.0.0.7 
 network 172.20.0.0 
 distance eigrp 180 180 
 no auto-summary 
! 
! 
ip local pool ippool 14.1.1.1 14.1.1.20
ip forward-protocol nd 
ip route 0.0.0.0 0.0.0.0 203.38.180.193 
ip route 10.0.8.0 255.255.255.0 172.16.0.193 
ip route 14.0.0.0 255.0.0.0 FastEthernet0/0
! 
ip nat pool abc 203.38.180.200 203.38.180.200 netmask 255.255.255.224 
ip nat inside source list 101 pool abc overload 
! 
ip access-list extended vodafone_vpn_acl 
 permit ip host 203.38.180.200 host 203.20.33.225 
 permit ip host 203.38.180.200 host 203.20.33.226 
 permit ip host 203.38.180.200 host 203.20.33.227 
 permit ip host 203.38.180.200 host 203.20.33.228 
 permit ip host 203.38.180.200 host 203.20.33.229 
 permit ip host 203.38.180.200 host 203.20.32.34 
 permit ip host 203.38.180.200 host 203.20.33.239 
 deny   gre any any 
 deny   ip any any 
  
  
access-list 1 permit 10.0.8.0 0.0.0.255 
access-list 101 remark Natting ACL 
access-list 101 permit udp any host 203.20.33.4 eq isakmp 
access-list 101 permit ip any 203.20.33.224 0.0.0.31 
access-list 101 deny   udp any any eq isakmp 
access-list 101 deny   gre any any 
access-list 101 deny   ip 10.152.0.0 0.0.0.255 10.154.102.0 0.0.0.255 
access-list 101 deny   ip 10.0.9.0 0.0.0.255 10.144.38.0 0.0.0.255 
access-list 101 deny   ip 10.152.0.0 0.0.0.255 10.154.23.0 0.0.0.255 
access-list 101 deny   ip 10.152.0.0 0.0.0.255 172.26.0.64 0.0.0.63 
access-list 101 deny   ip 10.0.8.0 0.0.0.255 172.26.0.64 0.0.0.63 
access-list 101 deny   ip 10.152.0.0 0.0.0.255 10.152.61.0 0.0.0.255 
access-list 101 permit ip any any 
access-list 102 remark CrazyJohns Interesting traffic 
access-list 102 permit ip 10.152.0.0 0.0.0.255 172.26.0.64 0.0.0.63 
access-list 102 permit ip host 10.0.8.35 172.26.0.64 0.0.0.63 
access-list 102 permit ip host 10.0.8.36 172.26.0.64 0.0.0.63 
access-list 102 permit ip host 10.0.8.37 172.26.0.64 0.0.0.63 
access-list 102 deny   gre any any 
access-list 102 deny   ip any any 
  
! 
route-map test permit 10 
 match ip address 1 
! 
! 
! 
control-plane 
! 
! 
! 
line con 0 
line aux 0 
line vty 0 4 
 login local 
! 
scheduler allocate 20000 1000 
end

 

Author Comment

by:nabeel92
ID: 26185695
Hi Guys,
I'm having a read on Google now and the term I've come across is split tunneling. It's saying that I need to enable split tunneling on the VPN router for my user to have VPN as well as internet access at the same time. I'm trying to find a config for that now!
 

Accepted Solution

by: nabeel92 (earned 0 total points)
ID: 26186422
OK... All I had to do was add an ACL entry in the client group telling it which networks are secured and which are not. Once that was done, I didn't lose my internet connectivity, as the internet traffic went unsecured and traffic to specific hosts went secured, i.e. the ones in the ACL.

Given below is my entry

Extended IP access list split-tunnel-acl
    5 permit ip 172.16.0.192 0.0.0.7 14.0.0.0 0.255.255.255
    7 permit ip 172.16.0.16 0.0.0.7 14.0.0.0 0.255.255.255
    10 permit ip 10.0.8.0 0.0.0.255 14.0.0.0 0.255.255.255
    15 permit ip 10.0.9.0 0.0.0.255 14.0.0.0 0.255.255.255

and then call this ACL in the VPN clients' group

crypto isakmp client configuration group 3000clients
acl split-tunnel-acl

But I've come across another weird issue during this implementation... I can access the internet fine, no problem, but if I try to ping my private host via the VPN, in this case a private server 10.0.8.35, one ping works and the next one times out, the 3rd one works and the fourth times out. Can't figure out why that might happen? Given below is the output

C:\Documents and Settings\user1\Desktop>ping 10.0.8.35 -t

Pinging 10.0.8.35 with 32 bytes of data:

Reply from 10.0.8.35: bytes=32 time=84ms TTL=125
Request timed out.
Reply from 10.0.8.35: bytes=32 time=82ms TTL=125
Request timed out.

Ping statistics for 10.0.8.35:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 82ms, Maximum = 84ms, Average = 83ms
Control-C
^C
C:\Documents and Settings\user1\Desktop>tracert 10.0.8.35

Tracing route to 10.0.8.35 over a maximum of 30 hops

  1    66 ms   255 ms    66 ms  203.38.180.222
  2     *      204 ms     *     172.16.0.193
  3     *       67 ms     *     10.0.8.35
  4   241 ms     *       68 ms  10.0.8.35

Trace complete.

A bit about the setup.

VPN Router <---> Core-Router-2 <---> connected to private network 10.0.8.x and 10.0.9.x

Core-Router-2 has a route to 14.0.0.0 destination to go to VPN router.
 

Author Comment

by:nabeel92
ID: 26186577
OK, I missed that reverse route command, and after adding that, no issues. Ping was just fine after that!
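Putting the two fixes from this thread together (the split-tunnel ACL from the accepted solution and the reverse-route command from the final comment), here is the relevant fragment as it would look on the hub. This is an added example, not the poster's running config: the group name 3000clients, the dynamic map dynmap 170, the pool ippool and the ACL contents are taken from the thread, while the crypto map sequence number 65535 that binds the dynamic map to cj_map is an assumption (the posted config does not show that line).

```cisco
! Added example, not the poster's running config. Names come from the thread;
! the "crypto map cj_map 65535" binding line is assumed, not shown on the page.
!
! Split-tunnel ACL: source = internal networks the client may reach,
! destination = the client address pool (14.0.0.0/8, matching "ip local pool ippool").
! Only traffic matching these lines is sent into the tunnel; everything else
! leaves through the client's normal default gateway in the clear.
ip access-list extended split-tunnel-acl
 permit ip 172.16.0.192 0.0.0.7 14.0.0.0 0.255.255.255
 permit ip 172.16.0.16 0.0.0.7 14.0.0.0 0.255.255.255
 permit ip 10.0.8.0 0.0.0.255 14.0.0.0 0.255.255.255
 permit ip 10.0.9.0 0.0.0.255 14.0.0.0 0.255.255.255
!
! Push the ACL to the client in the mode-config reply; the client installs
! routes only for these networks and keeps its own default route.
crypto isakmp client configuration group 3000clients
 key xxx
 dns x.x.x.x
 wins x.x.x.x
 domain abc.net
 pool ippool
 acl split-tunnel-acl
!
! reverse-route installs a host route for each connected client's pool
! address when its SA comes up, so return traffic from the inside is
! routed to the right peer. Without it the hub's only route to the pool was
! the catch-all "ip route 14.0.0.0 255.0.0.0 FastEthernet0/0".
crypto dynamic-map dynmap 170
 set transform-set myset
 reverse-route
!
! Assumed binding of the dynamic map to the crypto map already on Fa0/0
! (high sequence number so the static peers 10 and 160 are matched first).
crypto map cj_map 65535 ipsec-isakmp dynamic dynmap
```

To verify, on the hub `show ip route static` should list a /32 for the client's pool address once it is connected, and `show crypto ipsec sa` should show the split-tunnel networks as the local identities; on the Windows client `route print` should still show the original 0.0.0.0 default route plus one route per split-tunnel network pointing into the VPN adapter. Two caveats worth keeping in mind: the RRI /32 routes are not advertised to Core-Router-2, because route-map test only redistributes 10.0.8.0/24 (access-list 1) into EIGRP, so the static route for 14.0.0.0 on Core-Router-2 that the poster mentions is what carries the return traffic; and split tunneling puts the client on the Internet and the internal network at the same time, so the ACL should name only the networks the clients genuinely need (as the one above does, rather than something like 10.0.0.0/8). The ISAKMP policies and transform set used for the clients (3DES, MD5) were common in 2010 but are not recommended today; prefer AES and SHA-2 where the client software supports them.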
