kings,

Any luck? What could be the reason for the internet going down after the VPN is established?

On Tue, Oct 11, 2011 at 4:48 PM, yusef sheriff <[email protected]> wrote:
> Yes. The default route points to the dialer interface.
>
> Route information with VPN DOWN:
>
> S*   0.0.0.0/0 [1/0] via 82.178.108.1
>                is directly connected, Dialer1
>      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
> C       10.10.10.0/24 is directly connected, GigabitEthernet0/0
> L       10.10.10.1/32 is directly connected, GigabitEthernet0/0
>      82.0.0.0/32 is subnetted, 2 subnets
> C       82.178.108.1 is directly connected, Dialer1
> C       82.178.111.131 is directly connected, Dialer1
>      172.23.0.0/24 is subnetted, 2 subnets
> S       172.23.1.0 [1/0] via 10.10.10.2
> S       172.23.2.0 [1/0] via 10.10.10.2
>
> Route information with VPN UP:
>
> S*   0.0.0.0/0 [1/0] via 82.178.108.1
>                is directly connected, Dialer1
>      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
> C       10.10.10.0/24 is directly connected, GigabitEthernet0/0
> L       10.10.10.1/32 is directly connected, GigabitEthernet0/0
>      82.0.0.0/32 is subnetted, 2 subnets
> C       82.178.108.1 is directly connected, Dialer1
> C       82.178.111.131 is directly connected, Dialer1
>      172.23.0.0/24 is subnetted, 2 subnets
> S       172.23.1.0 [1/0] via 10.10.10.2
> S       172.23.2.0 [1/0] via 10.10.10.2
>
>
> On Tue, Oct 11, 2011 at 4:42 PM, Kingsley Charles <[email protected]> wrote:
>
>> Interesting, did you check your routing table?
>>
>> With regards
>> Kings
>>
>>
>> On Tue, Oct 11, 2011 at 6:11 PM, yusef sheriff <[email protected]> wrote:
>>
>>> Yes. Only 172.16.0.0 is reachable.
>>>
>>>
>>> On Tue, Oct 11, 2011 at 4:37 PM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> With split tunneling, the destination entry of the ACL is ignored and
>>>> hence you can see that split tunneling entries 1, 2 and 3 are the same. Just an
>>>> info that has nothing to do with the Internet disconnectivity.
>>>>
>>>>
>>>> Now, are destinations other than 172.16.0.0/16 not reachable for you?
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>>
>>>> On Tue, Oct 11, 2011 at 5:18 PM, yusef sheriff <[email protected]> wrote:
>>>>
>>>>> Please find the output below:
>>>>>
>>>>> Router#sh crypto ipsec client ezvpn
>>>>> Easy VPN Remote Phase: 8
>>>>>
>>>>> Tunnel name : ASA
>>>>> Inside interface list: GigabitEthernet0/0
>>>>> Outside interface: Dialer1
>>>>> Connect : ACL based with access-list 105
>>>>> Current State: IPSEC_ACTIVE
>>>>> Last Event: MTU_CHANGED
>>>>> DNS Primary: 172.16.1.95
>>>>> Default Domain: habtoorengg.co.ae
>>>>> Save Password: Allowed
>>>>> Split Tunnel List: 1
>>>>>        Address    : 172.16.0.0
>>>>>        Mask       : 255.255.0.0
>>>>>        Protocol   : 0x0
>>>>>        Source Port: 0
>>>>>        Dest Port  : 0
>>>>> Split Tunnel List: 2
>>>>>        Address    : 172.16.0.0
>>>>>        Mask       : 255.255.0.0
>>>>>        Protocol   : 0x0
>>>>>        Source Port: 0
>>>>>        Dest Port  : 0
>>>>> Split Tunnel List: 3
>>>>>        Address    : 172.16.0.0
>>>>>        Mask       : 255.255.0.0
>>>>>        Protocol   : 0x0
>>>>>        Source Port: 0
>>>>>        Dest Port  : 0
>>>>> Current EzVPN Peer: 213.42.108.130
>>>>>
>>>>>
>>>>> On Tue, Oct 11, 2011 at 2:28 PM, Kingsley Charles <[email protected]> wrote:
>>>>>
>>>>>> Can you paste the "sh crypto ipsec client ezvpn" O/P.
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>>
>>>>>> On Tue, Oct 11, 2011 at 3:15 PM, yusef sheriff <[email protected]> wrote:
>>>>>>
>>>>>>> Yes. It's configured.
>>>>>>> ASA configuration:
>>>>>>>
>>>>>>> access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0 255.255.0.0 172.23.1.0 255.255.255.0
>>>>>>> access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0 255.255.0.0 172.23.2.0 255.255.255.0
>>>>>>> access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0 255.255.0.0 10.10.10.0 255.255.255.0
>>>>>>>
>>>>>>> group-policy aooman attributes
>>>>>>>  vpn-tunnel-protocol IPSec
>>>>>>>  password-storage enable
>>>>>>>  split-tunnel-policy tunnelspecified
>>>>>>>  split-tunnel-network-list value omanao-tunnel_splitTunnelAcl_1
>>>>>>>  default-domain value habtoorengg.co.ae
>>>>>>>  nem enable
>>>>>>>
>>>>>>> tunnel-group aooman type remote-access
>>>>>>> tunnel-group aooman general-attributes
>>>>>>>  default-group-policy aooman
>>>>>>> tunnel-group aooman ipsec-attributes
>>>>>>>  pre-shared-key *
>>>>>>>
>>>>>>> The crypto map is a standard configuration.
>>>>>>>
>>>>>>> On Tue, Oct 11, 2011 at 1:35 PM, Kingsley Charles <[email protected]> wrote:
>>>>>>>
>>>>>>>> Have you configured split tunneling on the ASA?
>>>>>>>>
>>>>>>>>
>>>>>>>> With regards
>>>>>>>> Kings
>>>>>>>>
>>>>>>>> On Tue, Oct 11, 2011 at 12:45 PM, yusef sheriff <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi All,
>>>>>>>>>
>>>>>>>>> I have configured an EZVPN server on an ASA and the remote client is an IOS
>>>>>>>>> router. The VPN is able to connect without any issue. But the remote clients
>>>>>>>>> are losing internet connectivity, and the NAT translation table becomes empty once
>>>>>>>>> I applied the crypto ipsec ezvpn outside on the dialer interface. Below is the
>>>>>>>>> configuration of the router.
>>>>>>>>>
>>>>>>>>> =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.10.11 11:07:53 =~=~=~=~=~=~=~=~=~=~=~=
>>>>>>>>> sh run
>>>>>>>>> Building configuration...
>>>>>>>>> Current configuration : 2999 bytes
>>>>>>>>> !
>>>>>>>>> ! Last configuration change at 07:03:00 UTC Tue Oct 11 2011
>>>>>>>>> !
>>>>>>>>> version 15.0
>>>>>>>>> service config
>>>>>>>>> service timestamps debug datetime msec
>>>>>>>>> service timestamps log datetime msec
>>>>>>>>> service password-encryption
>>>>>>>>> !
>>>>>>>>> hostname Router
>>>>>>>>> !
>>>>>>>>> boot-start-marker
>>>>>>>>> boot-end-marker
>>>>>>>>> !
>>>>>>>>> no aaa new-model
>>>>>>>>> !
>>>>>>>>> no ipv6 cef
>>>>>>>>> ip source-route
>>>>>>>>> ip cef
>>>>>>>>> !
>>>>>>>>> redundancy
>>>>>>>>> !
>>>>>>>>> crypto ipsec client ezvpn ASA
>>>>>>>>>  connect acl 105
>>>>>>>>>  group aooman key hlg2oma@vpn
>>>>>>>>>  mode network-extension
>>>>>>>>>  peer 213.42.108.130
>>>>>>>>>  username hlgoman password us@hlom
>>>>>>>>>  xauth userid mode local
>>>>>>>>> !
>>>>>>>>> interface GigabitEthernet0/0
>>>>>>>>>  ip address 10.10.10.1 255.255.255.0
>>>>>>>>>  ip access-group 100 out
>>>>>>>>>  ip nat inside
>>>>>>>>>  ip virtual-reassembly
>>>>>>>>>  duplex auto
>>>>>>>>>  speed auto
>>>>>>>>>  crypto ipsec client ezvpn ASA inside
>>>>>>>>> !
>>>>>>>>> interface GigabitEthernet0/1
>>>>>>>>>  no ip address
>>>>>>>>>  duplex auto
>>>>>>>>>  speed auto
>>>>>>>>>  pppoe enable group global
>>>>>>>>>  pppoe-client dial-pool-number 1
>>>>>>>>>  no cdp enable
>>>>>>>>> !
>>>>>>>>> interface GigabitEthernet0/2
>>>>>>>>>  no ip address
>>>>>>>>>  shutdown
>>>>>>>>>  duplex auto
>>>>>>>>>  speed auto
>>>>>>>>> !
>>>>>>>>> interface Dialer0
>>>>>>>>>  no ip address
>>>>>>>>> !
>>>>>>>>> interface Dialer1
>>>>>>>>>  ip address negotiated
>>>>>>>>>  ip access-group 101 in
>>>>>>>>>  ip mtu 1492
>>>>>>>>>  ip nat outside
>>>>>>>>>  ip virtual-reassembly
>>>>>>>>>  encapsulation ppp
>>>>>>>>>  ip tcp adjust-mss 1452
>>>>>>>>>  dialer pool 1
>>>>>>>>>  dialer-group 1
>>>>>>>>>  ppp authentication chap pap callin
>>>>>>>>>  ppp chap hostname hlgoman
>>>>>>>>>  ppp chap password 7 15160D1A503A797C2E
>>>>>>>>>  ppp pap sent-username hlgoman password 7 06020937185E5B410357
>>>>>>>>>  ppp ipcp dns request accept
>>>>>>>>>  ppp ipcp route default
>>>>>>>>>  ppp ipcp address accept
>>>>>>>>> !
>>>>>>>>> ip forward-protocol nd
>>>>>>>>> !
>>>>>>>>> no ip http server
>>>>>>>>> no ip http secure-server
>>>>>>>>> !
>>>>>>>>> ip nat inside source route-map nonat interface Dialer1 overload
>>>>>>>>> ip route 0.0.0.0 0.0.0.0 Dialer1
>>>>>>>>> ip route 172.23.1.0 255.255.255.0 10.10.10.2
>>>>>>>>> ip route 172.23.2.0 255.255.255.0 10.10.10.2
>>>>>>>>> !
>>>>>>>>> ip access-list extended VPN_ACCESS
>>>>>>>>>  deny   ip 172.23.1.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>>>>>  deny   ip 172.23.2.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>>>>>  deny   ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>>>>>  permit ip 172.23.1.0 0.0.0.255 any
>>>>>>>>>  permit ip 172.23.2.0 0.0.0.255 any
>>>>>>>>>  permit ip 10.10.10.0 0.0.0.255 any
>>>>>>>>> !
>>>>>>>>> access-list 10 permit 172.23.2.0 0.0.0.255
>>>>>>>>> access-list 10 permit 172.23.1.0 0.0.0.255
>>>>>>>>> access-list 10 permit 10.10.10.0 0.0.0.255
>>>>>>>>> access-list 100 permit ip any any
>>>>>>>>> access-list 101 permit ip any any
>>>>>>>>> access-list 105 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>>>>> access-list 105 permit ip 172.23.1.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>>>>> access-list 105 permit ip 172.23.2.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>>>>> access-list 106 permit ip 172.23.1.0 0.0.0.255 any
>>>>>>>>> access-list 106 permit ip 172.23.2.0 0.0.0.255 any
>>>>>>>>> access-list 106 permit ip 10.10.10.0 0.0.0.255 any
>>>>>>>>> dialer-list 1 protocol ip permit
>>>>>>>>> !
>>>>>>>>> route-map EVPN permit 1
>>>>>>>>>  match ip address 105
>>>>>>>>> !
>>>>>>>>> route-map nonat permit 10
>>>>>>>>>  match ip address VPN_ACCESS
>>>>>>>>> !
>>>>>>>>> control-plane
>>>>>>>>> !
>>>>>>>>> line con 0
>>>>>>>>> line aux 0
>>>>>>>>> line vty 0 4
>>>>>>>>>  password 7 07062C584F0A485744
>>>>>>>>>  login
>>>>>>>>> !
>>>>>>>>> scheduler allocate 20000 1000
>>>>>>>>> end
>>>>>>>>> Router#
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>>> please visit www.ipexpert.com
>>>>>>>>>
>>>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>>>>> www.PlatinumPlacement.com
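Added example, not part of the thread and not the poster's own configuration. Kings' point above is that the ASA keys a split-tunnel list on the network field of each ACE only, which is why the three extended ACEs pushed to the router all show up as 172.16.0.0/255.255.0.0. The fragment below puts the posted list next to the equivalent single-line standard ACL that states only what the ASA actually evaluates; the ACL name SPLIT_TUNNEL_NETS is a hypothetical name chosen for this example.

```cisco
! Added example (not from the thread). Split-tunnel list for group-policy aooman.
!
! As posted: three extended ACEs. Split tunneling on the ASA uses only the
! network (first) address/mask of each entry, so all three collapse to
! 172.16.0.0/16 on the client and the 172.23.x.0 / 10.10.10.0 destination
! fields are never consulted.
access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0 255.255.0.0 172.23.1.0 255.255.255.0
access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0 255.255.0.0 172.23.2.0 255.255.255.0
access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0 255.255.0.0 10.10.10.0 255.255.255.0
!
! Equivalent standard ACL: one entry, one network, no misleading destination.
! SPLIT_TUNNEL_NETS is a hypothetical name used for this example only.
access-list SPLIT_TUNNEL_NETS standard permit 172.16.0.0 255.255.0.0
!
group-policy aooman attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_NETS
```

After the client reconnects, "show crypto ipsec client ezvpn" on the router should list a single Split Tunnel List entry (Address 172.16.0.0, Mask 255.255.0.0) instead of three identical ones. This changes which networks the client tunnels not at all, so it is a clean-up of the policy rather than a fix for the lost NAT translations reported in the thread.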
