When you say you can't reach the Internet, what do you actually mean? Can't you ping any IP address on the Internet?

With regards
Kings

On Sat, Oct 22, 2011 at 10:34 AM, yusef sheriff <[email protected]> wrote:

> kings,
>
> Any luck? what could be reason for internet going down after VPN is
> established?
>
> On Tue, Oct 11, 2011 at 4:48 PM, yusef sheriff <[email protected]> wrote:
>
>> Yes. default route is point to dialer interface
>>
>> route information without VPN DOWN.
>>
>> S*    0.0.0.0/0 [1/0] via 82.178.108.1
>>                 is directly connected, Dialer1
>>       10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
>> C        10.10.10.0/24 is directly connected, GigabitEthernet0/0
>> L        10.10.10.1/32 is directly connected, GigabitEthernet0/0
>>       82.0.0.0/32 is subnetted, 2 subnets
>> C        82.178.108.1 is directly connected, Dialer1
>> C        82.178.111.131 is directly connected, Dialer1
>>       172.23.0.0/24 is subnetted, 2 subnets
>> S        172.23.1.0 [1/0] via 10.10.10.2
>> S        172.23.2.0 [1/0] via 10.10.10.2
>>
>> route information with VPN UP
>>
>> S*    0.0.0.0/0 [1/0] via 82.178.108.1
>>                 is directly connected, Dialer1
>>       10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
>> C        10.10.10.0/24 is directly connected, GigabitEthernet0/0
>> L        10.10.10.1/32 is directly connected, GigabitEthernet0/0
>>       82.0.0.0/32 is subnetted, 2 subnets
>> C        82.178.108.1 is directly connected, Dialer1
>> C        82.178.111.131 is directly connected, Dialer1
>>       172.23.0.0/24 is subnetted, 2 subnets
>> S        172.23.1.0 [1/0] via 10.10.10.2
>> S        172.23.2.0 [1/0] via 10.10.10.2
>>
>> On Tue, Oct 11, 2011 at 4:42 PM, Kingsley Charles <[email protected]> wrote:
>>
>>> Interesting, did you check your routing table?
>>>
>>> With regards
>>> Kings
>>>
>>> On Tue, Oct 11, 2011 at 6:11 PM, yusef sheriff <[email protected]> wrote:
>>>
>>>> Yes. only 172.16.0.0 is reachable.
>>>>
>>>> On Tue, Oct 11, 2011 at 4:37 PM, Kingsley Charles <[email protected]> wrote:
>>>>
>>>>> With split tunneling, the destination entry of the ACL is ignored and
>>>>> hence you can see that split tunneling entry 1, 2 and 3 are same. Just an
>>>>> info that has nothing to do with the Internet disconnectivity.
>>>>>
>>>>> Now, is destinations other than 172.16.0.0/16 not reachable for you?
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> On Tue, Oct 11, 2011 at 5:18 PM, yusef sheriff <[email protected]> wrote:
>>>>>
>>>>>> please find the output below:-
>>>>>>
>>>>>> Router#sh crypto ipsec client ez
>>>>>> Router#sh crypto ipsec client ezvpn
>>>>>> Easy VPN Remote Phase: 8
>>>>>>
>>>>>> Tunnel name : ASA
>>>>>> Inside interface list: GigabitEthernet0/0
>>>>>> Outside interface: Dialer1
>>>>>> Connect : ACL based with access-list 105
>>>>>> Current State: IPSEC_ACTIVE
>>>>>> Last Event: MTU_CHANGED
>>>>>> DNS Primary: 172.16.1.95
>>>>>> Default Domain: habtoorengg.co.ae
>>>>>> Save Password: Allowed
>>>>>> Split Tunnel List: 1
>>>>>>        Address    : 172.16.0.0
>>>>>>        Mask       : 255.255.0.0
>>>>>>        Protocol   : 0x0
>>>>>>        Source Port: 0
>>>>>>        Dest Port  : 0
>>>>>> Split Tunnel List: 2
>>>>>>        Address    : 172.16.0.0
>>>>>>        Mask       : 255.255.0.0
>>>>>>        Protocol   : 0x0
>>>>>>        Source Port: 0
>>>>>>        Dest Port  : 0
>>>>>> Split Tunnel List: 3
>>>>>>        Address    : 172.16.0.0
>>>>>>        Mask       : 255.255.0.0
>>>>>>        Protocol   : 0x0
>>>>>>        Source Port: 0
>>>>>>        Dest Port  : 0
>>>>>> Current EzVPN Peer: 213.42.108.130
>>>>>>
>>>>>> On Tue, Oct 11, 2011 at 2:28 PM, Kingsley Charles <[email protected]> wrote:
>>>>>>
>>>>>>> Can you paste the "sh crypto ipsec client ezvpn" O/P.
>>>>>>>
>>>>>>> With regards
>>>>>>> Kings
>>>>>>>
>>>>>>> On Tue, Oct 11, 2011 at 3:15 PM, yusef sheriff <[email protected]> wrote:
>>>>>>>
>>>>>>>> Yes. it's configured. ASA configuration:
>>>>>>>>
>>>>>>>> access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0 255.255.0.0 172.23.1.0 255.255.255.0
>>>>>>>> access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0 255.255.0.0 172.23.2.0 255.255.255.0
>>>>>>>> access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0 255.255.0.0 10.10.10.0 255.255.255.0
>>>>>>>>
>>>>>>>> group-policy aooman attributes
>>>>>>>>  vpn-tunnel-protocol IPSec
>>>>>>>>  password-storage enable
>>>>>>>>  split-tunnel-policy tunnelspecified
>>>>>>>>  split-tunnel-network-list value omanao-tunnel_splitTunnelAcl_1
>>>>>>>>  default-domain value habtoorengg.co.ae
>>>>>>>>  nem enable
>>>>>>>>
>>>>>>>> tunnel-group aooman type remote-access
>>>>>>>> tunnel-group aooman general-attributes
>>>>>>>>  default-group-policy aooman
>>>>>>>> tunnel-group aooman ipsec-attributes
>>>>>>>>  pre-shared-key *
>>>>>>>>
>>>>>>>> crypto map are standard configuration
>>>>>>>>
>>>>>>>> On Tue, Oct 11, 2011 at 1:35 PM, Kingsley Charles <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Have you configured split tunneling on the ASA?
>>>>>>>>>
>>>>>>>>> With regards
>>>>>>>>> Kings
>>>>>>>>>
>>>>>>>>> On Tue, Oct 11, 2011 at 12:45 PM, yusef sheriff <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi All,
>>>>>>>>>>
>>>>>>>>>> I have configured EZVPN server on ASA and remote client is IOS
>>>>>>>>>> router. VPN is able to connect without any issue. But in remote clients
>>>>>>>>>> are losing the internet connectivity, NAT translation becomes empty
>>>>>>>>>> once I applied the crypto ipsec ezvpn outside in dialer interfaces below is
>>>>>>>>>> configuration of router.
>>>>>>>>>>
>>>>>>>>>> =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.10.11 11:07:53 =~=~=~=~=~=~=~=~=~=~=~=
>>>>>>>>>> sh run
>>>>>>>>>> Building configuration...
>>>>>>>>>> Current configuration : 2999 bytes
>>>>>>>>>> !
>>>>>>>>>> ! Last configuration change at 07:03:00 UTC Tue Oct 11 2011
>>>>>>>>>> !
>>>>>>>>>> version 15.0
>>>>>>>>>> service config
>>>>>>>>>> service timestamps debug datetime msec
>>>>>>>>>> service timestamps log datetime msec
>>>>>>>>>> service password-encryption
>>>>>>>>>> !
>>>>>>>>>> hostname Router
>>>>>>>>>> !
>>>>>>>>>> boot-start-marker
>>>>>>>>>> boot-end-marker
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> no aaa new-model
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> no ipv6 cef
>>>>>>>>>> ip source-route
>>>>>>>>>> ip cef
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> redundancy
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> crypto ipsec client ezvpn ASA
>>>>>>>>>>  connect acl 105
>>>>>>>>>>  group aooman key hlg2oma@vpn
>>>>>>>>>>  mode network-extension
>>>>>>>>>>  peer 213.42.108.130
>>>>>>>>>>  username hlgoman password us@hlom
>>>>>>>>>>  xauth userid mode local
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> interface GigabitEthernet0/0
>>>>>>>>>>  ip address 10.10.10.1 255.255.255.0
>>>>>>>>>>  ip access-group 100 out
>>>>>>>>>>  ip nat inside
>>>>>>>>>>  ip virtual-reassembly
>>>>>>>>>>  duplex auto
>>>>>>>>>>  speed auto
>>>>>>>>>>  crypto ipsec client ezvpn ASA inside
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> interface GigabitEthernet0/1
>>>>>>>>>>  no ip address
>>>>>>>>>>  duplex auto
>>>>>>>>>>  speed auto
>>>>>>>>>>  pppoe enable group global
>>>>>>>>>>  pppoe-client dial-pool-number 1
>>>>>>>>>>  no cdp enable
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> interface GigabitEthernet0/2
>>>>>>>>>>  no ip address
>>>>>>>>>>  shutdown
>>>>>>>>>>  duplex auto
>>>>>>>>>>  speed auto
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> interface Dialer0
>>>>>>>>>>  no ip address
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> interface Dialer1
>>>>>>>>>>  ip address negotiated
>>>>>>>>>>  ip access-group 101 in
>>>>>>>>>>  ip mtu 1492
>>>>>>>>>>  ip nat outside
>>>>>>>>>>  ip virtual-reassembly
>>>>>>>>>>  encapsulation ppp
>>>>>>>>>>  ip tcp adjust-mss 1452
>>>>>>>>>>  dialer pool 1
>>>>>>>>>>  dialer-group 1
>>>>>>>>>>  ppp authentication chap pap callin
>>>>>>>>>>  ppp chap hostname hlgoman
>>>>>>>>>>  ppp chap password 7 15160D1A503A797C2E
>>>>>>>>>>  ppp pap sent-username hlgoman password 7 06020937185E5B410357
>>>>>>>>>>  ppp ipcp dns request accept
>>>>>>>>>>  ppp ipcp route default
>>>>>>>>>>  ppp ipcp address accept
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> ip forward-protocol nd
>>>>>>>>>> !
>>>>>>>>>> no ip http server
>>>>>>>>>> no ip http secure-server
>>>>>>>>>> !
>>>>>>>>>> ip nat inside source route-map nonat interface Dialer1 overload
>>>>>>>>>> ip route 0.0.0.0 0.0.0.0 Dialer1
>>>>>>>>>> ip route 172.23.1.0 255.255.255.0 10.10.10.2
>>>>>>>>>> ip route 172.23.2.0 255.255.255.0 10.10.10.2
>>>>>>>>>> !
>>>>>>>>>> ip access-list extended VPN_ACCESS
>>>>>>>>>>  deny ip 172.23.1.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>>>>>>  deny ip 172.23.2.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>>>>>>  deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>>>>>>  permit ip 172.23.1.0 0.0.0.255 any
>>>>>>>>>>  permit ip 172.23.2.0 0.0.0.255 any
>>>>>>>>>>  permit ip 10.10.10.0 0.0.0.255 any
>>>>>>>>>> !
>>>>>>>>>> access-list 10 permit 172.23.2.0 0.0.0.255
>>>>>>>>>> access-list 10 permit 172.23.1.0 0.0.0.255
>>>>>>>>>> access-list 10 permit 10.10.10.0 0.0.0.255
>>>>>>>>>> access-list 100 permit ip any any
>>>>>>>>>> access-list 101 permit ip any any
>>>>>>>>>> access-list 105 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>>>>>> access-list 105 permit ip 172.23.1.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>>>>>> access-list 105 permit ip 172.23.2.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>>>>>> access-list 106 permit ip 172.23.1.0 0.0.0.255 any
>>>>>>>>>> access-list 106 permit ip 172.23.2.0 0.0.0.255 any
>>>>>>>>>> access-list 106 permit ip 10.10.10.0 0.0.0.255 any
>>>>>>>>>> dialer-list 1 protocol ip permit
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> route-map EVPN permit 1
>>>>>>>>>>  match ip address 105
>>>>>>>>>> !
>>>>>>>>>> route-map nonat permit 10
>>>>>>>>>>  match ip address VPN_ACCESS
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> control-plane
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> !
>>>>>>>>>> line con 0
>>>>>>>>>> line aux 0
>>>>>>>>>> line vty 0 4
>>>>>>>>>>  password 7 07062C584F0A485744
>>>>>>>>>>  login
>>>>>>>>>> !
>>>>>>>>>> scheduler allocate 20000 1000
>>>>>>>>>> end
>>>>>>>>>> Router#
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>>>> please visit www.ipexpert.com
>>>>>>>>>>
>>>>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>>>>>> www.PlatinumPlacement.com <http://www.platinumplacement.com/>
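
Added example (not part of the original thread): a small Python model of what the posted configuration implies for a single flow, combining the split-tunnel list from the `sh crypto ipsec client ezvpn` output with a first-match walk of `VPN_ACCESS` as used by `route-map nonat`. The function names are hypothetical and the host addresses in the sample flows are constructed.

```python
import ipaddress

# From the thread: ASA split-tunnel ACL as (src net, src mask, dst net, dst mask).
ASA_SPLIT_ACL = [
    ("172.16.0.0", "255.255.0.0", "172.23.1.0", "255.255.255.0"),
    ("172.16.0.0", "255.255.0.0", "172.23.2.0", "255.255.255.0"),
    ("172.16.0.0", "255.255.0.0", "10.10.10.0", "255.255.255.0"),
]
ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any" written as network + wildcard
HQ = ("172.16.0.0", "0.0.255.255")
# From the thread: VPN_ACCESS, matched by "route-map nonat permit 10".
VPN_ACCESS = [
    ("deny", ("172.23.1.0", "0.0.0.255"), HQ),
    ("deny", ("172.23.2.0", "0.0.0.255"), HQ),
    ("deny", ("10.10.10.0", "0.0.0.255"), HQ),
    ("permit", ("172.23.1.0", "0.0.0.255"), ANY),
    ("permit", ("172.23.2.0", "0.0.0.255"), ANY),
    ("permit", ("10.10.10.0", "0.0.0.255"), ANY),
]

def wildcard_match(addr, entry):
    """IOS wildcard semantics: bits set in the wildcard are 'don't care'."""
    net, wildcard = (int(ipaddress.IPv4Address(x)) for x in entry)
    care = ~wildcard & 0xFFFFFFFF
    return ((int(ipaddress.IPv4Address(addr)) ^ net) & care) == 0

def split_tunnel_networks(acl=ASA_SPLIT_ACL):
    """Only each ACE's source net/mask is used; the destination is ignored."""
    nets = {ipaddress.ip_network(f"{s}/{m}") for s, m, _d, _dm in acl}
    return sorted(nets)

def nat_applies(src, dst):
    """First-match walk of VPN_ACCESS with the implicit deny at the end."""
    for action, src_entry, dst_entry in VPN_ACCESS:
        if wildcard_match(src, src_entry) and wildcard_match(dst, dst_entry):
            return action == "permit"
    return False

def classify(src, dst):
    """Return (path, nat) that the posted configuration implies for one flow."""
    tunneled = any(ipaddress.ip_address(dst) in n for n in split_tunnel_networks())
    return ("tunnel" if tunneled else "direct",
            "nat" if nat_applies(src, dst) else "no-nat")

# Constructed sample flows; 192.0.2.10 stands in for an Internet host.
if __name__ == "__main__":
    for flow in [("10.10.10.5", "172.16.1.95"), ("10.10.10.5", "192.0.2.10")]:
        print(flow, classify(*flow))
```

The result is only what the ACLs as written say should happen; it gives a baseline to compare against the router's actual NAT table while the tunnel is up.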
