No, I am not able to ping the public IP address.

Regards,
yusef

On Sat, Oct 22, 2011 at 2:48 PM, Kingsley Charles <[email protected]> wrote:

> When you say, you can't reach internet, what do you actually mean? Can't
> you ping any IP address on the Internet?
>
> With regards
> Kings
>
>
> On Sat, Oct 22, 2011 at 10:34 AM, yusef sheriff <[email protected]> wrote:
>
>> kings,
>>
>> Any luck? what could be reason for internet going down after VPN is
>> established?
>> On Tue, Oct 11, 2011 at 4:48 PM, yusef sheriff <[email protected]> wrote:
>>
>>> Yes. default route is point to dialer interface
>>>
>>> route information without VPN DOWN.
>>>
>>> S*    0.0.0.0/0 [1/0] via 82.178.108.1
>>>                 is directly connected, Dialer1
>>>       10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
>>> C        10.10.10.0/24 is directly connected, GigabitEthernet0/0
>>> L        10.10.10.1/32 is directly connected, GigabitEthernet0/0
>>>       82.0.0.0/32 is subnetted, 2 subnets
>>> C        82.178.108.1 is directly connected, Dialer1
>>> C        82.178.111.131 is directly connected, Dialer1
>>>       172.23.0.0/24 is subnetted, 2 subnets
>>> S        172.23.1.0 [1/0] via 10.10.10.2
>>> S        172.23.2.0 [1/0] via 10.10.10.2
>>>
>>> route information with VPN UP
>>>
>>> S*    0.0.0.0/0 [1/0] via 82.178.108.1
>>>                 is directly connected, Dialer1
>>>       10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
>>> C        10.10.10.0/24 is directly connected, GigabitEthernet0/0
>>> L        10.10.10.1/32 is directly connected, GigabitEthernet0/0
>>>       82.0.0.0/32 is subnetted, 2 subnets
>>> C        82.178.108.1 is directly connected, Dialer1
>>> C        82.178.111.131 is directly connected, Dialer1
>>>       172.23.0.0/24 is subnetted, 2 subnets
>>> S        172.23.1.0 [1/0] via 10.10.10.2
>>> S        172.23.2.0 [1/0] via 10.10.10.2
>>>
>>>
>>> On Tue, Oct 11, 2011 at 4:42 PM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> Interesting, did you check your routing table?
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>>
>>>> On Tue, Oct 11, 2011 at 6:11 PM, yusef sheriff <[email protected]> wrote:
>>>>
>>>>> Yes. only 172.16.0.0 is reachable.
>>>>>
>>>>>
>>>>> On Tue, Oct 11, 2011 at 4:37 PM, Kingsley Charles <[email protected]> wrote:
>>>>>
>>>>>> With split tunneling, the destination entry of the ACL is ignored and
>>>>>> hence you can see that split tunneling entry 1, 2 and 3 are same. Just an
>>>>>> info that has nothing to do with the Internet disconnectivity.
>>>>>>
>>>>>>
>>>>>> Now, is destinations other than 172.16.0.0/16 not reachable for you?
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>>
>>>>>> On Tue, Oct 11, 2011 at 5:18 PM, yusef sheriff <[email protected]> wrote:
>>>>>>
>>>>>>> please find the output below:-
>>>>>>>
>>>>>>> Router#sh crypto ipsec client ez
>>>>>>> Router#sh crypto ipsec client ezvpn
>>>>>>> Easy VPN Remote Phase: 8
>>>>>>>
>>>>>>> Tunnel name : ASA
>>>>>>> Inside interface list: GigabitEthernet0/0
>>>>>>> Outside interface: Dialer1
>>>>>>> Connect : ACL based with access-list 105
>>>>>>> Current State: IPSEC_ACTIVE
>>>>>>> Last Event: MTU_CHANGED
>>>>>>> DNS Primary: 172.16.1.95
>>>>>>> Default Domain: habtoorengg.co.ae
>>>>>>> Save Password: Allowed
>>>>>>> Split Tunnel List: 1
>>>>>>>        Address    : 172.16.0.0
>>>>>>>        Mask       : 255.255.0.0
>>>>>>>        Protocol   : 0x0
>>>>>>>        Source Port: 0
>>>>>>>        Dest Port  : 0
>>>>>>> Split Tunnel List: 2
>>>>>>>        Address    : 172.16.0.0
>>>>>>>        Mask       : 255.255.0.0
>>>>>>>        Protocol   : 0x0
>>>>>>>        Source Port: 0
>>>>>>>        Dest Port  : 0
>>>>>>> Split Tunnel List: 3
>>>>>>>        Address    : 172.16.0.0
>>>>>>>        Mask       : 255.255.0.0
>>>>>>>        Protocol   : 0x0
>>>>>>>        Source Port: 0
>>>>>>>        Dest Port  : 0
>>>>>>> Current EzVPN Peer: 213.42.108.130
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Oct 11, 2011 at 2:28 PM, Kingsley Charles <[email protected]> wrote:
>>>>>>>
>>>>>>>> Can you paste the "sh crypto ipsec client ezvpn" O/P.
>>>>>>>>
>>>>>>>> With regards
>>>>>>>> Kings
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Oct 11, 2011 at 3:15 PM, yusef sheriff <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Yes. its configured.
>>>>>>>>> ASA configuration:
>>>>>>>>>
>>>>>>>>> access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0 255.255.0.0 172.23.1.0 255.255.255.0
>>>>>>>>> access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0 255.255.0.0 172.23.2.0 255.255.255.0
>>>>>>>>> access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0 255.255.0.0 10.10.10.0 255.255.255.0
>>>>>>>>>
>>>>>>>>> group-policy aooman attributes
>>>>>>>>>  vpn-tunnel-protocol IPSec
>>>>>>>>>  password-storage enable
>>>>>>>>>  split-tunnel-policy tunnelspecified
>>>>>>>>>  split-tunnel-network-list value omanao-tunnel_splitTunnelAcl_1
>>>>>>>>>  default-domain value habtoorengg.co.ae
>>>>>>>>>  nem enable
>>>>>>>>>
>>>>>>>>> tunnel-group aooman type remote-access
>>>>>>>>> tunnel-group aooman general-attributes
>>>>>>>>>  default-group-policy aooman
>>>>>>>>> tunnel-group aooman ipsec-attributes
>>>>>>>>>  pre-shared-key *
>>>>>>>>>
>>>>>>>>> crypto map are standard configuration
>>>>>>>>>
>>>>>>>>> On Tue, Oct 11, 2011 at 1:35 PM, Kingsley Charles <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Have you configured split tunneling on the ASA?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> With regards
>>>>>>>>>> Kings
>>>>>>>>>>
>>>>>>>>>> On Tue, Oct 11, 2011 at 12:45 PM, yusef sheriff <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi All,
>>>>>>>>>>>
>>>>>>>>>>> I have configured EZVPN server on ASA and remote client is IOS
>>>>>>>>>>> router. VPN is able connect without any issue. But in remote clients are
>>>>>>>>>>> losing the internet connectivity, NAT translation becomes empty once I
>>>>>>>>>>> applied the crypto ipsec ezvpn outside in dialer interfaces below is
>>>>>>>>>>> configuration of router.
>>>>>>>>>>>
>>>>>>>>>>> =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.10.11 11:07:53 =~=~=~=~=~=~=~=~=~=~=~=
>>>>>>>>>>> sh run
>>>>>>>>>>> Building configuration...
>>>>>>>>>>> Current configuration : 2999 bytes
>>>>>>>>>>> !
>>>>>>>>>>> ! Last configuration change at 07:03:00 UTC Tue Oct 11 2011
>>>>>>>>>>> !
>>>>>>>>>>> version 15.0
>>>>>>>>>>> service config
>>>>>>>>>>> service timestamps debug datetime msec
>>>>>>>>>>> service timestamps log datetime msec
>>>>>>>>>>> service password-encryption
>>>>>>>>>>> !
>>>>>>>>>>> hostname Router
>>>>>>>>>>> !
>>>>>>>>>>> boot-start-marker
>>>>>>>>>>> boot-end-marker
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> no aaa new-model
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> --More-- !
>>>>>>>>>>> !
>>>>>>>>>>> no ipv6 cef
>>>>>>>>>>> ip source-route
>>>>>>>>>>> ip cef
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> redundancy
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> --More-- !
>>>>>>>>>>> crypto ipsec client ezvpn ASA
>>>>>>>>>>>  connect acl 105
>>>>>>>>>>>  group aooman key hlg2oma@vpn
>>>>>>>>>>>  mode network-extension
>>>>>>>>>>>  peer 213.42.108.130
>>>>>>>>>>>  username hlgoman password us@hlom
>>>>>>>>>>>  xauth userid mode local
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> interface GigabitEthernet0/0
>>>>>>>>>>>  ip address 10.10.10.1 255.255.255.0
>>>>>>>>>>>  ip access-group 100 out
>>>>>>>>>>>  ip nat inside
>>>>>>>>>>>  ip virtual-reassembly
>>>>>>>>>>>  duplex auto
>>>>>>>>>>>  speed auto
>>>>>>>>>>>  crypto ipsec client ezvpn ASA inside
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> --More-- interface GigabitEthernet0/1
>>>>>>>>>>>  no ip address
>>>>>>>>>>>  duplex auto
>>>>>>>>>>>  speed auto
>>>>>>>>>>>  pppoe enable group global
>>>>>>>>>>>  pppoe-client dial-pool-number 1
>>>>>>>>>>>  no cdp enable
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> interface GigabitEthernet0/2
>>>>>>>>>>>  no ip address
>>>>>>>>>>>  shutdown
>>>>>>>>>>>  duplex auto
>>>>>>>>>>>  speed auto
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> interface Dialer0
>>>>>>>>>>>  no ip address
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> interface Dialer1
>>>>>>>>>>>  ip address negotiated
>>>>>>>>>>>  ip access-group 101 in
>>>>>>>>>>> --More-- ip mtu 1492
>>>>>>>>>>>  ip nat outside
>>>>>>>>>>>  ip virtual-reassembly
>>>>>>>>>>>  encapsulation ppp
>>>>>>>>>>>  ip tcp adjust-mss 1452
>>>>>>>>>>>  dialer pool 1
>>>>>>>>>>>  dialer-group 1
>>>>>>>>>>>  ppp authentication chap pap callin
>>>>>>>>>>>  ppp chap hostname hlgoman
>>>>>>>>>>>  ppp chap password 7 15160D1A503A797C2E
>>>>>>>>>>>  ppp pap sent-username hlgoman password 7 06020937185E5B410357
>>>>>>>>>>>  ppp ipcp dns request accept
>>>>>>>>>>>  ppp ipcp route default
>>>>>>>>>>>  ppp ipcp address accept
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> ip forward-protocol nd
>>>>>>>>>>> !
>>>>>>>>>>> no ip http server
>>>>>>>>>>> no ip http secure-server
>>>>>>>>>>> !
>>>>>>>>>>> ip nat inside source route-map nonat interface Dialer1 overload
>>>>>>>>>>> ip route 0.0.0.0 0.0.0.0 Dialer1
>>>>>>>>>>> --More-- ip route 172.23.1.0 255.255.255.0 10.10.10.2
>>>>>>>>>>> ip route 172.23.2.0 255.255.255.0 10.10.10.2
>>>>>>>>>>> !
>>>>>>>>>>> ip access-list extended VPN_ACCESS
>>>>>>>>>>>  deny ip 172.23.1.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>>>>>>>  deny ip 172.23.2.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>>>>>>>  deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>>>>>>>  permit ip 172.23.1.0 0.0.0.255 any
>>>>>>>>>>>  permit ip 172.23.2.0 0.0.0.255 any
>>>>>>>>>>>  permit ip 10.10.10.0 0.0.0.255 any
>>>>>>>>>>> !
>>>>>>>>>>> access-list 10 permit 172.23.2.0 0.0.0.255
>>>>>>>>>>> access-list 10 permit 172.23.1.0 0.0.0.255
>>>>>>>>>>> access-list 10 permit 10.10.10.0 0.0.0.255
>>>>>>>>>>> access-list 100 permit ip any any
>>>>>>>>>>> access-list 101 permit ip any any
>>>>>>>>>>> access-list 105 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>>>>>>> access-list 105 permit ip 172.23.1.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>>>>>>> access-list 105 permit ip 172.23.2.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>>>>>>> access-list 106 permit ip 172.23.1.0 0.0.0.255 any
>>>>>>>>>>> access-list 106 permit ip 172.23.2.0 0.0.0.255 any
>>>>>>>>>>> access-list 106 permit ip 10.10.10.0 0.0.0.255 any
>>>>>>>>>>> dialer-list 1 protocol ip permit
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> route-map EVPN permit 1
>>>>>>>>>>>  match ip address 105
>>>>>>>>>>> !
>>>>>>>>>>> route-map nonat permit 10
>>>>>>>>>>>  match ip address VPN_ACCESS
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> control-plane
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> !
>>>>>>>>>>> line con 0
>>>>>>>>>>> line aux 0
>>>>>>>>>>> line vty 0 4
>>>>>>>>>>>  password 7 07062C584F0A485744
>>>>>>>>>>>  login
>>>>>>>>>>> !
>>>>>>>>>>> scheduler allocate 20000 1000
>>>>>>>>>>> --More-- end
>>>>>>>>>>> Router#
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> For more information regarding industry leading CCIE Lab
>>>>>>>>>>> training, please visit www.ipexpert.com
>>>>>>>>>>>
>>>>>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>>>>>>> www.PlatinumPlacement.com <http://www.platinumplacement.com/>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
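Added example, not part of the original thread: a short Python model of the two ACLs posted above. It derives the split-tunnel list from the ASA ACL using only the source field (the behaviour Kings describes) and walks the router's `VPN_ACCESS` list first-match to show which flows the posted policy sends through the tunnel and which it translates out Dialer1. The sample host addresses and the function names are assumptions; the code models the posted configuration only, not what the router actually did.

```python
import ipaddress

# Both ACLs are copied from the configurations posted in the thread.
ASA_SPLIT_ACL = """\
access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0 255.255.0.0 172.23.1.0 255.255.255.0
access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0 255.255.0.0 172.23.2.0 255.255.255.0
access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0 255.255.0.0 10.10.10.0 255.255.255.0
"""
ROUTER_VPN_ACCESS = """\
deny ip 172.23.1.0 0.0.0.255 172.16.0.0 0.0.255.255
deny ip 172.23.2.0 0.0.0.255 172.16.0.0 0.0.255.255
deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
permit ip 172.23.1.0 0.0.0.255 any
permit ip 172.23.2.0 0.0.0.255 any
permit ip 10.10.10.0 0.0.0.255 any
"""

def split_tunnel_entries(acl_text):
    """One network per permit ACE, taken from the source field only.
    The destination (tokens 7-8) is dropped, as described in the thread."""
    entries = []
    for line in acl_text.splitlines():
        tok = line.split()
        if len(tok) == 9 and tok[3] == "permit":
            entries.append(ipaddress.ip_network(f"{tok[5]}/{tok[6]}"))
    return entries

def nat_applies(src, dst, acl_text):
    """First-match walk of the route-map ACL: permit = NAT, deny = no NAT."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_text.splitlines():
        tok = line.split()
        src_net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}")  # wildcard mask
        dst_net = ipaddress.ip_network(
            "0.0.0.0/0" if tok[4] == "any" else f"{tok[4]}/{tok[5]}")
        if s in src_net and d in dst_net:
            return tok[0] == "permit"
    return False  # implicit deny at the end of the ACL: not translated

def classify(src, dst):
    """Return (expected path, NAT applied) for one flow from the remote LAN."""
    nets = split_tunnel_entries(ASA_SPLIT_ACL)
    path = "tunnel" if any(ipaddress.ip_address(dst) in n for n in nets) else "direct"
    return path, nat_applies(src, dst, ROUTER_VPN_ACCESS)

if __name__ == "__main__":
    print(split_tunnel_entries(ASA_SPLIT_ACL))
    # Constructed sample hosts; 203.0.113.10 stands in for an Internet address.
    for flow in [("10.10.10.50", "172.16.1.95"), ("172.23.1.10", "203.0.113.10")]:
        print(flow, classify(*flow))
```

The three ACEs collapse to the same 172.16.0.0/16 entry, matching the three identical "Split Tunnel List" entries in the `sh crypto ipsec client ezvpn` output.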
