Yes, NAT is applied on the client side; please find the NAT config below. Let
me know if I am missing anything.

ip nat inside source route-map nonat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended VPN_ACCESS
 deny   ip 172.23.1.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny   ip 172.23.2.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny   ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 172.23.1.0 0.0.0.255 any
 permit ip 172.23.2.0 0.0.0.255 any
 permit ip 10.10.10.0 0.0.0.255 any
!
!
!
!
!
!
route-map nonat permit 10
 match ip address VPN_ACCESS
!

Regards,
Yusef Shereif


On Sun, Oct 23, 2011 at 10:13 AM, Kamran Shakil <[email protected]> wrote:

> I believe the remote end of the client (client side) has NAT, doesn't it?
>
> If it is NATed, did you try playing with the NAT ACLs?
>
> Kamran Shakil
>
> Mobile: 00 968 9808 4652
> Office: 00 968 2416 1111
> Web: http://www.linkedin.com/in/kamranshakil
>
> MidEast Data Systems LLC Oman
> "MDS OMAN" is a Part of The Midis Group
>
> Office Location/Address:
> Knowledge Oasis Muscat (KOM),
> Rusayl-KOM 4, 6th Floor,
> Office No. 0406Z1,
> PO BOX:198 , PC:112
> www.midisgroup.com
>
> This e-mail contains confidential information belonging to the issuing
> party and is intended solely for the addressees. The unauthorized disclosure,
> use, dissemination or copying (either whole or partial) of this e-mail, or
> any information it contains, is prohibited. E-mails are susceptible to
> alteration and their integrity cannot be guaranteed. The issuing party shall
> not be liable for this e-mail if modified or falsified.
>
>
> From: [email protected] [mailto:[email protected]] On Behalf Of yusef sheriff
> Sent: Sunday, October 23, 2011 9:24 AM
> To: Kingsley Charles
> Cc: OSL Security
> Subject: Re: [OSL | CCIE_Security] EZVPN Remote in IOS
>
>
> No, I am not able to ping the public IP address.
>
> Regards,
>
> yusef
>
> On Sat, Oct 22, 2011 at 2:48 PM, Kingsley Charles <
> [email protected]> wrote:
>
> When you say, you can't reach internet, what do you actually mean? Can't
> you ping any IP address on the Internet?
>
> With regards
> Kings
>
>
> On Sat, Oct 22, 2011 at 10:34 AM, yusef sheriff <[email protected]>
> wrote:
>
> Kings,
>
> Any luck? What could be the reason for the Internet going down after the VPN
> is established?
>
> On Tue, Oct 11, 2011 at 4:48 PM, yusef sheriff <[email protected]>
> wrote:
>
> Yes, the default route points to the dialer interface.
>
> Route information without the VPN (VPN DOWN):
>
>
> S*    0.0.0.0/0 [1/0] via 82.178.108.1
>                 is directly connected, Dialer1
>       10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
> C        10.10.10.0/24 is directly connected, GigabitEthernet0/0
> L        10.10.10.1/32 is directly connected, GigabitEthernet0/0
>       82.0.0.0/32 is subnetted, 2 subnets
> C        82.178.108.1 is directly connected, Dialer1
> C        82.178.111.131 is directly connected, Dialer1
>       172.23.0.0/24 is subnetted, 2 subnets
> S        172.23.1.0 [1/0] via 10.10.10.2
> S        172.23.2.0 [1/0] via 10.10.10.2
>
> Route information with the VPN UP:
>
> S*    0.0.0.0/0 [1/0] via 82.178.108.1
>                 is directly connected, Dialer1
>       10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
> C        10.10.10.0/24 is directly connected, GigabitEthernet0/0
> L        10.10.10.1/32 is directly connected, GigabitEthernet0/0
>       82.0.0.0/32 is subnetted, 2 subnets
> C        82.178.108.1 is directly connected, Dialer1
> C        82.178.111.131 is directly connected, Dialer1
>       172.23.0.0/24 is subnetted, 2 subnets
> S        172.23.1.0 [1/0] via 10.10.10.2
> S        172.23.2.0 [1/0] via 10.10.10.2
>
>
> On Tue, Oct 11, 2011 at 4:42 PM, Kingsley Charles <
> [email protected]> wrote:
>
> Interesting, did you check your routing table?
>
> With regards
> Kings
>
>
> On Tue, Oct 11, 2011 at 6:11 PM, yusef sheriff <[email protected]>
> wrote:
>
> Yes, only 172.16.0.0 is reachable.
>
>
> On Tue, Oct 11, 2011 at 4:37 PM, Kingsley Charles <
> [email protected]> wrote:
>
> With split tunneling, the destination entry of the ACL is ignored and
> hence you can see that split tunneling entries 1, 2 and 3 are the same. Just
> an info that has nothing to do with the Internet disconnectivity.
>
> Now, are destinations other than 172.16.0.0/16 not reachable for you?
>
> With regards
> Kings
>
>
> On Tue, Oct 11, 2011 at 5:18 PM, yusef sheriff <[email protected]>
> wrote:
>
> Please find the output below:
>
> Router#sh crypto ipsec client ezvpn
> Easy VPN Remote Phase: 8
>
> Tunnel name : ASA
> Inside interface list: GigabitEthernet0/0
> Outside interface: Dialer1
> Connect : ACL based with access-list 105
> Current State: IPSEC_ACTIVE
> Last Event: MTU_CHANGED
> DNS Primary: 172.16.1.95
> Default Domain: habtoorengg.co.ae
> Save Password: Allowed
> Split Tunnel List: 1
>        Address    : 172.16.0.0
>        Mask       : 255.255.0.0
>        Protocol   : 0x0
>        Source Port: 0
>        Dest Port  : 0
> Split Tunnel List: 2
>        Address    : 172.16.0.0
>        Mask       : 255.255.0.0
>        Protocol   : 0x0
>        Source Port: 0
>        Dest Port  : 0
> Split Tunnel List: 3
>        Address    : 172.16.0.0
>        Mask       : 255.255.0.0
>        Protocol   : 0x0
>        Source Port: 0
>        Dest Port  : 0
> Current EzVPN Peer: 213.42.108.130
>
> On Tue, Oct 11, 2011 at 2:28 PM, Kingsley Charles <
> [email protected]> wrote:
>
> Can you paste the "sh crypto ipsec client ezvpn" O/P.
>
> With regards
> Kings
>
> On Tue, Oct 11, 2011 at 3:15 PM, yusef sheriff <[email protected]>
> wrote:
>
> Yes, it's configured. ASA configuration:
>
>
> access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0
> 255.255.0.0 172.23.1.0 255.255.255.0
> access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0
> 255.255.0.0 172.23.2.0 255.255.255.0
> access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0
> 255.255.0.0 10.10.10.0 255.255.255.0
>
>
> group-policy aooman attributes
>  vpn-tunnel-protocol IPSec
>  password-storage enable
>  split-tunnel-policy tunnelspecified
>  split-tunnel-network-list value omanao-tunnel_splitTunnelAcl_1
>  default-domain value habtoorengg.co.ae
>  nem enable
>
>
> tunnel-group aooman type remote-access
> tunnel-group aooman general-attributes
>  default-group-policy aooman
> tunnel-group aooman ipsec-attributes
>  pre-shared-key *****
>
> Crypto maps are the standard configuration.
>
> On Tue, Oct 11, 2011 at 1:35 PM, Kingsley Charles <
> [email protected]> wrote:
>
> Have you configured split tunneling on the ASA?
>
> With regards
> Kings
>
> On Tue, Oct 11, 2011 at 12:45 PM, yusef sheriff <[email protected]>
> wrote:
>
> Hi All,
>
>
> I have configured an EZVPN server on the ASA and the remote client is an IOS
> router. The VPN is able to connect without any issue, but the remote clients
> are losing Internet connectivity: the NAT translation table becomes empty
> once I applied "crypto ipsec ezvpn ... outside" on the dialer interface.
> Below is the configuration of the router.
>
> PuTTY log 2011.10.11 11:07:53
> sh run
> Building configuration...
>
> Current configuration : 2999 bytes
> !
> ! Last configuration change at 07:03:00 UTC Tue Oct 11 2011
> !
> version 15.0
> service config
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
> !
> hostname Router
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> !
> !
> !
> !
> !
> !
> no ipv6 cef
> ip source-route
> ip cef
> !
> !
> !
> !
> !
>
> !
> !
> !
> redundancy
> !
> !
> !
> !
> !
> !
> crypto ipsec client ezvpn ASA
>  connect acl 105
>  group aooman key hlg2oma@vpn
>  mode network-extension
>  peer 213.42.108.130
>  username hlgoman password us@hlom
>  xauth userid mode local
> !
> !
> !
> !
> !
> interface GigabitEthernet0/0
>  ip address 10.10.10.1 255.255.255.0
>  ip access-group 100 out
>  ip nat inside
>  ip virtual-reassembly
>  duplex auto
>  speed auto
>  crypto ipsec client ezvpn ASA inside
>  !
> !
> interface GigabitEthernet0/1
>  no ip address
>  duplex auto
>  speed auto
>  pppoe enable group global
>  pppoe-client dial-pool-number 1
>  no cdp enable
>  !
> !
> interface GigabitEthernet0/2
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
>  !
> !
> interface Dialer0
>  no ip address
>  !
> !
> interface Dialer1
>  ip address negotiated
>  ip access-group 101 in
>  ip mtu 1492
>  ip nat outside
>  ip virtual-reassembly
>  encapsulation ppp
>  ip tcp adjust-mss 1452
>  dialer pool 1
>  dialer-group 1
>  ppp authentication chap pap callin
>  ppp chap hostname hlgoman
>  ppp chap password 7 15160D1A503A797C2E
>  ppp pap sent-username hlgoman password 7 06020937185E5B410357
>  ppp ipcp dns request accept
>  ppp ipcp route default
>  ppp ipcp address accept
>  !
> !
> ip forward-protocol nd
> !
> no ip http server
> no ip http secure-server
> !
> ip nat inside source route-map nonat interface Dialer1 overload
> ip route 0.0.0.0 0.0.0.0 Dialer1
> ip route 172.23.1.0 255.255.255.0 10.10.10.2
> ip route 172.23.2.0 255.255.255.0 10.10.10.2
> !
> ip access-list extended VPN_ACCESS
>  deny   ip 172.23.1.0 0.0.0.255 172.16.0.0 0.0.255.255
>  deny   ip 172.23.2.0 0.0.0.255 172.16.0.0 0.0.255.255
>  deny   ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
>  permit ip 172.23.1.0 0.0.0.255 any
>  permit ip 172.23.2.0 0.0.0.255 any
>  permit ip 10.10.10.0 0.0.0.255 any
> !
> access-list 10 permit 172.23.2.0 0.0.0.255
> access-list 10 permit 172.23.1.0 0.0.0.255
> access-list 10 permit 10.10.10.0 0.0.0.255
> access-list 100 permit ip any any
> access-list 101 permit ip any any
> access-list 105 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
> access-list 105 permit ip 172.23.1.0 0.0.0.255 172.16.0.0 0.0.255.255
> access-list 105 permit ip 172.23.2.0 0.0.0.255 172.16.0.0 0.0.255.255
> access-list 106 permit ip 172.23.1.0 0.0.0.255 any
> access-list 106 permit ip 172.23.2.0 0.0.0.255 any
> access-list 106 permit ip 10.10.10.0 0.0.0.255 any
> dialer-list 1 protocol ip permit
> !
> !
> !
> !
> route-map EVPN permit 1
>  match ip address 105
> !
> route-map nonat permit 10
>  match ip address VPN_ACCESS
> !
> !
> !
> control-plane
>  !
> !
> !
> line con 0
> line aux 0
> line vty 0 4
>  password 7 07062C584F0A485744
>  login
> !
> scheduler allocate 20000 1000
> end
>
> Router#
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>

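The check the thread keeps circling around, whether the NAT-exemption route-map on the IOS EzVPN remote agrees with the connect ACL and with the split-tunnel list the ASA pushes, as an added example that is not from any poster in the thread and is not Cisco code: a small Python model of first-match IOS ACL evaluation, fed the VPN_ACCESS, access-list 105 and 172.16.0.0/16 split-tunnel entries quoted above. The flow addresses, the NAT_WITHOUT_EXEMPTION contrast ACL and the verdict strings are assumptions of this example.

```python
"""Added example (not part of the thread, not a Cisco tool): replay the IOS
EzVPN remote's NAT-exemption ACL and connect ACL, plus the split-tunnel list
the ASA pushed, against a few constructed flows and flag disagreements.

On IOS, inside-to-outside NAT is applied before the crypto engine looks at a
packet leaving Dialer1, so any VPN-bound flow that the nonat route-map still
permits gets a public source address and never matches the tunnel.  The
reverse gap (a flow exempted from NAT but not tunnelled) leaves the box with
a private source and dies upstream.  All flow addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination prefixes."""
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wc(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn IOS 'address wildcard' notation into an IPv4Network."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


ANY = ipaddress.IPv4Network("0.0.0.0/0")
REMOTE = wc("172.16.0.0", "0.0.255.255")

# ip access-list extended VPN_ACCESS, referenced by route-map nonat (from the thread).
# A permit here means "translate"; the deny lines exempt VPN-bound traffic.
VPN_ACCESS: List[Ace] = [
    Ace("deny", wc("172.23.1.0", "0.0.0.255"), REMOTE),
    Ace("deny", wc("172.23.2.0", "0.0.0.255"), REMOTE),
    Ace("deny", wc("10.10.10.0", "0.0.0.255"), REMOTE),
    Ace("permit", wc("172.23.1.0", "0.0.0.255"), ANY),
    Ace("permit", wc("172.23.2.0", "0.0.0.255"), ANY),
    Ace("permit", wc("10.10.10.0", "0.0.0.255"), ANY),
]

# access-list 105, the EzVPN 'connect acl': the client's view of tunnel-bound traffic.
ACL_105: List[Ace] = [
    Ace("permit", wc("10.10.10.0", "0.0.0.255"), REMOTE),
    Ace("permit", wc("172.23.1.0", "0.0.0.255"), REMOTE),
    Ace("permit", wc("172.23.2.0", "0.0.0.255"), REMOTE),
]

# Split Tunnel List 1..3 from 'show crypto ipsec client ezvpn': all three are 172.16.0.0/16.
SPLIT_TUNNEL = [ipaddress.IPv4Network("172.16.0.0/16")] * 3

# Constructed misconfiguration for contrast (assumption, not from the thread):
# the common mistake of forgetting the deny lines, so VPN-bound traffic is still PATed.
NAT_WITHOUT_EXEMPTION: List[Ace] = [Ace("permit", wc("10.10.10.0", "0.0.0.255"), ANY)]


def acl_permits(acl: List[Ace], src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


def classify(src: str, dst: str, nat_acl=VPN_ACCESS, crypto_acl=ACL_105) -> str:
    """Say what happens to one flow leaving Dialer1 under the given ACLs."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    natted = acl_permits(nat_acl, s, d)
    crypto = acl_permits(crypto_acl, s, d)
    in_split = any(d in net for net in SPLIT_TUNNEL)
    if crypto and natted:
        return "CONFLICT: translated before encryption, never enters the tunnel"
    if crypto and not in_split:
        return "CONFLICT: connect ACL wider than the pushed split-tunnel list"
    if crypto:
        return "tunnel"
    if natted:
        return "internet via PAT on Dialer1"
    return "no NAT and no tunnel: leaves Dialer1 with a private source"


def audit(flows, nat_acl=VPN_ACCESS, crypto_acl=ACL_105) -> dict:
    """Classify every (src, dst) pair and return a {flow: verdict} map."""
    return {f"{s}->{d}": classify(s, d, nat_acl, crypto_acl) for s, d in flows}


if __name__ == "__main__":
    sample = [  # constructed flows
        ("10.10.10.5", "172.16.1.95"),      # LAN host to the DNS server the ASA pushed
        ("172.23.1.20", "172.16.20.4"),     # downstream subnet to the remote site
        ("10.10.10.5", "198.51.100.10"),    # LAN host to the Internet (TEST-NET-2)
        ("192.168.50.7", "198.51.100.10"),  # subnet absent from every ACL
    ]
    for flow, verdict in audit(sample).items():
        print(f"{flow:32} {verdict}")
    print("without exemption:", classify("10.10.10.5", "172.16.1.95", nat_acl=NAT_WITHOUT_EXEMPTION))
```

Run it as-is to see the verdicts for the ACLs exactly as posted; swap in your own NAT ACL, connect ACL and split list to audit a different remote. The model only covers the NAT-versus-crypto ordering and the split-tunnel scope; it says nothing about what the EzVPN client itself does to the NAT table once the tunnel is up, which is the part of the thread that stays unresolved.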