Help Required on IPSEC VPN

By shazinali
Dear All,
I have got a site-to-site IPsec VPN between an 1841 router and an ASA 5505. The VPN tunnel comes up fine and we are able to send traffic between the two sites with no issues.

I have got an issue where the remote site is not able to access the internet through the same link. I have got NAT translations happening for all the non-VPN traffic, working fine, but the LAN IPs are not able to reach the internet.

I have attached the config below.

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
service sequence-numbers
!
hostname Remote_Rtr
!
boot-start-marker
boot system flash:c1841-advipservicesk9-mz.124-25c.bin
boot-end-marker
!
logging buffered 20000 informational
enable secret 5 $1$HpVE$9XOH8U2n2qkqiWnGZCIci1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
!
aaa session-id common
clock timezone STT 2
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.70.1.1
ip dhcp excluded-address 10.70.1.254
!
ip dhcp pool Libya_Lan
network 10.70.1.0 255.255.255.0
default-router 10.70.1.1
option 150 ip 172.20.18.2 172.20.18.3
dns-server 208.67.222.222 208.67.220.220
!
!
no ip domain lookup
ip domain name UBI.NET
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
username ahli secret 5 $1$BIRe$VksVXryB7ficNdLED9Kyi.
!
!
ip tcp synwait-time 10
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Ea98Vvj95kqrwy#879vYq%UTbe#pBZ&m2UBCI address X.X.X.X

!
!
crypto ipsec transform-set UBI-AUB esp-3des esp-md5-hmac
!
crypto map pix 10 ipsec-isakmp
set peer X.X.X.X
set transform-set UBI-AUB
match address UBI_AUB_ACL
!
!
!
!
interface FastEthernet0/0
description connected to LTT Router
ip address X.X.X.X 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map pix
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/0/0
spanning-tree portfast
!
interface FastEthernet0/0/1
spanning-tree portfast
!
interface FastEthernet0/0/2
spanning-tree portfast
!
interface FastEthernet0/0/3
spanning-tree portfast
!
interface Vlan1
ip address 10.70.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 X.X.X.X (fast eth 0/0)
!
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
ip access-list extended UBI_AUB_ACL
permit ip 10.70.1.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 10.70.1.0 0.0.0.255 172.20.0.0 0.0.255.255
permit ip 10.70.1.0 0.0.0.255 172.21.0.0 0.0.255.255
permit ip 10.70.1.0 0.0.0.255 10.16.0.0 0.0.255.255
permit ip 10.70.1.0 0.0.0.255 10.32.0.0 0.0.255.255
permit ip host 10.70.0.2 host 10.70.0.1
permit ip 10.70.1.0 0.0.0.255 172.25.0.0 0.0.255.255
!
access-list 16 remark ACL to restrict SNMP access to Switch
access-list 16 permit 192.168.202.192 0.0.0.63
access-list 16 permit 172.20.13.0 0.0.0.255
access-list 16 permit 10.70.1.0 0.0.0.255
access-list 16 deny any log
access-list 50 remark ACL to permit router NTP Queries
access-list 50 permit 192.168.241.55
access-list 50 permit 192.168.241.54
access-list 110 deny ip 10.70.1.0 0.0.0.255 10.16.0.0 0.0.255.255
access-list 110 deny ip 10.70.1.0 0.0.0.255 10.32.0.0 0.0.255.255
access-list 110 deny ip 10.70.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 deny ip 10.70.1.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 110 deny ip 10.70.1.0 0.0.0.255 172.21.0.0 0.0.255.255
access-list 110 deny ip 10.70.1.0 0.0.0.255 172.25.0.0 0.0.255.255
access-list 110 permit ip 10.70.1.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 110
!
!
!
control-plane
!
!
!
line con 0
session-timeout 20 output
exec-timeout 20 0
logging synchronous
line aux 0
exec-timeout 0 10
no exec
line vty 0 4
session-timeout 20 output
access-class 23 in
exec-timeout 20 0
transport input ssh
line vty 5 10
access-class 23 in
exec-timeout 20 0
transport input ssh
line vty 11 15
session-timeout 20 output
access-class 23 in
exec-timeout 20 0
transport input ssh

Any help would be appreciated
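Added example, not from the original post or from either vendor's documentation: a small Python evaluator for the two access lists in the posted 1841 config, the crypto ACL UBI_AUB_ACL and the route-map ACL 110. On the IOS inside-to-outside path NAT is applied before the crypto map, so a flow that ACL 110 permits is translated to the FastEthernet0/0 address and can never match the crypto ACL; that ordering is why the route-map exemption exists. Running the check over this config shows that every tunnel destination in UBI_AUB_ACL is denied translation by ACL 110, while 10.70.1.0/24 to a public address is translated as intended, so the NAT exemption itself is not what blocks the internet path. The function names and the sample flows are mine; the IOS semantics assumed are first-match ACL evaluation with an implicit deny, contiguous wildcard masks, and NAT before encryption.

```python
"""Added example, not from the original post: evaluates the question's two
access lists (crypto ACL UBI_AUB_ACL and route-map ACL 110) to show how the
1841 treats an inside->outside flow. IOS applies NAT before the crypto map, so
a flow ACL 110 permits is translated and can never match the crypto ACL."""
import ipaddress
import re

# ACL lines copied verbatim from the config posted in the question.
CONFIG = """\
ip access-list extended UBI_AUB_ACL
permit ip 10.70.1.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 10.70.1.0 0.0.0.255 172.20.0.0 0.0.255.255
permit ip 10.70.1.0 0.0.0.255 172.21.0.0 0.0.255.255
permit ip 10.70.1.0 0.0.0.255 10.16.0.0 0.0.255.255
permit ip 10.70.1.0 0.0.0.255 10.32.0.0 0.0.255.255
permit ip host 10.70.0.2 host 10.70.0.1
permit ip 10.70.1.0 0.0.0.255 172.25.0.0 0.0.255.255
!
access-list 110 deny ip 10.70.1.0 0.0.0.255 10.16.0.0 0.0.255.255
access-list 110 deny ip 10.70.1.0 0.0.0.255 10.32.0.0 0.0.255.255
access-list 110 deny ip 10.70.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 deny ip 10.70.1.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 110 deny ip 10.70.1.0 0.0.0.255 172.21.0.0 0.0.255.255
access-list 110 deny ip 10.70.1.0 0.0.0.255 172.25.0.0 0.0.255.255
access-list 110 permit ip 10.70.1.0 0.0.0.255 any
"""

NAMED_RE = re.compile(r"^\s*ip access-list extended (\S+)\s*$")
NUMBERED_RE = re.compile(r"^\s*access-list (\S+) (permit|deny) ip (.+)$")
ENTRY_RE = re.compile(r"^\s*(permit|deny) ip (.+)$")

def _wildcard_to_prefix(wildcard):
    """IOS wildcard mask (0 bits must match) -> prefix length; contiguous masks only."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return 32 - bits.bit_length()

def _parse_spec(tokens):
    """Consume one 'any' / 'host A' / 'A WILDCARD' address spec; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    prefix = _wildcard_to_prefix(tokens[1])
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]

def parse_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in configuration order."""
    acls, current = {}, None
    for line in config.splitlines():
        m = NAMED_RE.match(line)
        if m:                               # start of a named extended ACL
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        m = NUMBERED_RE.match(line)
        if m:                               # classic 'access-list N ...' line
            name, action, rest = m.groups()
        else:
            m = ENTRY_RE.match(line) if current else None
            if not m:                       # remarks, standard ACLs, '!' separators
                current = None if line.strip() == "!" else current
                continue
            name, (action, rest) = current, m.groups()
        src, rest = _parse_spec(rest.split())
        dst, _ = _parse_spec(rest)
        acls.setdefault(name, []).append((action, src, dst))
    return acls

def evaluate(entries, src, dst):
    """First-match ACL lookup, with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in entries:
        if s in snet and d in dnet:
            return action
    return "deny"

def classify(acls, src, dst):
    """Fate of an inside->outside flow: NAT decision first, then the crypto map."""
    if evaluate(acls["110"], src, dst) == "permit":
        return "nat-to-internet"        # translated, so the crypto ACL cannot match
    if evaluate(acls["UBI_AUB_ACL"], src, dst) == "permit":
        return "ipsec-tunnel"           # NAT-exempt and encrypted to the ASA
    return "routed-untranslated"        # forwarded with its private source address

def _sample(net):
    """A representative address inside a network (the host itself for /31, /32)."""
    return str(net.network_address if net.prefixlen >= 31 else net.network_address + 1)

def unexempted_crypto_entries(acls):
    """Crypto-ACL permits that ACL 110 would still translate, i.e. tunnels that never match."""
    return [(str(src), str(dst)) for action, src, dst in acls["UBI_AUB_ACL"]
            if action == "permit"
            and evaluate(acls["110"], _sample(src), _sample(dst)) == "permit"]

ACLS = parse_acls(CONFIG)
```

Calling classify(ACLS, "10.70.1.50", "8.8.8.8") returns "nat-to-internet" and classify(ACLS, "10.70.1.50", "172.20.18.2") returns "ipsec-tunnel"; unexempted_crypto_entries(ACLS) returns an empty list for this config. A non-empty result would point at a tunnel subnet whose traffic silently leaves translated and unencrypted, which is the failure mode the deny lines in ACL 110 are there to prevent.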

All Answers

Virtual Private Networks step by step....

Have you tried

by NetMan1958 In reply to Help Required on IPSEC VP ...

running a traceroute from the router itself to an IP on the internet to see how far it gets? If the traceroute from the router is successful, then try a tracert from a computer on the LAN. Post back with the results.

what router config are we looking at?

by CG IT In reply to Help Required on IPSEC VP ...

The 1800 or the ASA? And which does what?

Remote clients should be provided a LAN address as well as the gateway and DNS servers needed to reach the internet from the interface that provides internet access. Internet access is provided by the remote network, not the local network.
