I'm trying to set up a Cisco 871 router with a VPN back to the central office. I can connect and disconnect the VPN tunnel, ping the central office from the router, check the crypto and see traffic stats, and can even telnet into switches at the central office. My problem is, none of the other workstations attached to the router can access the central office. Furthermore, when the tunnel is up, internet access is gone from the workstations although I have split-tunneling enabled on the Pix 515E.
I think it is a NATing issue with the encrypted traffic to the tunnel.
Any help is greatly appreciated.
Central Office: Pix 515E, network IP Address 192.168.0.0
Remote Cisco 871 router, vlan ip address: 10.10.10.0
I have included my "scrubbed" config for your review.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_Name
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3845384769
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3845384769
revocation-check none
rsakeypair TP-self-signed-3845384769
!
!
crypto pki certificate chain TP-self-signed-3845384769
(Security coding was here)
quit
dot11 syslog
no ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
domain-name My_Domain
dns-server 66.76.227.40
lease 0 2
!
!
ip domain name My_Domain
!
multilink bundle-name authenticated
!
!
username MY_Name privilege 15 secret 5 My_Password
!
!
!
!
!
!
crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1
connect manual
group My_Group key My_Key
mode client
peer My_Public_IP_Address
virtual-interface 1
xauth userid mode interactive
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$ETH-WAN$
ip address dhcp client-id FastEthernet4
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1
!
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
!
interface Vlan1
ip address 10.10.10.1 255.0.0.0
ip nat inside
ip virtual-reassembly
crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1 inside
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 150 interface FastEthernet4 overload
!
access-list 150 deny ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 10.10.10.0 0.0.0.255 any
!
!
!
route-map nonat permit 10
match ip address 150
!
!
control-plane
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end
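The poster suspects NAT is being applied to the tunnel-bound traffic. In the posted config the translation rule is `ip nat inside source list 150 interface FastEthernet4 overload`, and ACL 150 is evaluated first-match: a `permit` hit means the packet is PAT'd, a `deny` hit (or no hit at all, the implicit deny) means it leaves untranslated. Note that the `route-map nonat` in the config is defined but not referenced by any `ip nat` statement, so only the list-based rule is in play. The script below is an added example, not part of the original post or any Cisco tool: it parses those three lines (embedded as a constructed sample) and reports, for a few constructed flows, whether the 871's NAT rule would translate them. The flow addresses and the `nat_report` helper are my own choices.

```python
"""Simulate how a Cisco IOS NAT-control ACL decides which flows get translated.

Added example (not part of the original post). It parses the
`ip nat inside source list N interface X overload` statement and the
`access-list N permit|deny ip SRC DST` entries from an IOS config fragment,
then evaluates a flow first-match, the way IOS does: a matching `permit`
means the packet is translated, a matching `deny` (or no match at all,
the implicit deny) means it leaves untranslated.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the NAT-related lines from the posted 871 config.
SAMPLE_CONFIG = """
ip nat inside source list 150 interface FastEthernet4 overload
access-list 150 deny ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 10.10.10.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 150
"""

# An address spec is ("any", 0, 0) or ("net", address_int, wildcard_int).
AddrSpec = Tuple[str, int, int]


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: AddrSpec
    dst: AddrSpec


ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+ip\s+(.+)$")
NAT_RE = re.compile(r"^ip nat inside source list\s+(\S+)\s+interface\s+(\S+)(\s+overload)?$")


def _ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("any", 0, 0), i + 1
    if tokens[i] == "host":
        return ("net", _ip_int(tokens[i + 1]), 0), i + 2
    # IOS wildcard mask: a 1 bit means "don't care". It is kept verbatim rather
    # than converted to a prefix length, because non-contiguous wildcards are legal.
    return ("net", _ip_int(tokens[i]), _ip_int(tokens[i + 1])), i + 2


def _matches(spec: AddrSpec, ip: int) -> bool:
    kind, addr, wild = spec
    if kind == "any":
        return True
    care = 0xFFFFFFFF ^ wild
    return (ip & care) == (addr & care)


def parse_config(text: str) -> Tuple[Dict[str, List[AclEntry]], Optional[dict]]:
    """Return ({acl_number: [entries in config order]}, nat_statement_or_None)."""
    acls: Dict[str, List[AclEntry]] = {}
    nat = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            number, action, rest = m.groups()
            tokens = rest.split()
            src, i = _parse_addr(tokens, 0)
            dst, _ = _parse_addr(tokens, i)
            acls.setdefault(number, []).append(AclEntry(action, src, dst))
            continue
        m = NAT_RE.match(line)
        if m:
            nat = {"list": m.group(1), "interface": m.group(2), "overload": m.group(3) is not None}
    return acls, nat


def is_translated(text: str, src_ip: str, dst_ip: str) -> bool:
    """True if a packet src_ip -> dst_ip entering an 'ip nat inside' interface would be PAT'd."""
    acls, nat = parse_config(text)
    if nat is None:
        return False  # no NAT statement at all: nothing is translated
    src, dst = _ip_int(src_ip), _ip_int(dst_ip)
    for entry in acls.get(nat["list"], []):
        if _matches(entry.src, src) and _matches(entry.dst, dst):
            return entry.action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def nat_report(text: str, flows: List[Tuple[str, str]]) -> Dict[Tuple[str, str], str]:
    """Label each (src, dst) flow 'translated' or 'exempt' for quick review."""
    return {f: ("translated" if is_translated(text, *f) else "exempt") for f in flows}


if __name__ == "__main__":
    flows = [("10.10.10.50", "192.168.0.10"),  # workstation -> central office
             ("10.10.10.50", "203.0.113.7"),   # workstation -> internet
             ("10.10.10.50", "192.168.77.1")]  # 0.0.255.255 wildcard covers all of 192.168/16
    for flow, verdict in nat_report(SAMPLE_CONFIG, flows).items():
        print(f"{flow[0]} -> {flow[1]}: {verdict}")
```

Run against the posted lines, the report shows workstation traffic to 192.168.0.0/16 as exempt and traffic to the internet as translated, so the `ip nat inside source` rule itself is not what rewrites the tunnel-bound packets. The script models only that rule: an Easy VPN remote in `mode client` additionally performs its own PAT of inside hosts to the address the server assigns inside the tunnel, which is governed by the EzVPN mode and the server's policy rather than by ACL 150, and is worth checking separately when the central office sees only the router's address.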