Can't get VPN to work - firewall issue?

Feb 24th, 2007

Hi, I'm trying to configure an 837k9 as a dial-in VPN device. The clients can connect successfully and ping devices on the LAN (192.168.1.x). However, they can't do anything else, such as browse shared files on the server and connect to network drives. Can anyone tell me where I'm going wrong? I also can't telnet to ports 25 or 110 on the server. The server is on 192.168.1.2.

Any help is greatly appreciated. If you need more info please let me know. I have attached the config.

-A

alunemanuel Sat, 02/24/2007 - 04:56

Don't worry, I've solved this. I needed to exclude LAN-to-LAN traffic from NAT. Removing access lists 101 and 102 and adding the below fixed it:

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any

kaachary Sat, 02/24/2007 - 05:16

Hi,

The static NAT on IOS takes precedence over all other NAT statements, unlike PIX.

So, in order to exempt the VPN traffic from static NAT, you have to use PBR (Policy Based Routing), as this is the only way to get this to work.

Follow these steps:

1: Create a loopback interface:

    int loopback 1
    ip address 1.1.1.1 255.255.255.0
    exit

2: Create an ACL to identify the tunnel traffic:

    access-list 122 permit ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255

3: Create a route map for policy routing:

    route-map policy permit 10
    match ip address 122
    set interface loopback 1
    exit

4: Apply the route map to the LAN interface:

    interface Ethernet0
    ip policy route-map policy
    exit

That should do it!!

*You cannot do it with the "ip nat inside source list ..." command because static NAT takes precedence over this statement.

Let me know if you have some questions regarding this.

HTH

-Kanishka
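The two replies above both hinge on how IOS evaluates a numbered extended ACL against a LAN-to-VPN flow: in the first reply the "deny" line at the top of NAT ACL 102 is what exempts tunnel traffic from translation (a deny in a NAT ACL means "don't translate", not "drop"), and in the second reply ACL 122 selects the same traffic for the route-map. The following Python model is an added example written for this page, not code from either poster or from Cisco. It parses the ACL lines quoted in the thread, applies Cisco wildcard-mask matching with first-match-wins and the implicit trailing deny, and reports for a few constructed flows whether dynamic NAT would translate them and whether the route-map would divert them. It also runs the check a practitioner wants here: flows that the crypto ACL selects for the tunnel but that NAT would still rewrite. ACL 101 is assumed to be the crypto-map match ACL (the thread never says so), and the "before the fix" NAT ACL is constructed for contrast because the original config attached to the question is not on this page. The model covers ACL evaluation only; it does not model static NAT or the order of NAT and crypto processing inside IOS.

```python
"""Model of how IOS evaluates the ACLs quoted in this thread (added example)."""
import ipaddress
from dataclasses import dataclass

# ACL lines copied from the two replies. ACL 101 is assumed to be the crypto-map
# match ACL (the thread does not state this); 102 is the NAT ACL from the first
# reply; 122 is the PBR match ACL from the second reply.
ACL_CONFIG = """
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 122 permit ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
"""

# Constructed "before the fix" NAT ACL for contrast (the poster's original config
# is not on the page): with no deny line, everything leaving the LAN is translated.
BROKEN_NAT_CONFIG = "access-list 102 permit ip 192.168.1.0 0.0.0.255 any\n"

# Constructed sample flows: the LAN server to a VPN client in the 192.168.101.0/24
# pool, and the LAN server to an Internet host.
FLOWS = [
    ("192.168.1.2", "192.168.101.5"),
    ("192.168.1.2", "198.51.100.10"),
]


@dataclass(frozen=True)
class Ace:
    action: str     # "permit" or "deny"
    src: int        # source base address as an integer
    src_wild: int   # Cisco wildcard mask: a set bit means "don't care"
    dst: int
    dst_wild: int


def _addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wild), i + 2


def parse_acls(config: str) -> dict[int, list[Ace]]:
    """Group 'access-list N permit|deny ip SRC DST' lines by ACL number, in order."""
    acls: dict[int, list[Ace]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # only plain 'ip' entries of extended numbered ACLs are modelled
        (src, sw), i = _addr(t, 4)
        (dst, dw), _ = _addr(t, i)
        acls.setdefault(int(t[1]), []).append(Ace(t[2], src, sw, dst, dw))
    return acls


def _wild_match(addr: int, base: int, wild: int) -> bool:
    # Bits set in the wildcard are ignored; the remaining bits must equal the base.
    return (addr | wild) == (base | wild)


def acl_action(aces: list[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if _wild_match(s, ace.src, ace.src_wild) and _wild_match(d, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


def nat_translates(acls, src, dst) -> bool:
    """'ip nat inside source list 102 ...' translates only what ACL 102 permits,
    so the deny line in the fixed ACL 102 is what exempts LAN-to-VPN traffic."""
    return acl_action(acls[102], src, dst) == "permit"


def policy_routed(acls, src, dst) -> bool:
    """'match ip address 122' in the route-map sends permitted flows to Loopback1."""
    return acl_action(acls[122], src, dst) == "permit"


def nat_vs_crypto_conflicts(acls, flows):
    """Flows the (assumed) crypto ACL 101 selects for the tunnel but that dynamic NAT
    would still translate: the symptom of a NAT ACL missing its exemption line."""
    return [f for f in flows
            if acl_action(acls[101], *f) == "permit" and nat_translates(acls, *f)]


def acls_before_fix():
    """The thread's ACLs with ACL 102 swapped for the constructed no-exemption version."""
    acls = parse_acls(ACL_CONFIG)
    acls[102] = parse_acls(BROKEN_NAT_CONFIG)[102]
    return acls


if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    for src, dst in FLOWS:
        nat = "translated" if nat_translates(acls, src, dst) else "exempt"
        pbr = "Loopback1" if policy_routed(acls, src, dst) else "normal routing"
        print(f"{src} -> {dst}: NAT {nat}, PBR {pbr}")
    print("conflicts after fix: ", nat_vs_crypto_conflicts(acls, FLOWS))
    print("conflicts before fix:", nat_vs_crypto_conflicts(acls_before_fix(), FLOWS))
```

Run it directly to see the per-flow table. The conflict list is the useful part: with the fixed ACL 102 it is empty, while the constructed no-exemption ACL reports the LAN-to-VPN flow, which is exactly the traffic that reaches the clients with a translated source address and so fails for everything beyond ping. When auditing a real box, compare the crypto ACL and the NAT ACL's deny lines the same way rather than by eye.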
