03-15-2007 09:09 PM
I have attached a PDF of my basic setup as well as a copy of my config file (2611.txt) on my 2611. The VPN client connects, but no traffic passes through the tunnel. As the end result, I want to be able to have the VPN client get an IP address from the same network (192.168.1.x) as the internal DHCP NAT clients, I want the VPN client to be able to talk to the hosts/servers on the 192.168.1.x network as well as access the internet through my 2611 router (rather than the local gateway). I realize it must be an ACL issue, but I'm having a brain-fart on how to set it up. (the 100 ACL will obviously be changed before I connect the router to my ISP). eth 0/0 is internet eth 0/1 is 192.168.1.x .
Thanks for any help and ideas.
03-16-2007 02:21 AM
Hi,
First of all, the VPN client pool range should not be the same as the internal hosts' subnet range. That is highly not recommended.
Suppose you choose the client pool as 192.168.2.0/24. For the clients' internet traffic to go through the router, and for the clients to access the 192.168.1.0/24 subnet, the following changes need to be made in your config.
1: Create two ACLs
access-list 121 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
and
access-list 122 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.2.0 0.0.0.255 any
2: Create two loopback interfaces:
int loopback 1
ip address 1.1.1.1 255.255.255.0
exit
int loopback 2
ip address 2.2.2.1 255.255.255.0
ip nat inside
exit
3: Create two route-maps:
route-map polnat permit 10
match ip address 121
set ip next-hop 1.1.1.2
exit
route-map polnat2 permit 10
match ip address 122
set ip next-hop 2.2.2.2
exit
4: Apply the policies on the LAN and WAN interfaces:
On LAN intf :
interface Ethernet0/1
no ip access-group 101 in
ip policy route-map polnat
exit
On WAN intf :
interface Ethernet0/0
ip policy route-map polnat2
exit
**************************************************************
Complicated though....but that should do it !!
*Please rate if helped.
-Kanishka
03-16-2007 07:27 AM
That works, almost. I can now access the 192.168.1.0/24 hosts through the VPN, however still no internet access through the VPN.
03-16-2007 08:17 AM
Please post the updated running config.
-Kanishka
03-16-2007 11:34 AM
03-16-2007 01:40 PM
Hi,
You also have to add this statement :
access-list 1 permit 192.168.5.0 0.0.0.255
That should do it !
*Please rate if helped.
-Kanishka
05-23-2007 08:56 AM
Hello -
I've tried these instructions on my 515e 6.3.3 using the command line interface in the PDM, and a lot of the commands return errors.
I will definitely rate if you can help.
My inside network is 192.168.0.0 and the vpnPool is 192.168.1.0. I can make a connection when I set up using the VPN wizard, but I cannot figure out the nat configuration required to allow my VPN clients to see and be seen by the inside pool.
Can you tell me what's missing?
05-23-2007 09:04 AM
Your nat exemption should look something like this...
access-list nat0 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nat0
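The two answers above rely on the same thing: first-match evaluation of an access-list, with the IOS route-maps (access-lists 121 and 122, wildcard masks) deciding which traffic gets a policy next-hop, and the PIX nat0 access-list (real subnet masks) deciding which traffic is exempt from NAT. The following script is an added example, not part of any post in this thread and not Cisco code; it models that evaluation so you can check which packets Kanishka's route-maps would redirect and which the nat0 exemption would match. The interface-to-route-map table, the sample addresses and the function names are constructed for the illustration; it supports only `ip` entries with `any`, `host` or address/mask operands.

```python
"""Model Cisco-style ACL matching (IOS wildcard masks and PIX subnet masks)
and route-map policy routing, using the entries posted in this thread."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FULL = 0xFFFFFFFF


def ip_int(addr: str) -> int:
    """Dotted-quad IPv4 address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Ace:
    """One access-list entry. Masks are stored as wildcard bits (1 = don't care)."""
    action: str
    src: int
    src_wc: int
    dst: int
    dst_wc: int

    def matches(self, src: int, dst: int) -> bool:
        care_s = ~self.src_wc & FULL
        care_d = ~self.dst_wc & FULL
        return (src & care_s) == (self.src & care_s) and (dst & care_d) == (self.dst & care_d)


def _parse_addr(tokens: List[str], i: int, style: str) -> Tuple[int, int, int]:
    """Parse 'any', 'host A' or 'A MASK' starting at tokens[i]; return (addr, wildcard, next index)."""
    tok = tokens[i]
    if tok == "any":
        return 0, FULL, i + 1
    if tok == "host":
        return ip_int(tokens[i + 1]), 0, i + 2
    addr, mask = ip_int(tok), ip_int(tokens[i + 1])
    # IOS access-lists carry a wildcard mask; PIX/ASA access-lists carry a real subnet mask.
    wc = mask if style == "wildcard" else (~mask) & FULL
    return addr, wc, i + 2


def parse_acl(lines: List[str], style: str = "wildcard") -> Dict[str, List[Ace]]:
    """Group 'access-list NAME permit|deny ip SRC DST' lines by access-list name."""
    acls: Dict[str, List[Ace]] = {}
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported access-list line: {line!r}")
        name, action = t[1], t[2]
        src, src_wc, i = _parse_addr(t, 4, style)
        dst, dst_wc, _ = _parse_addr(t, i, style)
        acls.setdefault(name, []).append(Ace(action, src, src_wc, dst, dst_wc))
    return acls


def acl_permits(aces: List[Ace], src: str, dst: str) -> bool:
    """First matching entry wins; every access-list ends with an implicit deny."""
    s, d = ip_int(src), ip_int(dst)
    for ace in aces:
        if ace.matches(s, d):
            return ace.action == "permit"
    return False


# Access-lists from Kanishka's IOS answer (wildcard masks).
IOS_ACLS = parse_acl([
    "access-list 121 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 122 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 122 permit ip 192.168.2.0 0.0.0.255 any",
])

# Constructed table of the posted route-maps: ingress interface -> (match ACL, next-hop).
POLICY: Dict[str, Tuple[str, str]] = {
    "Ethernet0/1": ("121", "1.1.1.2"),  # route-map polnat on the LAN interface
    "Ethernet0/0": ("122", "2.2.2.2"),  # route-map polnat2 on the WAN interface
}


def policy_next_hop(ingress: str, src: str, dst: str) -> Optional[str]:
    """Next-hop set by the route-map on the ingress interface, or None for normal routing."""
    acl_name, next_hop = POLICY[ingress]
    return next_hop if acl_permits(IOS_ACLS[acl_name], src, dst) else None


# nat0 exemption from the PIX answer (real subnet masks).
PIX_NAT0 = parse_acl(
    ["access-list nat0 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0"],
    style="netmask",
)


def nat_exempt(src: str, dst: str) -> bool:
    """True when inside->VPN-pool traffic bypasses NAT under 'nat (inside) 0 access-list nat0'."""
    return acl_permits(PIX_NAT0["nat0"], src, dst)


if __name__ == "__main__":
    # Sample flows (constructed): LAN host 192.168.1.10, VPN client 192.168.2.5, public 8.8.8.8.
    print(policy_next_hop("Ethernet0/1", "192.168.1.10", "192.168.2.5"))  # 1.1.1.2
    print(policy_next_hop("Ethernet0/0", "192.168.2.5", "192.168.1.10"))  # None (deny entry first)
    print(policy_next_hop("Ethernet0/0", "192.168.2.5", "8.8.8.8"))       # 2.2.2.2 (NAT inside loopback)
    print(nat_exempt("192.168.0.10", "192.168.1.20"))                     # True
```

The order of the two entries in access-list 122 is the point worth noticing: the `deny` for VPN-to-LAN traffic comes first, so that traffic is left to normal routing, while everything else from the pool is policy-routed to the NAT-inside loopback. Swapping the two lines would policy-route LAN-bound traffic as well. The nat0 check is directional in the same way, which is why the exemption is written from the inside subnet toward the pool.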