VPN NAT

Unanswered Question
Jun 7th, 2008

Hi all,

I have configured a Cisco 877 as a VPN server.

The remote host can connect to the VPN, but cannot access the LAN.

If my virtual tunnel interface is the BVI interface, is the VPN tunnel exiting onto the LAN?

If that's the case, I should be able to ping hosts on the LAN, correct?

Or do I need to NAT the VPN pool to VLAN 1 on the inside?

Hope that makes sense.

Thanks in advance for any help.



Paolo Bevilacqua Sat, 06/07/2008 - 05:28

Hi, I think you should send your current config after removing public IPs and passwords.

richard.gosling Sat, 06/07/2008 - 06:08

no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool1
 import all
 network 10.10.10.0 255.255.255.0
 dns-server ************************8
 default-router 10.10.10.1
!
ip name-server ************
ip name-server **********
ip ssh time-out 60
ip ssh authentication-retries 2
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group SolentVPN
 key ************
 pool SDM_POOL_1
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
 match identity group SolentVPN
 client authentication list sdm_vpn_xauth_ml_1
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
bridge irb
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 description $FW_INSIDE$
 ip unnumbered BVI1
 ip access-group 101 in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 40bit 7 ********* transmit-key
 encryption mode wep mandatory
 !
 ssid SolentSound
  authentication open
  guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address ********************
 ip access-group 101 in
 no ip redirects
!
ip local pool SDM_POOL_1 192.168.0.1 192.168.0.50
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool VPN 192.168.0.1 192.168.0.50 netmask 255.255.255.0
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended VPN
 remark VPN
 remark SDM_ACL Category=2
 permit ip any any
!


Paolo Bevilacqua Sat, 06/07/2008 - 06:46

Hi,

try:

no interface atm0.1

interface atm0
 default ip redirects
 default ip unreachables
 default ip proxy-arp
 default ip route-cache
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1

interface Vlan1
 ip tcp adjust-mss 1452

interface BVI 1
 ! mask added to the posted line (IOS requires one); /24 matches the sdm-pool1 network
 ip address 10.10.10.1 255.255.255.0
 ip nat inside

interface dialer0
 ip nat outside

access-list 1 permit 10.10.10.0 0.0.0.255


The objective is to simplify the configuration by removing unneeded commands, and to get the inside PCs working on the internet first.

For the PC connected via VPN, you need to decide if you want split-tunnel for it (usually that is the case).

Then you can configure DDNS on the router so the VPN client always knows, by DNS, which address it must connect to.





richard.gosling Sat, 06/07/2008 - 07:25

Think you are missing the point. I have 20 PCs and a server, all happily talking to the internet.

I have a problem with a VPN tunnel that cannot see the LAN on the router.

Paolo Bevilacqua Sat, 06/07/2008 - 09:56

The commands mentioned are to simplify the configuration; besides, the config you posted is missing the BVI and complete ACLs, so I put them in anyway.


Now for the tunnel problem, I think it's missing RRI (set reverse-route under ipsec profile), see:


http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_rev_rte_inject.html


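Editor's added example, not a post from the thread: the pieces of an Easy VPN server configuration on the 877 that let a client holding a SDM_POOL_1 address (192.168.0.1-50) reach the 10.10.10.0/24 LAN behind BVI1, using the addresses and names posted above. The ACL names SPLIT_TUNNEL and VPN_TO_LAN are assumptions. Three things visible in the posted config are worth checking before anything is added: BVI1 is not shown with an address even though Virtual-Template1 is "ip unnumbered BVI1"; access-list 101 is applied inbound on both Dialer0 ($FW_OUTSIDE$) and Virtual-Template1, and the ACL itself is not posted, so an outside-facing ACL that only permits ISAKMP and ESP would drop the decrypted client traffic before it reaches the LAN ("show ip access-lists 101" shows what it does); and the answer to the original question is no, the pool does not need to be NATed to VLAN 1, because LAN hosts return traffic to 192.168.0.x via their default gateway 10.10.10.1 and the router only needs a route for it toward the Virtual-Access interface ("show ip route static" after a client connects; RRI installs it if it is missing, and the keyword under an ipsec profile is "reverse-route", without "set"). Unrelated to the tunnel but in the same config: Dot11Radio0 is bridged into bridge-group 1 with open authentication and 40-bit WEP, so the wireless side is the same LAN the VPN clients are being granted.

```cisco
! Added example (editor), not from the thread. Addresses are the posted ones;
! the ACL names SPLIT_TUNNEL and VPN_TO_LAN are assumptions.

! 1. IPsec profile: RRI installs a /32 static route for each connected
!    client's pool address, pointing at its Virtual-Access interface.
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
 reverse-route
!
! 2. Split tunnel: only 10.10.10.0/24 is sent through the tunnel. Without
!    this the client's Internet traffic arrives here too and would have to
!    be NATed back out of Dialer0.
ip access-list extended SPLIT_TUNNEL
 permit ip 10.10.10.0 0.0.0.255 any
!
crypto isakmp client configuration group SolentVPN
 key ************
 pool SDM_POOL_1
 netmask 255.255.255.0
 acl SPLIT_TUNNEL
!
! 3. The virtual template is "ip unnumbered BVI1", so BVI1 must carry the
!    LAN address; it is also the NAT inside interface.
interface BVI1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip nat outside
!
! 4. Do not reuse the outside firewall ACL (101) inbound on the tunnel; it
!    would filter the decrypted client traffic. Filter pool -> LAN explicitly.
ip access-list extended VPN_TO_LAN
 permit ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny   ip any any log
!
interface Virtual-Template1 type tunnel
 ip unnumbered BVI1
 ip access-group VPN_TO_LAN in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
! 5. PAT only the LAN. Pool -> LAN traffic goes inside -> inside and is
!    never translated, so the pool needs no NAT; the unused "ip nat pool VPN"
!    can be removed.
no ip nat pool VPN 192.168.0.1 192.168.0.50 netmask 255.255.255.0
access-list 1 permit 10.10.10.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! Checks after a client connects:
!   show crypto session             - Virtual-Access interface UP-ACTIVE
!   show ip route static            - 192.168.0.x/32 via Virtual-AccessN (RRI)
!   show ip nat translations        - no entries with a 192.168.0.x source
!   show ip access-lists VPN_TO_LAN - permit counter increases on a ping
```

If the ping from the client still fails with the route and the ACL counters in place, the remaining suspects are the LAN hosts themselves (a host firewall that only trusts 10.10.10.0/24 will drop packets from 192.168.0.x) rather than the router.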
