06-07-2008 05:08 AM - edited 03-03-2019 10:16 PM
Hi ALL
I have configured a Cisco 877 as a VPN server
The remote host can connect to the VPN - but cannot access the LAN
If my virtual tunnel interface is the BVI interface, is the VPN tunnel exiting on to the LAN?
If that's the case it should be able to ping hosts on the LAN, correct?
Or do I need to NAT the VPN pool to VLAN 1 on the inside?
Hope that makes sense.
Thanks in advance for any help
06-07-2008 05:28 AM
Hi, I think you should send your current config after removing public IPs and passwords.
06-07-2008 06:08 AM
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool1
import all
network 10.10.10.0 255.255.255.0
dns-server ************************8
default-router 10.10.10.1
ip name-server ************
ip name-server **********
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group SolentVPN
key ************
pool SDM_POOL_1
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group SolentVPN
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
bridge irb
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
description $FW_INSIDE$
ip unnumbered BVI1
ip access-group 101 in
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
no ip address
!
encryption key 1 size 40bit 7 ********* transmit-key
encryption mode wep mandatory
!
ssid SolentSound
authentication open
guest-mode
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface Dialer0
description $FW_OUTSIDE$
ip address ********************
ip access-group 101 in
no ip redirects
!
ip local pool SDM_POOL_1 192.168.0.1 192.168.0.50
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool VPN 192.168.0.1 192.168.0.50 netmask 255.255.255.0
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended VPN
remark VPN
remark SDM_ACL Category=2
permit ip any any
!
06-07-2008 06:46 AM
Hi,
try:
no interface atm0.1
interface atm0
default ip redirects
default ip unreachables
default ip proxy-arp
default ip route-cache
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface Vlan1
ip tcp adjust-mss 1452
interface BVI 1
ip address 10.10.10.1
ip nat inside
interface dialer0
ip nat outside
access-list 1 permit 10.10.10.0 0.0.0.255
The objective is to simplify the configuration removing not needed commands, and get the inside PCs to work on the internet first.
For the PC connected via VPN, you need to decide if you want split-tunnel for it (usually that is the case).
Then you can configure DDNS on the router so the VPN always knows by DNS which address it must connect to.
06-07-2008 07:25 AM
Think you are missing the point. I have 20 PCs and a server all happily talking to the internet.
I have a problem with a VPN tunnel that cannot see the LAN on the router.
06-07-2008 09:56 AM
The commands mentioned simplify the configuration; besides, the config you posted is missing the BVI and complete ACLs, so I put them in anyway.
Now for the tunnel problem, I think it's missing RRI (set reverse-route under ipsec profile), see:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_rev_rte_inject.html
As an appreciation for useful answers, please rate posts using the scrollbox below!
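An added check for the defects the two answers point at (no reverse-route under the IPsec profile, a BVI referenced by ip unnumbered but never configured, ACLs referenced but absent from the pasted text, a NAT source list with no access-list behind it). This is example code written for this thread, not anything from the posters or from Cisco; the config excerpt is constructed to mirror the posted one in show-run style, and SAMPLE_CONFIG, parse_blocks and audit are names chosen here.

```python
import re

# Constructed excerpt modelled on the config pasted in the thread, not the full device config.
SAMPLE_CONFIG = """\
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
interface Virtual-Template1 type tunnel
 ip unnumbered BVI1
 ip access-group 101 in
 tunnel protection ipsec profile SDM_Profile1
interface Vlan1
 no ip address
 bridge-group 1
ip nat inside source list 1 interface Dialer0 overload
"""

# Matches numbered ("access-list 1 ...") and named ("ip access-list extended VPN") ACL headers.
ACL_RE = re.compile(r"^(?:access-list (\d+)|ip access-list (?:standard|extended) (\S+))")

def parse_blocks(cfg):
    """Split show-run style text into (header, [child lines]) by leading-space indentation."""
    blocks = []
    for line in cfg.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            blocks.append((line.strip(), []))
    return blocks

def audit(cfg):
    """Return findings for the VPN-to-LAN problems raised in the thread."""
    blocks = parse_blocks(cfg)
    # Interface names as shown by 'show run' (BVI1, Dialer0), not the CLI form 'BVI 1'.
    ifaces = {h.split()[1] for h, _ in blocks if h.startswith("interface ")}
    acls = {m.group(1) or m.group(2) for h, _ in blocks for m in [ACL_RE.match(h)] if m}
    refs = [("ip unnumbered", ifaces, "interface"), ("ip access-group", acls, "ACL")]
    findings = []
    for header, body in blocks:
        if header.startswith("crypto ipsec profile") and not any(l.startswith("reverse-route") for l in body):
            findings.append(f"{header}: no 'reverse-route', so no RRI route back to the client pool")
        for line in (body if header.startswith("interface ") else []):
            for cmd, known, kind in refs:
                m = re.match(cmd + r" (\S+)", line)
                if m and m.group(1) not in known:
                    findings.append(f"{header}: {cmd} {m.group(1)} references an undefined {kind}")
        m = re.match(r"ip nat inside source list (\S+)", header)
        if m and m.group(1) not in acls:
            findings.append(f"{header}: NAT source list {m.group(1)} is undefined")
    return findings
```

Run audit() over a full "show running-config" capture; a clean result needs reverse-route under the profile, an addressed BVI1, and every referenced ACL present.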