Client VPN routing problem

Answered Question
Jun 24th, 2008

I am trying to set up VPN client software ver 5.0 for remote users to connect to the LAN behind an 1801.


I can get the client saying it's connected, but traffic doesn't flow, apart from this:

when I try to ping a 192.168.2.x address behind the 1801 I get a response from the public IP, but then when I try to ping another address I get no response.

I am assuming that the issue is NAT related.


Below is my config; your help is appreciated.


service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C######
!
boot-start-marker
boot-end-marker
!
enable password 7 #######
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
ip cef
!
ip domain name ######.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
username admin privilege 15 password 7 ########
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 1801Client
 key ##############
 dns 192.168.2.251
 wins 192.168.2.251
 domain #######.local
 pool VpnPool
 acl 121
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
 log config
  hidekeys
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
interface FastEthernet0
 ip address 87.#.#.# 255.255.255.252
 ip access-group 113 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
interface FastEthernet8
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface Vlan1
 ip address 192.168.2.245 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool VpnPool 192.168.3.200 192.168.3.210
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 87.#.#.#
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.2.251 25 87.#.#.# 25 extendable
! (several lines similar to the above, with different ports)
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 113 permit tcp host 82.#.#.# host 87.#.#.# eq 22
access-list 113 permit tcp 84.#.#.# 0.0.0.3 host 87.#.#.# eq 22
access-list 113 permit tcp host 79.#.#.# host 87.#.#.# eq 22
access-list 113 deny tcp any any eq 22
access-list 113 permit tcp host 82.#.#.# host 87.#.#.# eq telnet
access-list 113 permit tcp 84.#.#.# 0.0.0.3 host 87.#.#.# eq telnet
access-list 113 permit tcp host 79.#.#.# host 87.#.#.# eq telnet
access-list 113 deny tcp any any eq telnet
access-list 113 permit ip any any
access-list 121 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 121 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 transport input telnet ssh
!
end

Correct Answer
Marwan ALshawi Tue, 06/24/2008 - 04:15

You need to exempt the client pool IP addresses from the NAT,

either by denying them in access list 1,

or by making a route map that points to a loopback address as the next hop for any packet destined to your pool, to avoid the NAT.

First try to put these entries in access-list 110:

access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110

Remove your old NAT and put the following one:

ip nat inside source route-map nonat interface FastEthernet0 overload

Rate if helpful,

and let me know. Good luck.


IainTrade Tue, 06/24/2008 - 09:08

Thank you very much for your help, really appreciated the fast responses.


Cheers Gents.


Correct Answer
michael.leblanc Tue, 06/24/2008 - 07:31

You have more than just a NAT issue.

crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route

Note: Reverse-route injection is needed to provision a return path.

access-list 121 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255

Note: The second ACE in the split-tunneling ACL is unnecessary.
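The two answers above fix different halves of the same problem: a LAN reply to a VPN client is first translated by the overload NAT (so its source becomes the public address and it no longer matches the crypto ACL), and even untranslated it needs a route that sends it back into the tunnel. The fragment below is an added example that combines both fixes into one paste-able change; it is not something posted in this thread. It reuses the interface names, ACL numbers, pool and LAN addresses from the posted config, adds the `ip` keyword that an extended ACL entry requires, and assumes the exec-mode `clear` and `show` commands (given as comments) are run from a privileged prompt on the same router.

```cisco
! --- 1. NAT exemption for LAN -> VPN-pool traffic (route-map approach) ---
! Access list 1 is a standard ACL and can only match the source, so it
! cannot exempt traffic by destination; an extended ACL in a route-map can.
! The deny MUST precede the permit: entries are evaluated top-down.
access-list 110 remark do-not-NAT traffic from the LAN to the VPN client pool
access-list 110 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 110
!
! Swap the overload rule. IOS will not remove a dynamic mapping while
! translations built from it still exist, so clear them first (exec mode;
! this briefly drops every existing NAT session):
!   clear ip nat translation *
no ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source route-map nonat interface FastEthernet0 overload
!
! --- 2. Return path: reverse-route injection on the dynamic map ---
! While a client is connected, RRI installs a host route for the address it
! was handed from VpnPool, so replies are routed back into the tunnel instead
! of following the default route as plain Internet traffic.
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
! --- 3. Split-tunnel ACL: the source of each ACE is what the client is told
! to protect, so only the LAN side needs to be listed ---
no access-list 121
access-list 121 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! --- Verification (exec mode), with one client connected and pinging ---
!   show ip nat translations      ! no entries whose inside-global destination
!                                 ! is a 192.168.3.x pool address
!   show ip route 192.168.3.200   ! RRI static host route for the client
!   show crypto ipsec sa          ! #pkts encaps AND #pkts decaps both rising;
!                                 ! decaps-only means replies are still NATed
!                                 ! or routed around the tunnel
```

Two caveats for anyone applying this. First, the static port-forwards for 192.168.2.251 (`ip nat inside source static tcp ...`) are unconditional and are not covered by the route-map, so a VPN client talking to that host on a forwarded port may still see replies sourced from the public address; confirm with `show ip nat translations` while a client session is up before deciding whether those entries also need exempting. Second, unrelated to the routing problem but visible in the same config: access-list 113 ends in `permit ip any any`, so the only thing it restricts on the outside interface is SSH and Telnet management access, and `transport input telnet ssh` still admits cleartext Telnet to the vty lines; `transport input ssh` would close that.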

