Cannot SSH to Router public IP after implementing VPN split tunnel

ciscoguru01
Level 1

All access lists are in place on the VTYs. I am pretty sure it is the IP NAT OUTSIDE on the interface going to the Internet. Do I need to set up an ACL or policy routing to get this to authenticate? I can see the hits on the ACL when I try to connect. I am also seeing the proper source and destinations when doing a DEBUG IP PACKET referencing an access list.

Thanks in advance,

1) VPN.txt

4 Replies

Mohamed Sobair
Level 7

Hi,

In your VPN ISAKMP policy, you missed setting the peer and the hash algorithm used to hash the key with.

Without setting the peer, the VPN can't negotiate the ISAKMP peer Security Association.

HTH

Mohamed

Sorry if the desc wasn't clear enough, this is a remote access VPN using Cisco's Client. I can VPN into the router, I can surf the Internet and I can access the remote network on the 10's. Everything seems to be working OK while connected except that I cannot SSH or telnet to the Router.

Bradley

In your original post you indicate that you think that the problem with SSH or telnet access is related to NAT and I believe that you are correct in this. I believe that the issue is in the access list which controls the translation. Here is what is configured:

access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 111 permit ip any any

I have seen problems with remote access to routers when the access list for translation includes permit any any. I suggest that you find a way to rewrite the access list and not use any any.

HTH

Rick


You are correct sir!! Changed config to:

VPN(config)#$ 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

VPN(config)#access-list 111 permit ip 192.168.1.0 0.0.0.20 any

VPN(config)#access-list 111 permit ip 10.10.10.0 0.0.0.255 any

Everything works great, Thanks for the help.
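An added example (not from the thread or its participants) that evaluates both versions of ACL 111 with IOS first-match and wildcard-mask semantics, to show which flows each version selects for translation. The router outside address and the client address are constructed, and treating 192.168.1.0/24 as the VPN client range is an assumption.

```python
import ipaddress

# ACL 111 as first posted in the thread, and as rewritten in the final reply.
ACL_BEFORE = """\
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any"""
ACL_AFTER = """\
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.20 any
access-list 111 permit ip 10.10.10.0 0.0.0.255 any"""

# Constructed sample addresses (assumptions, not taken from the thread).
ROUTER_PUBLIC = "203.0.113.1"  # stand-in for the router's outside address
VPN_CLIENT = "192.168.1.5"     # assumes 192.168.1.0/24 is the client range

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _spec(tok):
    # Pop one 'any' or 'addr wildcard' spec and return (base, wildcard).
    if tok[0] == "any":
        tok.pop(0)
        return 0, 0xFFFFFFFF
    return _ip(tok.pop(0)), _ip(tok.pop(0))

def parse_acl(text):
    # Parse 'access-list N permit|deny ip SRC DST' lines into rule tuples.
    rules = []
    for line in text.splitlines():
        tok = line.split()
        rest = tok[4:]
        rules.append((tok[2], _spec(rest), _spec(rest)))
    return rules

def _hit(addr, spec):
    care = ~spec[1] & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
    return (_ip(addr) & care) == (spec[0] & care)

def acl_match(rules, src, dst):
    # First matching line wins; no match falls through to the implicit deny.
    for action, s, d in rules:
        if _hit(src, s) and _hit(dst, d):
            return action
    return "deny"

def wildcard_hosts(base, wild):
    # List every address a (small) wildcard mask selects.
    w = _ip(wild)
    lo = _ip(base) & ~w & 0xFFFFFFFF
    return [str(ipaddress.IPv4Address(a)) for a in range(lo, (lo | w) + 1)
            if (a & ~w & 0xFFFFFFFF) == lo]
```

With these inputs, `acl_match(parse_acl(ACL_BEFORE), ROUTER_PUBLIC, VPN_CLIENT)` returns `permit` while the rewritten list returns `deny`, so only the original list selects router-sourced replies for translation. `wildcard_hosts("192.168.1.0", "0.0.0.20")` shows that the non-contiguous wildcard in the rewritten list selects exactly four addresses.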
