Need help IOS IPsec configuration to allow communication between VPN client

Answered Question
Nov 13th, 2009

Hi, I need help with the IPsec VPN configuration on a 2811 router. I want to allow communication between VPN clients; is this possible? I know that on the ASA you can do this with the command "same-security-traffic permit intra-interface".


The fact is each client has IP Communicator installed, but when they tried to make a call to each other it failed. I assume this is because the connectivity between them is not OK because of the VPN connection.


Thanks in advance...

Correct Answer by mopaul, Sat, 11/14/2009 - 22:43

Hi,

Try this:

ip local pool ippool 192.168.1.1 192.168.1.5
!
access-list 1 permit host 192.168.1.2        <<< vpn ip addr of client 1
access-list 1 permit host 192.168.1.3        <<< vpn ip addr of client 2
access-list 1 permit 10.10.10.0 0.0.0.255    <<< LAN behind the router
!
crypto isakmp client configuration group vpnclient
 key cisco123
 acl 1                                       <<< binding the acl 1
!

--------Done-------------


If you are doing NAT on the router then you might want to exempt your VPN traffic from being NAT'd.


Assuming the NAT statement on your router is:

ip nat inside source list 111 interface FastEthernet1/0 overload
!
!--- The access list is used to specify which traffic
!--- is to be translated for the outside Internet.
!
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

The above two statements exempt the traffic from NAT.

access-list 111 permit ip 10.10.10.0 0.0.0.255 any    <<< permits NAT.


I would like to know if this worked for you.


Regards

M
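The answer hinges on two ordered access lists: list 1 decides which destinations the client sends into the tunnel, and list 111 decides which flows the router translates, with the two deny entries placed before the permit so that LAN-to-client and client-to-client traffic is never PAT'd to the outside interface address. The following is an added example, not code from the post above: a small first-match evaluator for the IOS wildcard-mask ACL syntax used in the answer, run against the answer's own entries plus a copy of list 111 with the exemption lines removed. The LAN host 10.10.10.5, the client addresses and the Internet host 203.0.113.10 are constructed sample values.

```python
"""Evaluate the split-tunnel ACL (1) and the NAT ACL (111) from the answer.

Added example, not from the original post. Implements IOS semantics for the
subset of 'access-list' syntax the answer uses: first matching entry wins,
unmatched packets hit the implicit deny, and a wildcard mask bit of 1 means
"don't care". Sample hosts below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics (inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"           # standard ACLs only inspect the source
    dst_wc: str = "255.255.255.255"


def _take_addr(toks):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if toks[0] == "any":
        return "0.0.0.0", "255.255.255.255", toks[1:]
    if toks[0] == "host":
        return toks[1], "0.0.0.0", toks[2:]
    return toks[0], toks[1], toks[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny [ip] SRC [DST]'."""
    toks = line.split()
    assert toks[0] == "access-list", line
    action, rest = toks[2], toks[3:]
    if rest and rest[0] == "ip":               # extended ACL: src and dst
        src, src_wc, rest = _take_addr(rest[1:])
        dst, dst_wc, _ = _take_addr(rest)
        return Ace(action, src, src_wc, dst, dst_wc)
    src, src_wc, _ = _take_addr(rest)          # standard ACL: src only
    return Ace(action, src, src_wc)


def evaluate(acl_lines, src: str, dst: str = "0.0.0.0") -> str:
    """Return the action of the first matching entry, else the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if wildcard_match(src, ace.src, ace.src_wc) and \
           wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


# Entries copied from the answer (annotations removed so they parse).
SPLIT_TUNNEL_ACL_1 = [
    "access-list 1 permit host 192.168.1.2",
    "access-list 1 permit host 192.168.1.3",
    "access-list 1 permit 10.10.10.0 0.0.0.255",
]
NAT_ACL_111 = [
    "access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 111 permit ip 10.10.10.0 0.0.0.255 any",
]
# Hypothetical misconfiguration: the same list without the exemption lines.
NAT_ACL_NO_EXEMPTION = [l for l in NAT_ACL_111 if " deny " not in l]


def via_tunnel(dst: str) -> bool:
    """Split-tunnel ACL: the listed networks are destinations the client
    must reach through the tunnel; anything else leaves the client in clear."""
    return evaluate(SPLIT_TUNNEL_ACL_1, dst) == "permit"


def nat_decision(src: str, dst: str, acl=NAT_ACL_111) -> str:
    """'translated' if 'ip nat inside source list 111' would PAT the flow."""
    return "translated" if evaluate(acl, src, dst) == "permit" else "exempt"


if __name__ == "__main__":
    for dst in ("192.168.1.3", "10.10.10.20", "203.0.113.10"):
        print(f"client -> {dst:14} via tunnel: {via_tunnel(dst)}")
    flows = [("10.10.10.5", "192.168.1.2"), ("192.168.1.2", "192.168.1.3"),
             ("10.10.10.5", "203.0.113.10"), ("192.168.1.2", "203.0.113.10")]
    for src, dst in flows:
        print(f"{src:12} -> {dst:14} list 111: {nat_decision(src, dst)}"
              f"  (without deny lines: {nat_decision(src, dst, NAT_ACL_NO_EXEMPTION)})")
```

Running it shows the property the answer relies on: with the two deny entries in place, LAN-to-client and client-to-client flows are exempt while LAN-to-Internet is translated; drop the deny entries and the LAN-to-client flow is translated to the FastEthernet1/0 address, so replies from the client no longer match the inside host. Traffic from the VPN pool toward the Internet is not in list 111 at all, which is consistent with split tunnelling: list 1 keeps that traffic out of the tunnel in the first place.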


mopaul Mon, 11/16/2009 - 05:01

You are most welcome.


Have a good day ahead.


Regards

M
