Need help IOS IPsec configuration to allow communication between VPN client

prachaya_k (Level 1)

Hi, I need help with the IPsec VPN configuration on a 2811 router. I want to allow communication between VPN clients. Is this possible? I know that on the ASA you can do this with the command "same-security-traffic permit intra-interface".

The fact is that each client has IP Communicator installed, but when they try to make a call to each other it fails. I assume this is because the connectivity between them is not OK because of the VPN connection.

Thanks in advance...

Accepted Solution

mopaul (Cisco Employee)

Hi,

Try this:

ip local pool ippool 192.168.1.1 192.168.1.5
!
! Split-tunnel ACL: the client sends only traffic matching these
! networks through the tunnel, so the other clients' VPN addresses
! must be listed here for client-to-client traffic to reach the router.
! 192.168.1.2 = VPN IP address of client 1
! 192.168.1.3 = VPN IP address of client 2
! 10.10.10.0/24 = LAN behind the router
access-list 1 permit host 192.168.1.2
access-list 1 permit host 192.168.1.3
access-list 1 permit 10.10.10.0 0.0.0.255
!
crypto isakmp client configuration group vpnclient
 key cisco123
 ! assigns addresses from the pool defined above
 pool ippool
 ! binds ACL 1 as the split-tunnel ACL
 acl 1
!

--------Done-------------

If you are doing NAT on the router, then you might want to exempt your VPN traffic from being NATed.

Assuming the NAT statement on your router is

ip nat inside source list 111 interface FastEthernet1/0 overload
!
! The access list specifies which traffic is translated
! for the outside Internet.
!
! These two deny entries exempt LAN-to-VPN and VPN-to-VPN traffic from NAT.
access-list 111 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
! Everything else from the LAN is translated.
access-list 111 permit ip 10.10.10.0 0.0.0.255 any

The two deny statements above exempt the traffic from NAT; the permit statement translates the rest.

I would like to know if this worked for you.

Regards

M

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries

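For reference, the following is an added, complete remote-access (Easy VPN server) configuration for an IOS router that ties the fragments in the accepted answer together; it is not from the original thread. It keeps the thread's values (pool 192.168.1.1-192.168.1.5, group name vpnclient, LAN 10.10.10.0/24, FastEthernet1/0 as the Internet-facing interface used in the NAT statement) and assumes FastEthernet0/0 faces the LAN, a local user database for XAUTH, and placeholder user name, password and pre-shared key. The point it illustrates: unlike the ASA, IOS needs no intra-interface permit. A decrypted packet destined for another client is simply routed back out the same interface through the crypto map, as long as (1) each client's split-tunnel ACL covers the other clients' addresses (here the whole pool network, which generalizes the per-host entries in the answer), (2) reverse-route injection gives the router a route to each connected client, and (3) that traffic is exempt from NAT.

```cisco
! Added example, not from the original post. Interface names, the
! user name, the password, the pre-shared key and the pool size are
! assumptions; replace the <placeholders> before use.
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username vpnuser secret <strong-password>
!
! IKE phase 1. The legacy Cisco VPN Client negotiates DH group 2,
! so that is what this policy offers.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! Group policy pushed to the clients: pre-shared key, address pool and
! split-tunnel ACL. cisco123 from the thread is not a suitable key.
crypto isakmp client configuration group vpnclient
 key <pre-shared-key>
 pool ippool
 acl 1
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
! reverse-route installs a /32 static route to each connected client's
! pool address; this is what lets the router forward one client's
! traffic to another client's tunnel.
crypto dynamic-map dynmap 10
 set transform-set ESP-AES-SHA
 reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description LAN (assumed interface)
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet1/0
 description Internet (interface from the NAT statement in the thread)
 ip address <public-ip> <mask>
 ip nat outside
 crypto map clientmap
!
ip local pool ippool 192.168.1.1 192.168.1.5
!
! Split-tunnel ACL. Including the whole pool network means any client
! can reach any other client without editing the ACL per client.
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.255
!
! NAT: exempt LAN<->VPN and VPN<->VPN, translate everything else.
access-list 111 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list 111 interface FastEthernet1/0 overload
```

To confirm the hairpin is actually working once two clients are connected: `show crypto session` should list both peers; `show ip route static` should show a /32 for each client's pool address (installed by reverse-route); and `show crypto ipsec sa` should show the encaps counter rising on one client's SA and decaps rising on the other's while a call is attempted. If `show ip nat translations` shows entries for a 192.168.1.x pair, the NAT exemption is not matching and the call setup will fail.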

3 Replies


Problem solved, thank you very much!

You are most welcome.

Have a good day ahead.

Regards

M
