11-13-2009 10:08 PM - edited 02-21-2020 03:47 AM
Hi, I need help with the IPsec VPN configuration on a 2811 router. I want to allow communication between VPN clients; is this possible? I know that on the ASA you can do this with the command "same-security-traffic permit intra-interface".
The fact is each client has IP Communicator installed, but when they try to make a call to each other it fails. I assume this is because the connectivity between them is not OK because of the VPN connection.
Thanks in advance...
11-14-2009 10:43 PM
Hi,
Try this:
ip local pool ippool 192.168.1.1 192.168.1.5
access-list 1 permit host 192.168.1.2 <<< vpn ip addr of client 1
access-list 1 permit host 192.168.1.3 <<< vpn ip addr of client 2
access-list 1 permit 10.10.10.0 0.0.0.255 <<< LAN behind the router
crypto isakmp client configuration group vpnclient
key cisco123
acl 1 <<< binding the acl 1
!
--------Done-------------
If you are doing NAT on the router, then you might want to exempt your VPN traffic from being NAT'd.
Assuming the NAT statement on your router is
ip nat inside source list 111 interface FastEthernet1/0 overload
!
!--- The access list is used to specify which traffic
!--- is to be translated for the outside Internet.
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
The above two statements exempt the traffic from NAT.
access-list 111 permit ip 10.10.10.0 0.0.0.255 any <<< permits NAT
I would like to know if this worked for you.
Regards
M
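To see why the two deny lines in ACL 111 matter, here is an added example (not part of the answer above, and not Cisco code) that parses the three ACL 111 lines into wildcard-mask entries and evaluates them with the first-match semantics "ip nat inside source list" uses; the pool and LAN addresses are the ones from the answer, and the test traffic is constructed.

```python
import ipaddress

# ACL 111 as given in the answer above (constructed sample input).
ACL_111 = """
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
"""


def _parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD').
    Returns (network_int, care_mask_int, remaining_tokens)."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF, tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    care = 0xFFFFFFFF ^ wildcard  # wildcard bit set to 1 means "don't care"
    return net & care, care, tokens[2:]


def parse_acl(text):
    """Parse 'access-list N {permit|deny} ip SRC DST' lines into tuples."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, src_care, rest = _parse_addr(t[4:])
        dst, dst_care, _ = _parse_addr(rest)
        entries.append((action, proto, src, src_care, dst, dst_care))
    return entries


def is_translated(acl, src_ip, dst_ip):
    """First-match evaluation: permit -> packet is NAT'd,
    deny or no match (implicit deny) -> packet leaves untranslated."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for action, _proto, src, src_care, dst, dst_care in acl:
        if (s & src_care) == src and (d & dst_care) == dst:
            return action == "permit"
    return False
```

Dropping the deny lines makes LAN-to-client traffic match the permit and get translated, which is exactly the breakage the exemption prevents.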
11-15-2009 08:37 PM
Problem solved, thank you very much!
11-16-2009 05:01 AM
You are most welcome.
Have a good day ahead.
Regards
M