Why can I not ping the internal network?

Answered Question
Dec 9th, 2009

I have configured VPN remote access. I can log in with my username and password, but I cannot ping any computer on the internal network. Please help me... The configuration of the router is:


sh run

aaa new-model
aaa authentication login VPN local
aaa authorization network VPN local
!
username vpnuser password 0 vpnpass
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group HOME
 key 123456!
 dns 10.10.10.2
 pool VPN-D
 include-local-lan
!
crypto ipsec transform-set TEST esp-des esp-md5-hmac
!
crypto dynamic-map VPNS 1
 set transform-set TEST
 reverse-route
!
crypto map VPNSS client authentication list VPN
crypto map VPNSS isakmp authorization list VPN
crypto map VPNSS client configuration address respond
crypto map VPNSS 1 ipsec-isakmp dynamic VPNS
!
interface FastEthernet0/0
 description ==> Link to ISP <==
 ip address dhcp
 ip nat outside
 crypto map VPNSS
!
interface FastEthernet0/1
 description ==> Red Lan <==
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip local pool VPN-D 192.168.20.1 192.168.20.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255

Correct Answer by Laurent Aubert, Wed, 12/09/2009 - 20:42

Hi,


I assume you are retrieving an IP address from the pool and the route is available in the routing table of the router. In this case you need to tell the router not to NAT the traffic destined to the VPN client:

ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.31
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 101
!


The following link contains many examples: http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html


HTH


Laurent.
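To make the NAT-exemption logic concrete, here is an added Python model (not from the thread, and not Cisco code) of how IOS evaluates the ACL referenced by a NAT rule: the asker's access-list 1 is compared with Laurent's access-list 101 / route-map nonat. The ACL entries, wildcard semantics and the 192.168.20.1-20 pool are taken from the thread; the packet addresses are constructed.

```python
import ipaddress

# IOS wildcard mask: a 0 bit must match exactly, a 1 bit is "don't care".
def wildcard_match(ip, network, wildcard):
    """Return True if ip matches network/wildcard the way an IOS ACL does."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)

# Asker's original: access-list 1 permit 192.168.1.0 0.0.0.255
# (standard ACL: source only, so the destination is effectively "any").
ORIGINAL_ACL = [
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]

# Laurent's fix: deny LAN -> VPN pool first, then permit LAN -> any.
FIXED_ACL = [
    ("deny", "192.168.1.0", "0.0.0.255", "192.168.20.0", "0.0.0.31"),
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]

def acl_action(acl, src, dst):
    """First-match evaluation with the implicit deny at the end, as on IOS."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

def is_translated(acl, src, dst):
    """A packet is NATed only when the ACL behind the NAT rule permits it;
    a 'deny' in the route-map ACL means 'leave this traffic untranslated'."""
    return acl_action(acl, src, dst) == "permit"

def pool_fully_exempt(acl, pool_start, pool_end, lan_host="192.168.1.10"):
    """Check that every address in the VPN pool is excluded from NAT,
    i.e. that the deny entry's wildcard really covers the whole pool."""
    start = int(ipaddress.IPv4Address(pool_start))
    end = int(ipaddress.IPv4Address(pool_end))
    return all(
        not is_translated(acl, lan_host, str(ipaddress.IPv4Address(i)))
        for i in range(start, end + 1)
    )

if __name__ == "__main__":
    # Constructed packets: LAN host replying to a VPN client, and LAN host to the Internet.
    print("original, LAN->VPN client NATed:", is_translated(ORIGINAL_ACL, "192.168.1.10", "192.168.20.5"))
    print("fixed, LAN->VPN client NATed:   ", is_translated(FIXED_ACL, "192.168.1.10", "192.168.20.5"))
    print("fixed, LAN->Internet NATed:     ", is_translated(FIXED_ACL, "192.168.1.10", "203.0.113.9"))
    print("whole pool exempt:", pool_fully_exempt(FIXED_ACL, "192.168.20.1", "192.168.20.20"))
```

With the original access-list 1, the reply from a LAN host to a VPN client matches the permit and is translated to the outside address, so the ping never gets back; the route-map version leaves that traffic alone while still NATing Internet-bound traffic.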
