VPN client connects but no Internal LAN access or Ping

Answered Question
Sep 7th, 2010

Hello All.


I am new to this forum and am kindly asking for your help because I am stuck.


I have a Cisco 877 ADSL router that I configured as an Easy VPN server.
Now the Cisco VPN client ver 5.0 connects successfully to the VPN server, but when you try to ping/access the internal LAN computers, there is no response.


The configuration is below. Please advise where I went wrong or what I have missed.
[code]
Building configuration...

Current configuration : 4574 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$86dn$J8HrK9kCQ8G9aPAm6xe4o1
enable password 7 13151601181B54382F
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login internal_affairs_vpn_1 local
aaa authorization exec default local
aaa authorization network internal_affairs_vpn_group_1 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-2122144568
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2122144568
revocation-check none
rsakeypair TP-self-signed-2122144568
!
!
crypto pki certificate chain TP-self-signed-2122144568
certificate self-signed 03
  30820248 308201B1 A0030201 02020103 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32313232 31343435 3638301E 170D3032 30333032 32303537
  31375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31323231
  34343536 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D3EA 07EC5D66 F4DD8ACC 5540BDBE 009B3C26 598EC99C D99D935A 51292F96
  F495E5A9 8D012B0E 73EA7639 3B586799 187993F5 ED9CA31C 788756DD 6BDB1B2B
  4D7AA7F0 B07CF82F F2A29E86 E18B442C 550E22D2 E92D9914 105B7D59 253BBEA1
  D84636B4 A4B4B300 7946CE84 E9A63D2E 7789B03A 6ADDB04E B21EC207 CCFEAE0B
  30A50203 010001A3 70306E30 0F060355 1D130101 FF040530 030101FF 301B0603
  551D1104 14301282 10494E54 45524E41 4C5F4146 46414952 53301F06 03551D23
  04183016 8014FA0F B3C9C651 7FD91EFA 3F63EAE8 6C83C80D 8AE2301D 0603551D
  0E041604 14FA0FB3 C9C6517F D91EFA3F 63EAE86C 83C80D8A E2300D06 092A8648
  86F70D01 01040500 03818100 A1026DDC C91CAEB2 950CA920 3C62AF92 D6B25EB2
  313BCF26 4A35B039 A4F806A0 8CB54D11 6AF1ABAA A770604B 4403F345 0351361B
  E2CF2950 95951862 26974F4A 401A4F76 C816590C 2FFCB115 9A8B3E96 4373FFE1
  33D744F7 E0FDDE61 B5B48497 9516C3C6 A3157957 C621668E A83B5E33 2420F962
  9142DD9E B6E9D74A 899A9653
        quit
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool dhcplan
   network 10.0.0.0 255.0.0.0
   dns-server 196.0.50.50 81.199.21.94
   default-router 10.10.10.1
   lease 7
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip name-server 81.199.21.94
!
!
!
username vpn password 7 095A5E07
username fred privilege 15 password 7 1411000E08
username ciscovpn password 7 01100F175804101F2F
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group internal_affairs_vpn
key ******
dns 196.0.50.50 81.199.21.94
pool ippool
acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map internal_affairs_DYNMAP_1 10
set transform-set myset
reverse-route
!
!
crypto map internal_affairs_CMAP_1 client authentication list internal_affairs_vpn
crypto map internal_affairs_CMAP_1 isakmp authorization list internal_affairs_vpn_group_1
crypto map internal_affairs_CMAP_1 client configuration address respond
crypto map internal_affairs_CMAP_1 10 ipsec-isakmp dynamic internal_affairs_DYNMAP_1
!
archive
log config
  hidekeys
!
!
!
bridge irb
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface ATM0
no ip address
atm vc-per-vp 512
no atm ilmi-keepalive
pvc 0/32
  encapsulation aal5snap
  protocol ip inarp
!
dsl operating-mode auto
bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description local lan interface
ip address 10.10.10.1 255.0.0.0
ip nat inside
ip virtual-reassembly
!
interface BVI1
description internet interface
ip address 197.0.4.174 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map internal_affairs_CMAP_1
!
ip local pool ippool 192.168.192.1 192.168.192.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 196.0.4.173
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list NAT interface BVI1 overload
ip nat inside source static tcp 2.2.2.2 23 interface BVI1 23
!
ip access-list extended NAT
permit ip any any
!
access-list 108 permit ip 10.0.0.0 0.255.255.255 192.168.192.0 0.0.0.255
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
password 7 0216054818115F3348
no modem enable
line aux 0
line vty 0 4
password 7 06160E325F59590B01
!
scheduler max-task-time 5000
end
[/code]

Federico Coto F... Tue, 09/07/2010 - 13:28

Hi,


You have a permit ip any any on the ACL for NAT.

The VPN traffic should be exempt from NAT:

access-list NAT deny ip 10.0.0.0 0.255.255.255 192.168.192.0 0.0.0.255
access-list NAT permit ip 10.0.0.0 0.255.255.255 any


Federico.

kwebihaf2010 Tue, 09/07/2010 - 13:41

Hello Federico.


This is the error the router returns:

INTERNAL_AFFAIRS(config)#access-list NAT deny ip 10.0.0.0 0.255.255.255 192.16$
access-list NAT deny ip 10.0.0.0 0.255.255.255 192.168.192.0 0.0.0.255
            ^
% Invalid input detected at '^' marker.



What could be wrong?


Thanks in advance for your help.

Correct Answer
Federico Coto F... Tue, 09/07/2010 - 13:43

Since it is a named ACL, you should modify it in ACL configuration mode:

ip access-list extended NAT

Then, do the modifications.


Federico.
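
The two replies above together describe the fix: the NAT ACL must exempt LAN-to-VPN-pool traffic, and because NAT is a named ACL, the entries have to be added in ACL configuration mode rather than with the numbered-ACL `access-list NAT ...` syntax. The following is an added example assembled from the thread's own addresses (10.0.0.0/8 LAN, 192.168.192.0/24 VPN pool, ACL name NAT, interface BVI1); it is not configuration posted by either participant. It keeps the overload NAT statement in place, so LAN hosts keep their Internet access, unlike the poster's final workaround of removing `ip nat inside source list NAT interface BVI1 overload` altogether, which also stops PAT for the LAN. The `clear ip nat translation *` step is included because the router's prompt in the last post shows dynamic mappings are still in use; stale translations for the VPN pool would otherwise persist until they age out.

```cisco
! Enter ACL configuration mode for the named extended ACL "NAT".
! "access-list NAT deny ..." is rejected because that form only accepts
! ACL numbers; named ACLs are edited inside "ip access-list extended".
ip access-list extended NAT
 ! Drop the catch-all so that the deny below is reached first.
 no permit ip any any
 ! NAT exemption: LAN -> VPN pool must keep its real source address,
 ! otherwise the reply is translated to BVI1's address and never
 ! matches the IPsec SA built from ACL 108 (10.0.0.0/8 <-> 192.168.192.0/24).
 deny   ip 10.0.0.0 0.255.255.255 192.168.192.0 0.0.0.255
 ! Everything else from the LAN is still PAT'ed out of BVI1.
 permit ip 10.0.0.0 0.255.255.255 any
exit
end
!
! Flush existing dynamic translations so VPN-bound flows are re-evaluated
! against the new ACL order, then verify.
clear ip nat translation *
! The deny line should show match counters increasing while a VPN client
! pings a LAN host; no entry for 192.168.192.x should appear in the
! translation table.
show ip access-lists NAT
show ip nat translations
```

First-match order is the whole point: with `permit ip any any` as the only entry, the router translated the LAN host's reply before IPsec could match it to the client's SA, so the ping was answered but the answer left through NAT instead of the tunnel. Placing the deny above the permit is what makes the exemption take effect.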

kwebihaf2010 Tue, 09/07/2010 - 13:49

Hello Federico.


I solved the problem by deleting the source list NAT command:

no ip nat inside source list NAT interface BVI1 overload

Dynamic mapping in use, do you want to delete all entries? [no]: yes

Thanks a lot for the hint, Federico.


God bless you.
