VPN client users cannot access LAN.

Hi,

I configured a dynamic VPN (Easy VPN) on a Cisco ISR, but the VPN clients cannot access any of the LAN devices. The VPN pool is 10.0.0.1-10.0.0.20 and the internal network address is 172.17.x.x. Please help me out.

See my configuration:

Router#sh run
Building configuration...

Current configuration : 12165 bytes
!
! NVRAM config last updated at 10:51:38 UTC Fri Jul 20 2012 by
version 15.1
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 6
enable secret xxxxxxxx.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN-USER-XAUTH local
aaa authorization exec default local
aaa authorization network VPN-GROUP local
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
!
ip name-server xxxx
ip name-server xxxx
ip name-server xxxx
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-
 revocation-check none
 rsakeypair TP-self-signed-2049522683
!
crypto pki trustpoint tti
 revocation-check crl
!
!
username xxx privilege 15 password xxxx
username xxxxx privilege 15 password xxxxx
username xxxxx password 0 xxxxxx
!
class-map type inspect http match-any HTTP-PORT-MISUSE
 match request port-misuse im
 match request port-misuse p2p
 match req-resp protocol-violation
 match request port-misuse tunneling
class-map type inspect match-all ICMP
 match access-group name INTERNET-ACL-IT
 match protocol icmp
class-map type inspect match-all SMTP
 match access-group name INTERNET-ACL-IT
 match protocol smtp
class-map type inspect match-all HTTP-ACCESS
 match protocol http
 match access-group name INTERNET-ACL-IT
class-map type inspect match-all UDP
 match access-group name INTERNET-ACL-IT
 match protocol udp
class-map type inspect match-all HTTPs-ACCESS
 match access-group name INTERNET-ACL-IT
 match protocol https
class-map type inspect match-all TCP
 match access-group name INTERNET-ACL-IT
 match protocol tcp
class-map type inspect match-any tsq-icmp
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all DNS
 match access-group name INTERNET-ACL-IT
 match protocol dns
class-map type inspect match-all VPN-ACCESS
 match access-group 121
class-map type inspect match-all tsq-invalid-src
 match access-group 100
class-map type inspect match-all tsq-icmp-access
 match class-map tsq-icmp
class-map type inspect match-all POP3
 match access-group name INTERNET-ACL-IT
 match protocol pop3
!
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect HTTP-ACCESS
  inspect
 class type inspect HTTPs-ACCESS
  inspect
 class type inspect UDP
  inspect
 class type inspect TCP
  inspect
 class type inspect DNS
  inspect
 class type inspect SMTP
  inspect
 class type inspect POP3
  inspect
 class type inspect ICMP
  inspect
 class type inspect invalid-src
  drop log
 class class-default
  drop log
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect VPN-ACCESS
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxxxx
 key 6 xxxxxxxx
 dns xxxxxxxx
 pool VPN-POOL-1
 include-local-lan
 max-users 20
 netmask 255.0.0.0
crypto isakmp profile VPN-IKE-PROFILE
 match identity group xxxxxxxx
 client authentication list VPN-USER-XAUTH
 isakmp authorization list VPN-GROUP
 client configuration address respond
 virtual-template 2
!
!
crypto ipsec transform-set TRANSFORM-SET esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-PROFILE-1
 set transform-set TRANSFORM-SET
 set isakmp-profile VPN-IKE-PROFILE
!
!
interface Embedded-Service-Engine0/0
 no ip address
 ip mask-reply
 ip directed-broadcast
 shutdown
!
interface GigabitEthernet0/0
 description LAN INTERFACE
 ip address 172.17.0.71 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description WAN-INTERNET-INTERFACE
 ip address xxxxxxxxx 255.255.252.0
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 ip mask-reply
 ip directed-broadcast
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/0
 zone-member security INSIDE
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-PROFILE-1
!
ip local pool VPN-POOL-1 10.0.0.1 10.0.0.30
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 120 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxx
ip route 192.168.1.0 255.255.255.0 172.17.x.x
ip route 192.168.4.0 255.255.255.0 172.17.x.x
!
ip access-list extended INTERNET-ACL-IT
 permit ip host 172.17.x.x any
 permit ip host 172.17.x.x any
 permit ip host 172.17.x.x any
 permit ip host 172.17.x.x any
 permit ip host 172.17.x.x any
!
access-list 120 deny ip 172.17.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 172.17.0.0 0.0.255.255 any
access-list 121 permit ip 10.0.0.0 0.0.0.255 172.17.0.0 0.0.255.255
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 transport input rlogin ssh
!
scheduler allocate 20000 1000
end

Regards,

Tony

Regards, Tony http://yadhutony.blogspot.com

VPN client users cannot access LAN.

Hi,

Try adding the ACL below to your router instead of the existing ACL:

access-list 103 deny   ip any 10.0.0.0 0.0.0.255
access-list 103 permit ip 172.17.0.0 0.0.255.255 any
access-list 103 permit ip 192.168.0.0 0.0.255.255 any
access-list 151 permit ip 172.17.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 151 permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.0.0.255

Then match ACL 151 under (crypto isakmp client configuration group xxxxx):

 acl 151

Let me know if your problem is solved.

Regards

VPN client users cannot access LAN.

Hello Ali,

My problem got solved when I attached the interface Virtual-Template2 type tunnel to the OUTSIDE zone.

Anyway, thank you for your reply.

Best Regards,

Tony

Regards, Tony http://yadhutony.blogspot.com
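The zone logic behind the two replies, as an added example that is not part of this thread: a small Python model of the default Cisco ZBF rules (traffic between interfaces in the same zone is passed without a policy, a missing zone-pair drops, otherwise the zone-pair's policy-map is evaluated first match) applied to the posted policy-maps, ACL 121 and both placements of Virtual-Template2. The two hosts in INTERNET-ACL-IT and the client/LAN addresses are constructed stand-ins for the masked values, the HTTP/HTTPS/DNS/SMTP/POP3 classes are folded into their TCP/UDP parents, and the model covers zone-pair classification only, not the crypto or NAT path.

```python
import ipaddress
# Constructed model of the firewall pieces in the posted config. The two hosts in
# INTERNET-ACL-IT are placeholders for the masked "172.17.x.x" entries.
ACLS = {
    "INTERNET-ACL-IT": [("permit", "172.17.0.10/32", "0.0.0.0/0"),
                        ("permit", "172.17.0.11/32", "0.0.0.0/0")],
    "121": [("permit", "10.0.0.0/24", "172.17.0.0/16")],
}
# policy-map -> ordered (class, required ACL, required L4 protocol, action).
# The L7 classes (http, https, dns, smtp, pop3) are folded into TCP/UDP here.
POLICIES = {
    "OUT-TO-IN-POLICY": [("VPN-ACCESS", "121", None, "inspect"),
                         ("class-default", None, None, "drop")],
    "IN-TO-OUT-POLICY": [("TCP", "INTERNET-ACL-IT", "tcp", "inspect"),
                         ("UDP", "INTERNET-ACL-IT", "udp", "inspect"),
                         ("ICMP", "INTERNET-ACL-IT", "icmp", "inspect"),
                         ("class-default", None, None, "drop log")],
}
ZONE_PAIRS = {("OUTSIDE", "INSIDE"): "OUT-TO-IN-POLICY", ("INSIDE", "OUTSIDE"): "IN-TO-OUT-POLICY"}
ORIGINAL = {"GigabitEthernet0/0": "INSIDE", "GigabitEthernet0/1": "OUTSIDE",
            "Virtual-Template2": "INSIDE"}            # zone membership as posted
FIXED = {**ORIGINAL, "Virtual-Template2": "OUTSIDE"}  # placement that resolved it

def acl_permits(name, src, dst):
    """First-match evaluation of a simplified extended ACL with implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in ACLS[name]:
        if src in ipaddress.ip_network(s_net) and dst in ipaddress.ip_network(d_net):
            return action == "permit"
    return False

def zbf_disposition(zones, src_if, dst_if, src, dst, proto):
    """Default ZBF handling: same zone passes unpoliced, no zone-pair drops,
    otherwise the first class of the pair's policy-map whose match-all holds."""
    src_zone, dst_zone = zones.get(src_if), zones.get(dst_if)
    if src_zone == dst_zone:
        return f"intra-zone ({src_zone}): passed, no policy applied"
    policy = ZONE_PAIRS.get((src_zone, dst_zone))
    if policy is None:
        return f"no zone-pair {src_zone}->{dst_zone}: dropped"
    for cls, acl, l4, action in POLICIES[policy]:
        if (acl is None or acl_permits(acl, src, dst)) and l4 in (None, proto):
            return f"{policy} class {cls}: {action}"

if __name__ == "__main__":
    VT, LAN = "Virtual-Template2", "GigabitEthernet0/0"
    for label, zones in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, "client->LAN         :", zbf_disposition(zones, VT, LAN, "10.0.0.5", "172.17.0.50", "tcp"))
        print(label, "client->192.168.1.10:", zbf_disposition(zones, VT, LAN, "10.0.0.5", "192.168.1.10", "tcp"))
        print(label, "LAN->client         :", zbf_disposition(zones, LAN, VT, "172.17.0.50", "10.0.0.5", "tcp"))
```

With the template in OUTSIDE, client-initiated sessions to 172.17.0.0/16 are inspected by VPN-ACCESS and their return traffic rides the inspect state, while a LAN host outside INTERNET-ACL-IT cannot initiate towards a client (class-default drop log). ACL 121 only covers 172.17.0.0/16, so client traffic to the 192.168.1.0/24 and 192.168.4.0/24 networks routed via the LAN still falls to class-default.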