Cisco Support Community
Community Member

Can't get VPN to work - firewall issue?

Hi, I'm trying to configure an 837k9 as a dial-in VPN device. The clients can connect successfully and ping devices on the LAN (192.168.1.x). However, they can't do anything else, such as browse shared files on the server and connect to network drives. Can anyone tell me where I'm going wrong? I also can't telnet to ports 25 or 110 on the server. The server is on

Any help is greatly appreciated. If you need more info please let me know. I have attached the config.


Community Member

Re: Can't get VPN to work - firewall issue?

Don't worry, I've solved this. I needed to exclude LAN-LAN traffic from NAT. Removing access lists 101 and 102 and adding the following fixed it:

access-list 101 permit ip

access-list 102 deny ip

access-list 102 permit ip any

Cisco Employee

Re: Can't get VPN to work - firewall issue?


The static NAT on IOS takes precedence over all other NAT statements unlike PIX.

So, in order to exempt the VPN traffic from static NAT, you have to use PBR (Policy Based Routing), as this is the only way to get this to work.

Follow these steps:

1: Create a loopback interface :

int loopback 1

ip address


2: Create an ACL to identify the tunnel traffic :

access-list 122 permit ip

3: Create a route map for policy routing:

route-map policy permit 10

match ip address 122

set interface loopback 1


4: Apply the route map to the LAN interface :

interface Ethernet0

ip policy route-map policy


That should do it!!

*You cannot do it with the "ip nat inside source list ..." command because static NAT takes precedence over this statement.

Let me know if you have some questions regarding this.
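Added example, not the original poster's attached config and not the Cisco Employee's own text: a complete IOS fragment that puts the two exemptions from this thread side by side. Technique 1 is the self-answer (a deny entry in the dynamic NAT ACL for LAN-to-VPN traffic); Technique 2 is the four-step loopback/route-map procedure above, which is needed for any host that also has a static NAT entry. Only 192.168.1.0/24 comes from the question; the VPN pool 192.168.2.0/24, the public address 203.0.113.10, the static-NAT host 192.168.1.10, the loopback address, and the names Dialer1, VPNPOOL, NONAT-VPN and VPNMAP are all assumptions made for the example.

```cisco
! Added example: complete NAT-exemption fragment for an IOS router
! terminating a dial-in IPsec VPN.  Addresses and names are assumed,
! except the LAN 192.168.1.0/24, which comes from the question.
!
! Address pool handed to dial-in VPN clients (pool name assumed).
ip local pool VPNPOOL 192.168.2.1 192.168.2.50
!
! --- Technique 1: exempt LAN -> VPN-pool traffic from DYNAMIC NAT ---
! The deny entry is evaluated first, so LAN-to-client traffic is never
! translated; everything else from the LAN is overloaded on the dialer.
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 102 interface Dialer1 overload
!
! --- Technique 2: exempt a STATIC-NAT host via policy routing ---
! Static NAT is consulted before the dynamic rule, so the deny above
! does not help 192.168.1.10 (server address and public address assumed).
ip nat inside source static 192.168.1.10 203.0.113.10
!
! Step 1: a loopback that is NOT marked "ip nat inside".
! The address is assumed and is used nowhere else.
interface Loopback1
 ip address 10.255.255.1 255.255.255.255
!
! Step 2: identify the tunnel traffic.  Scoped here to the static-NAT
! host; it could equally match the whole LAN to the pool.
access-list 122 permit ip host 192.168.1.10 192.168.2.0 0.0.0.255
!
! Step 3: route-map that sends matching packets via the loopback.
! On the second routing pass the ingress interface is the loopback,
! which is not a NAT inside interface, so the inside->outside static
! translation is skipped and the packet reaches the crypto map untouched.
route-map NONAT-VPN permit 10
 match ip address 122
 set interface Loopback1
!
! Step 4: apply the policy on the LAN interface.
interface Ethernet0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map NONAT-VPN
!
! Internet-facing interface (name assumed); IPsec/crypto map config
! for the dial-in clients is not shown.
interface Dialer1
 description Internet uplink
 ip nat outside
 crypto map VPNMAP
```

To confirm the exemption is doing its job, connect a VPN client and open a session to 192.168.1.10: "show ip nat translations" should show no entry for the 192.168.1.10 <-> 192.168.2.x pair, and "show route-map NONAT-VPN" should report a rising policy-match packet counter. If the counter stays at zero the policy is not being hit, which usually means ACL 122 does not match the client pool actually in use.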


