Using a Cisco 2811 router with 3 serial interfaces. I configured VPN on interface 0/2/0. The VPN pool is on subnet 172.16.5.0/24. All my servers are on 172.16.1.0/24. If I try to connect internally between the 2 subnets it works fine. However, when I try from a remote location using the Cisco VPN client, I am unable to get to anything after the VPN connection is established.
I see 2 things that must be changed in your config.
First, you are using a pool that falls within the LAN range: 172.16.5.0/25 (Fa0/0), being a class C /24 subnet, covers the pool range, and the router thinks it has that IP range directly connected via that interface. I would use a different range instead.
Second, you are missing the no-NAT statements that exempt the returning VPN traffic from being NATed.
Once you have defined a different range for the pool, go ahead and make the needed NAT changes, which should look like this:
ip access-list extended nonat
 remark LAN <-> VPN pool must not be translated
 remark (destination fields assumed; the ACEs as first posted had none)
 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
 deny ip 172.16.5.0 0.0.0.255 172.16.1.0 0.0.0.255
 remark everything else from the LAN subnets is translated as before
 permit ip 172.16.1.0 0.0.0.255 any
 permit ip 172.16.2.0 0.0.0.255 any
 permit ip 172.16.3.0 0.0.0.255 any
 permit ip 172.16.4.0 0.0.0.255 any
ip nat inside source list nonat pool capturet overload
You would need to figure out your NATs the way you need them; however, the NAT bypass is required for VPN traffic.
I configured the NAT pool range on 172.16.6.0/24 and created the access list as shown above.
However, after I connect the VPN, my IP config for the VPN client interface is:
What went wrong?
OK, thanks. You left these lines there:
ip nat inside source list 12 pool capturet overload
ip nat inside source list 13 pool capturevpn overload
These are overriding the NAT you defined after them.
I will remove these later on. What are the implications if I remove these lines? Do I have to reconfigure the way I do the NAT?
When using VPN, yes, you have to reconfigure the way you use NAT. As I explained earlier, VPN clients need to bypass NAT; with the standard setup you have, you will always NAT the reply coming back from the internal network, and this is not what you need, at least not for the VPN. As for implications, you will need to refresh your NAT tables (clear them) to be able to remove those lines, but since you have another NAT rule that covers the same set of networks/NAT rules, it should not cause any major downtime.
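To make the two points above concrete (the nonat access list from the first answer, and the older `list 12` / `list 13` statements overriding it), here is an added example that is not part of this thread and not Cisco code: a small Python model of first-match extended-ACL evaluation with Cisco wildcard masks, and of `ip nat inside source list` statements checked in configuration order. The assumption that an earlier matching NAT statement wins is taken from the answer above, not from IOS documentation; `OLD_LIST12` is a hypothetical reconstruction of the original standard ACL (LAN source, any destination), and the VPN pool is the 172.16.6.0/24 range the poster moved to.

```python
"""Model of IOS-style ACL matching for 'ip nat inside source list'.

Added illustration, not code from the thread. Addresses are the subnets
discussed in the thread; the NAT ordering rule is the one the answer
asserts (first configured statement that permits the packet wins).
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Entry:
    action: str  # "permit" or "deny"
    src: str     # "<address> <wildcard>" or "any"
    dst: str     # "<address> <wildcard>" or "any"


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard mask: a 1 bit in the mask means 'ignore this bit'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_action(acl: list[Entry], src: str, dst: str) -> str:
    """First matching entry decides; implicit deny at the end, as on IOS."""
    for entry in acl:
        if wildcard_match(src, entry.src) and wildcard_match(dst, entry.dst):
            return entry.action
    return "deny"


def nat_applies(rules: list[tuple[str, list[Entry]]], src: str, dst: str) -> Optional[str]:
    """rules = [(pool_name, acl), ...] in configuration order.

    Returns the pool of the first statement whose ACL permits the packet,
    or None when no statement matches (packet leaves untranslated).
    Assumption from the answer above: an earlier matching statement wins.
    """
    for pool, acl in rules:
        if acl_action(acl, src, dst) == "permit":
            return pool
    return None


LAN = "172.16.1.0 0.0.0.255"
VPN_POOL = "172.16.6.0 0.0.0.255"   # the new pool range from the thread

# Hypothetical reconstruction of the original standard ACL 12: source only.
OLD_LIST12 = [Entry("permit", LAN, "any")]

# The nonat access list from the first answer, with the new pool range.
NONAT = [
    Entry("deny", LAN, VPN_POOL),
    Entry("deny", VPN_POOL, LAN),
    Entry("permit", LAN, "any"),
    Entry("permit", "172.16.2.0 0.0.0.255", "any"),
    Entry("permit", "172.16.3.0 0.0.0.255", "any"),
    Entry("permit", "172.16.4.0 0.0.0.255", "any"),
]

# Constructed sample packets: a server replying to a VPN client, and the
# same server talking to the Internet.
SERVER, VPN_CLIENT, INTERNET = "172.16.1.10", "172.16.6.5", "198.51.100.7"


def scenarios() -> dict[str, Optional[str]]:
    """Which pool (if any) translates the server's reply to the VPN client."""
    return {
        "original list 12 only": nat_applies([("capturet", OLD_LIST12)], SERVER, VPN_CLIENT),
        "nonat only": nat_applies([("capturet", NONAT)], SERVER, VPN_CLIENT),
        "list 12 left before nonat": nat_applies(
            [("capturet", OLD_LIST12), ("capturet", NONAT)], SERVER, VPN_CLIENT),
        "nonat, Internet-bound": nat_applies([("capturet", NONAT)], SERVER, INTERNET),
    }


if __name__ == "__main__":
    for name, pool in scenarios().items():
        print(f"{name:28s} -> {'translated via ' + pool if pool else 'bypasses NAT'}")
```

The third scenario is the one the second answer describes: as long as the old `ip nat inside source list 12 ...` statement precedes the nonat one, the server's reply to the VPN client is still translated, so the deny entries in `nonat` never get a chance to exempt it. Removing the stale statements (and clearing the translation table so existing entries do not linger) is what makes the bypass take effect.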
I tried it with the same results. I can connect the VPN; after I connect I get the following configuration from ipconfig /all:
I attached the new configuration.