Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Can't Access LAN - VPN 880 Router

When VPN established I can Ping the Router but no other device on the network.  From the Router I can ping all devices including my laptop that is connected. 

Here is the config......What am I missing?  This is probably about the 100th one I have setup and no issues before and I have gone as far as using CCP to configure it and still no LAN access.  I have gone line by line of other backup configs that I have for other same setups.

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authentication login ciscocp_vpn_xauth_ml_2 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

aaa authorization network ciscocp_vpn_group_ml_2 local

!

aaa session-id common

!

resource policy

!

ip subnet-zero

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.0.1 192.168.0.2

ip dhcp excluded-address 192.168.0.190 192.168.0.200

!

ip dhcp pool sdm-pool1

   import all

   network 192.168.0.0 255.255.255.0

   dns-server 216.x.x.x 216.x.x.x

   default-router 192.168.0.1

ip tcp synwait-time 10

no ip bootp server

ip domain name xxxx.com

ip name-server 216.x.x.x

ip name-server 216.x.x.x

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

crypto pki trustpoint TP-self-signed-2756617961

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2756617961

revocation-check none

rsakeypair TP-self-signed-2756617961

!

!

crypto pki certificate chain TP-self-signed-2756617961

certificate self-signed 01

  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 32373536 36313739 3631301E 1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx

username xxxxx privilege 15 secret 5 xxxxxx

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 2

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp client configuration group xxxxx

key xxxxx

dns 216.x.x.x 216.x.x.x

pool SDM_POOL_2

netmask 255.255.255.0

crypto isakmp profile ciscocp-ike-profile-1

   match identity group xxxxx

   client authentication list ciscocp_vpn_xauth_ml_2

   isakmp authorization list ciscocp_vpn_group_ml_2

   client configuration address respond

   virtual-template 4

!

!

crypto ipsec transform-set xxxxx esp-3des esp-md5-hmac

!

crypto ipsec profile CiscoCP_Profile1

set transform-set xxxxx

set isakmp-profile ciscocp-ike-profile-1

!

!

!

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description $ES_WAN$$FW_OUTSIDE$

ip address 216.x.x.x. secondary

ip address 216.x.x.x 255.255.255.128

no ip proxy-arp

ip nat outside

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

!

interface Virtual-Template4 type tunnel

ip unnumbered FastEthernet4

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 192.168.0.1 255.255.255.0

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip route-cache flow

ip tcp adjust-mss 1100

!

ip local pool SDM_POOL_2 192.168.0.190 192.168.0.200

ip classless

ip route 0.0.0.0 0.0.0.0 216.x.x.x

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload

!

logging trap debugging

access-list 100 deny   ip any host 192.168.0.190

access-list 100 deny   ip any host 192.168.0.191

access-list 100 deny   ip any host 192.168.0.192

access-list 100 deny   ip any host 192.168.0.193

access-list 100 deny   ip any host 192.168.0.194

access-list 100 deny   ip any host 192.168.0.195

access-list 100 deny   ip any host 192.168.0.196

access-list 100 deny   ip any host 192.168.0.197

access-list 100 deny   ip any host 192.168.0.198

access-list 100 deny   ip any host 192.168.0.199

access-list 100 permit ip 192.168.0.0 0.0.0.255 any

route-map SDM_RMAP_1 permit 1

match ip address 100

Thank you

Gabrielle

8 REPLIES
Silver

Re: Can't Access LAN - VPN 880 Router

Should ACL 100 entries be flipped around?  You have ip any host 192.168.0.19x, which are the devices you don't want to NAT.  But they are listed as destinations, not sources.  So all 192.168.0.0/24 is NAT'd.

access-list 100 deny   ip any host 192.168.0.190

access-list 100 deny   ip any host 192.168.0.191

access-list 100 deny   ip any host 192.168.0.192

access-list 100 deny   ip any host 192.168.0.193

access-list 100 deny   ip any host 192.168.0.194

access-list 100 deny   ip any host 192.168.0.195

access-list 100 deny   ip any host 192.168.0.196

access-list 100 deny   ip any host 192.168.0.197

access-list 100 deny   ip any host 192.168.0.198

access-list 100 deny   ip any host 192.168.0.199

access-list 100 permit ip 192.168.0.0 0.0.0.255 any

Community Member

Re: Can't Access LAN - VPN 880 Router

So you are saying

access-list 100 permit ip 192.168.0.0 0.0.0.255 any

access-list 100 deny   ip any host 192.168.0.190

access-list 100 deny   ip any host 192.168.0.191

access-list 100 deny   ip any host 192.168.0.192

access-list 100 deny   ip any host 192.168.0.193

access-list 100 deny   ip any host 192.168.0.194

access-list 100 deny   ip any host 192.168.0.195

access-list 100 deny   ip any host 192.168.0.196

access-list 100 deny   ip any host 192.168.0.197

access-list 100 deny   ip any host 192.168.0.198

access-list 100 deny   ip any host 192.168.0.199

access-list 100 deny   ip any host 192.168.0.200

No that doesn't work. 

Silver

Re: Can't Access LAN - VPN 880 Router

Sorry for not being clear enough.  It looks like you were trying to exclude the hosts 192.168.0.190 thru 192.168.0.199 from NAT.  I have changed the ACEs to reflect this option.  Otherwise all of 192.168.0.0/24 will be NAT'd.  HTH

access-list 100 deny   ip host 192.168.0.190 any

access-list 100 deny   ip host 192.168.0.191 any

access-list 100 deny   ip host 192.168.0.192 any

access-list 100 deny   ip host 192.168.0.193 any

access-list 100 deny   ip host 192.168.0.194 any

access-list 100 deny   ip host 192.168.0.195 any

access-list 100 deny   ip host 192.168.0.196 any

access-list 100 deny   ip host 192.168.0.197 any

access-list 100 deny   ip host 192.168.0.198 any

access-list 100 deny   ip host 192.168.0.199 any

access-list 100 permit ip 192.168.0.0 0.0.0.255 any

Community Member

Re: Can't Access LAN - VPN 880 Router

Thank you but that didn't work either.

All of the other routers I have configured work just fine with the access-list like I have.  I did give it a go but got the same results as before.

Silver

Re: Can't Access LAN - VPN 880 Router

I notice that you are using the same address space for your VPN clients as for your inside network.  Are you doing the same at the other 100 sites? 

Community Member

Re: Can't Access LAN - VPN 880 Router

Yes I am using the same network space on all the others. 

Silver

Re: Can't Access LAN - VPN 880 Router

Could you provide a sanitized listing of your central site VPN device as well as another (working) site's configuration?

Community Member

Re: Can't Access LAN - VPN 880 Router

Sorry I wanted to post my conclusion for this to help others.  I ended up going on site and changing the the NAT information.  I didn't want to do this remotely.  Once I took out the other statements and added the below I was able to access all of the internal servers. 

ip nat inside source list 1 interface FastEthernet4 overload

ip nat inside source route-map nonat interface FastEthernet4 overload

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 permit 192.168.0.0 0.0.0.255

access-list 101 deny   ip any host 192.168.0.80

access-list 101 deny   ip any host 192.168.0.81

access-list 101 deny   ip any host 192.168.0.82

access-list 101 deny   ip any host 192.168.0.83

access-list 101 deny   ip any host 192.168.0.84

access-list 101 deny   ip any host 192.168.0.85

no cdp run

route-map nonat permit 10

match ip address 101

315
Views
0
Helpful
8
Replies
CreatePlease to create content