Cisco Support Community
New Member

Cisco 877 VPN access to devices behind the router

Dear Experts,

I have a Cisco 877-SEC-K9 router and I have set up VPN access on this device. I am able to connect to the VPN, but I can't ping any of the devices behind the 877 router. The only thing I can ping is the gateway. However, the reply source that I get is the outside IP address of the device. What should I be looking at to help isolate the cause? I also can't access the internet through the 877 router after I have connected to the VPN.

Thanks in advance.

This is the VPN configuration that I have on my device:

aaa new-model
!
!--- "local" (not "group local") selects the local user database for XAUTH.
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNREMOTE
 key xxxxx
 dns 10.10.10.1
 wins 10.10.10.1
 domain sbp.local
 pool ippool
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
ip local pool ippool 10.10.10.100 10.10.10.120
!
!--- Apply the crypto map on the outside interface.
interface Dialer0
 crypto map clientmap

5 REPLIES
Cisco Employee

Re: Cisco 877 VPN access to devices behind the router

The IP pool subnet needs to be in a different subnet than the LAN/internal subnet if you currently have it configured in the same subnet (10.10.10.0/24).

And secondly, you would need to configure NAT exemption for that VPN traffic.

Hope that helps.

New Member

Re: Cisco 877 VPN access to devices behind the router

Hi Jennifer,

Thanks for the reply. So does that mean I need to create a loopback interface to act as the gateway?

So for example, my current internal LAN IP address is the 10.10.10.0/24 network and I create a separate network 10.20.20.0/24.

And also, for the NAT exemption, would it be a matter of creating an access list like the following and setting nat 0?

access-list remotevpn permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0

and then

nat 0 access-list remotevpn?

Thanks so much in advance.

Wilbur

Cisco Employee

Re: Cisco 877 VPN access to devices behind the router

No, you don't have to create a loopback interface. Just create a new IP pool in a different subnet than your internal network.

So from your example, if your internal network is 10.10.10.0/24, then an IP pool of 10.20.20.0/24 is fine.

You would already have an "ip nat inside source" statement, and that statement would have either a route-map or an access-list assigned to it, right?

On that access-list (it needs to be an extended ACL if you have a standard ACL), there needs to be a deny statement on top of the permit statement:

access-list deny ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255

access-list permit ip 10.10.10.0 0.0.0.255 any

New Member

Re: Cisco 877 VPN access to devices behind the router

So this is what I have in my router, but still no luck pinging from the remote client with IP address 10.20.20.3 to a device behind the 877 on 10.10.10.2.

I can ping both 10.20.20.3 and 10.10.10.2 from the router.

ip local pool ippool 10.20.20.2 10.20.20.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 2

ip nat inside source list 1 pool overload overload
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload

access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.88.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 deny   any
access-list 102 remark Controlled Access (if VPN in place)
access-list 102 permit ip 192.168.88.0 0.0.0.255 any
access-list 102 deny   ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any

route-map SDM_RMAP_1 permit 1
 match ip address 102

New Member

Re: Cisco 877 VPN access to devices behind the router

Hi all,

I have seen a couple of posts similar to mine all over the net and some in the forums, and this is what I did to get VPN communication to the devices behind the router.

On the outside interface, add:

no ip proxy-arp

Add:

interface Virtual-Template1 type tunnel
 description VPN
 ip unnumbered
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1

I already had this:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

Added this:

crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1

Make sure you have all of this:

crypto isakmp client configuration group
 key [XXXXXXX]
 pool SDM_POOL_1
!
crypto isakmp profile sdm-ike-profile-1
 match identity group 
 client authentication list sdm_vpn_xauth_ml_1
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
 virtual-template 1

The client authentication and isakmp authorization lists need to map to:

aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local

Then that should be it.
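Editor's added example (not posted by anyone in this thread): the pieces quoted above assembled into one complete Easy VPN server configuration for an 877 using a dynamic virtual-template, together with the two fixes from the earlier reply (client pool in a different subnet than the LAN, and a NAT exemption deny ahead of the permit). Names such as VPNREMOTE, SDM_POOL_1, SDM_Profile1, sdm-ike-profile-1, ESP-3DES-SHA and the 10.10.10.0/24 LAN / 10.20.20.0/24 pool addressing are taken from the thread. Everything not quoted in the thread is an assumption for this example: Vlan1 as the 877's LAN interface at 10.10.10.1, the username and placeholder secrets, and the choice of ACL number 102.

```cisco
! Added example, assembled from the thread; Vlan1, the username and the
! placeholder secrets are assumptions, not taken from the original posts.
aaa new-model
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
username vpnuser secret <user-password>
!
! Phase 1: same parameters as the original post (see the note below).
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
! Group policy pushed to the client. The pool it names must not overlap
! the LAN subnet (10.10.10.0/24), which was the first problem in the thread.
crypto isakmp client configuration group VPNREMOTE
 key <group-preshared-key>
 dns 10.10.10.1
 wins 10.10.10.1
 domain sbp.local
 pool SDM_POOL_1
!
! The ISAKMP profile ties the group, XAUTH/authorization lists and the
! virtual-template together.
crypto isakmp profile sdm-ike-profile-1
 match identity group VPNREMOTE
 client authentication list sdm_vpn_xauth_ml_1
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
! One Virtual-Access interface is cloned from this template per client.
! "ip unnumbered Vlan1" borrows the LAN address (Vlan1 is an assumption).
interface Virtual-Template1 type tunnel
 description VPN
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! Outside interface: NAT outside and no proxy-ARP, as in the last post.
! No "crypto map" here; the virtual-template replaces it.
interface Dialer0
 ip nat outside
 no ip proxy-arp
!
! Client pool in its own subnet, separate from the LAN.
ip local pool SDM_POOL_1 10.20.20.2 10.20.20.20
!
! NAT exemption: LAN-to-pool traffic is denied (not translated) BEFORE the
! permit that sends everything else out to the internet, as the reply asked.
access-list 102 remark Controlled Access (if VPN in place)
access-list 102 deny   ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
```

After a client connects, `show crypto session` should list the peer with an active IPsec flow, `show ip interface brief` should show a Virtual-Access interface cloned from Virtual-Template1, and `show ip nat translations | include 10.20.20` should stay empty while a LAN host talks to the client; a translation appearing there means the deny line in ACL 102 is missing or below the permit. The deny is required whenever the crypto-map-on-Dialer0 design from the first post is used and is harmless with the virtual-template, so it is kept in both cases. Note that 3DES, SHA-1 and DH group 2 are the thread's own values and are legacy today; where the client supports it, prefer `encr aes 256` with `group 14` in the ISAKMP policy and `esp-aes 256 esp-sha256-hmac` in the transform set.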
