
cisco vpn client to cisco router 880 - Private ip not responding only public ip

Ranbeckycr_2

Experts,


I have an interesting issue: I am able to authenticate and connect my Cisco VPN client to my Cisco880K9 router.


My internal network is: 10.10.1.0

My VPN IP Pool is: 10.10.2.2-10.10.2.250

My external public IP address is: 192.198.46.14


When I connect with my VPN client I get my VPN pool address 10.10.2.2.

If I ping my server 10.10.1.2, I get a response from my public IP address.


Example:

Pinging 10.10.1.2 with 32 bytes of data:

Reply from 192.198.46.14: bytes=32 time=45ms TTL=127

Reply from 192.198.46.14: bytes=32 time=50ms TTL=127

Reply from 192.198.46.14: bytes=32 time=42ms TTL=127

Reply from 192.198.46.14: bytes=32 time=45ms TTL=127


I am attaching my configuration file. It is pretty much a copy from the following link:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

Thanks for the help


Jennifer Halim
Cisco Employee

Please kindly configure NAT exemption as follows:

access-list 120 deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255

access-list 120 permit ip 10.10.1.0 0.0.0.255 any

ip nat inside source list 120 interface FastEthernet4 overload

no ip nat inside source list 1 interface FastEthernet4 overload

Then clear the translation: clear ip nat trans *

Jennifer, thank you very much for the tip, I will schedule the downtime and try this configuration.

Jennifer,

Thanks for your help, I can now ping the private IP address with the ACL that you have provided.

My only problem at this moment is that I cannot remote desktop to the server. Any ideas?

Remote desktop does work if I do it from the local lan.

The reason why you can't remote desktop is because you have configured the following static PAT statement that unfortunately takes precedence over your NAT exemption:

ip nat inside source static tcp 10.10.1.2 3389 192.198.46.14 3389 extendable

Do you require RDP with the public IP? If you don't and only require RDP via VPN, then please take the static PAT statement out, and RDP via VPN will work.

Jennifer, I have to say that you know what you are talking about!  Thanks a bunch!
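An added example, not part of the original thread and not Cisco code: a small Python model of the NAT behaviour the two answers describe, which can be used to check a configuration for static PAT entries that bypass a VPN NAT exemption. It is a simplified model that follows the thread's explanation (static PAT is matched before the exemption ACL); the names `CONFIG`, `nat_decision` and `acl_permits` are hypothetical, and only the extended-ACL form quoted in the thread is parsed.

```python
import ipaddress
import re

# Constructed input: the NAT lines quoted in the thread, after the first fix.
CONFIG = """\
access-list 120 deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 120 permit ip 10.10.1.0 0.0.0.255 any
ip nat inside source list 120 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.1.2 3389 192.198.46.14 3389 extendable
"""

ACL = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+) (\S+) (any|\S+ \S+)$", re.M)
DYN = re.compile(r"^ip nat inside source list (\d+) interface \S+ overload$", re.M)
STATIC = re.compile(r"^ip nat inside source static (?:tcp|udp) (\S+) (\d+) \S+ \d+", re.M)


def net(addr, wildcard):
    """IOS address + wildcard mask -> ip_network (contiguous masks only)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def acl_permits(config, number, src, dst):
    """First-match evaluation of an extended ACL; implicit deny at the end."""
    for num, action, s_addr, s_wc, d in ACL.findall(config):
        if num != number:
            continue
        dst_net = ipaddress.ip_network("0.0.0.0/0") if d == "any" else net(*d.split())
        if src in net(s_addr, s_wc) and dst in dst_net:
            return action == "permit"
    return False


def nat_decision(config, src, dst, sport=None):
    """Which rule translates an inside packet: 'static', 'dynamic' or None (exempt)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for host, port in STATIC.findall(config):
        if src == ipaddress.ip_address(host) and sport == int(port):
            return "static"  # static PAT is matched before the exemption ACL
    for number in DYN.findall(config):
        if acl_permits(config, number, src, dst):
            return "dynamic"
    return None
```

With the thread's configuration, a ping reply from 10.10.1.2 to the VPN pool is exempt (`None`), while an RDP reply from port 3389 still returns `'static'` until the static PAT line is removed.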
