Cisco Support Community
Community Member

Internal Network Access Problem

Hi,

I have just set up a remote access IPsec VPN server on my Cisco 887 and am experiencing an issue, and was wondering if anyone would be able to help.

I can get connected to the VPN OK through the Cisco VPN client, but I am unable to access the internal network. I get an IP address from the VPN pool in the 192.168.10.0 range. I am unable to ping or access the router or any other devices on the 192.168.1.0 network.

I'm sure I have just made a simple mistake as this is the first VPN I have set up. Any help would be greatly appreciated.

I have attached my config to this post.

Thanks

Chris

6 REPLIES

Internal Network Access Problem

Hi there,

Please remove the ACL highlighted below.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload


Now create a new ACL.

ip access-list extended PAT_ACL
deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any


ip nat inside source list PAT_ACL interface Dialer0 overload

Let me know if this helps.

thanks

Rizwan Rafeek
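
Added example (not part of the original replies and not Cisco's code): a small Python first-match evaluator for the two NAT ACLs quoted in the reply above, showing that LAN replies to the 192.168.10.0/24 VPN pool are translated under access-list 1 and exempt under PAT_ACL. The host addresses are constructed, and the parser handles only the entry forms that appear in this thread.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

# ACL entries copied from the reply above.
OLD_ACL = ["access-list 1 permit 192.168.1.0 0.0.0.255"]
PAT_ACL = ["deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255",
           "permit ip 192.168.1.0 0.0.0.255 any"]

def _match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are ignored."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    return (a & care) == (b & care)

def _take_spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    if tokens[0] == "any":
        del tokens[0]
        return ANY
    if tokens[0] == "host":
        base = tokens[1]
        del tokens[:2]
        return (base, "0.0.0.0")
    base, wildcard = tokens[0], tokens[1]
    del tokens[:2]
    return (base, wildcard)

def parse_entry(line):
    """Parse one ACL entry into (action, src_spec, dst_spec)."""
    tokens = line.split()
    if tokens[0] == "access-list":   # numbered standard ACL: source only
        tokens = tokens[2:]
        action = tokens.pop(0)
        return (action, _take_spec(tokens), ANY)
    action = tokens.pop(0)           # extended entry: action, protocol, src, dst
    tokens.pop(0)                    # protocol keyword ('ip' in this thread)
    src = _take_spec(tokens)
    return (action, src, _take_spec(tokens))

def is_translated(acl_lines, src, dst):
    """True if 'ip nat inside source list <acl>' would translate this flow."""
    for action, s, d in map(parse_entry, acl_lines):
        if _match(src, *s) and _match(dst, *d):
            return action == "permit"   # first matching entry decides
    return False                        # implicit deny at the end of every ACL
```
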

Internal Network Access Problem

FYI...

Last note: please be sure to do this from inside the network, or SSH/telnet to the public address, because when you remove both highlighted lines above, you will be disconnected from all xlates.

Thanks

Rizwan Rafeek

Community Member

Internal Network Access Problem

Hi Rizwan,

Thanks for the reply. I applied your suggested fix but no joy. Thanks for the warning about kicking myself out; I read through the commands and thought that might happen.

Could it be due to my current local network being 192.168.1.0/24 the same as the remote network?

Thanks
Chris

Re: Internal Network Access Problem

"Could it be due to my current local network being 192.168.1.0/24 the same as the remote network?"

Answer is no.

Try to apply the solution I suggested by temporarily removing the Zone-Based Firewall, and it should work. When it is working, you know for sure that your ZBF is causing the problem, so then try to customize the ZBF as per your needs.

Hope that helps.

Thanks

Rizwan Rafeek

Community Member

Re: Internal Network Access Problem

Do you know if there is an easy way to disable the firewall without removing all my firewall config?

Re: Internal Network Access Problem

Please remove three highlighted lines from three of your interfaces on the router.

interface Dialer0
  zone-member security out-zone

interface Vlan2
  zone-member security in-zone

interface Virtual-Template2 type tunnel
  zone-member security vpn-zone

Lastly, if you have a layer 3 switch, please make sure you have a static route in place on the inside switch, as shown below.

ip route 192.168.10.0 255.255.255.0 192.168.1.1

If you do not have a layer3 switch inside your network, then do not worry about the static route.

thanks

Please rate helpful posts.

thanks

Rizwan Rafeek
