Unable to ping hosts via VPN client when static NAT translations are used
Greetings, I have a 3825 ISR configured for Cisco VPN client access.
There are also several hosts on the internal network that have one-to-one static NAT translations for externally facing services.
Everything is working as expected, with the exception that I cannot ping hosts on the internal network whose internal IP addresses have static NAT translations to outside public addresses once connected via the VPN client; I can ping any host that doesn't have a static NAT translation.
For example, in the configuration below I can't ping 192.168.1.1 or 192.168.1.2, but I can ping the internal interface of the router and any other active host on the LAN; I can ping all hosts from the router itself.
Any help would be appreciated.
crypto logging session
crypto isakmp policy 10
crypto isakmp client configuration group vpnclient
Re: Unable to ping hosts via VPN client when static NAT translations are used
First of all, I would suggest that you not parse your VPN key on a public forum (you can edit your post).
Secondly, you made a mistake in your route-map/NAT configuration. Here, you will only NAT traffic for the 192.168.1.0 network.
Your config should look like this:
access-list 199 remark *** NAT DENY ACL ***
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
access-list 200 remark *** NAT PERMIT ACL ***
access-list 200 permit ip 192.168.0.0 0.0.255.255 any
route-map noNat deny 10
 match ip address 199
route-map noNat permit 20
 match ip address 200
Note that the permit statement in the ACL is used only to "match" the traffic; it is then denied by the route-map. If you deny in the route-map traffic that is already denied in the ACL, it's like denying unmatched traffic, which will basically allow it.
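The reply's point about "deny in the route-map" versus "deny in the ACL" is easy to get backwards, so here is an added worked model of the evaluation order (this is not code from the thread or from Cisco; it is a small Python simulation that assumes the IOS semantics the reply describes: a route-map `match ip address <acl>` clause is true only when the ACL *permits* the packet, the first route-map sequence with a true match decides, and a packet matching no sequence is not translated). The ACL and route-map tables are constructed from the reply's suggested configuration; `ACLS_WRONG` is a constructed variant with the deny moved into the ACL, to show why that version ends up NATing the 192.168.1.0/24 hosts.

```python
"""Simulate IOS ACL + route-map NAT selection (constructed model, not IOS code)."""
import ipaddress


def _matches_wildcard(ip: str, network: str, wildcard: str) -> bool:
    """IOS wildcard match: bits set in the wildcard are 'don't care' bits."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    wc_i = int(ipaddress.IPv4Address(wildcard))
    return (ip_i & ~wc_i) == (net_i & ~wc_i)


def acl_result(acl, src_ip: str) -> str:
    """Walk ACL entries in order; first match wins; implicit deny at the end."""
    for action, network, wildcard in acl:
        if _matches_wildcard(src_ip, network, wildcard):
            return action
    return "deny"


def route_map_result(route_map, acls, src_ip: str) -> str:
    """Walk route-map sequences in order.

    'match ip address <acl>' is true only when the ACL permits the packet.
    The first sequence whose match is true decides: 'permit' -> translate,
    'deny' -> do not translate. If no sequence matches, nothing is translated.
    """
    for _seq, action, acl_name in route_map:
        if acl_result(acls[acl_name], src_ip) == "permit":
            return action
    return "no-match"


def will_nat(route_map, acls, src_ip: str) -> bool:
    """True when the route-map selects the packet for translation."""
    return route_map_result(route_map, acls, src_ip) == "permit"


# Constructed from the reply's suggested configuration.
ACLS_OK = {
    199: [("permit", "192.168.1.0", "0.0.0.255")],   # NAT DENY ACL
    200: [("permit", "192.168.0.0", "0.0.255.255")],  # NAT PERMIT ACL
}

# Constructed mistaken variant: the deny placed inside the ACL instead.
ACLS_WRONG = {
    199: [("deny", "192.168.1.0", "0.0.0.255")],
    200: [("permit", "192.168.0.0", "0.0.255.255")],
}

# route-map noNat deny 10 (match 199) / route-map noNat permit 20 (match 200)
ROUTE_MAP = [(10, "deny", 199), (20, "permit", 200)]


def evaluate(acls, sources):
    """Return {source_ip: translated?} for a list of constructed source addresses."""
    return {ip: will_nat(ROUTE_MAP, acls, ip) for ip in sources}


if __name__ == "__main__":
    samples = ["192.168.1.1", "192.168.7.9", "10.1.1.1"]
    print("correct config :", evaluate(ACLS_OK, samples))
    print("deny-in-ACL    :", evaluate(ACLS_WRONG, samples))
```

With the reply's configuration, 192.168.1.1 is permitted by ACL 199, so sequence 10 matches and denies translation; 192.168.7.9 falls through to sequence 20 and is translated; 10.1.1.1 matches nothing and is left alone. In the variant where ACL 199 *denies* 192.168.1.0/24, sequence 10 never matches, the packet falls through to sequence 20, and the host you meant to exempt gets translated after all.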