Cisco Support Community
New Member

Why I can not ping the internal network?

I have configured a remote-access VPN. I can log in with my username and password, but I cannot ping any computer on the internal network. Please help me... the configuration of the router is:

sh run.

aaa new-model
aaa authentication login VPN local
aaa authorization network VPN local
username vpnuser password 0 vpnpass
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group HOME
 key 123456!
 dns 10.10.10.2
 pool VPN-D
 include-local-lan
!
crypto ipsec transform-set TEST esp-des esp-md5-hmac
!
crypto dynamic-map VPNS 1
 set transform-set TEST
 reverse-route
!
crypto map VPNSS client authentication list VPN
crypto map VPNSS isakmp authorization list VPN
crypto map VPNSS client configuration address respond
crypto map VPNSS 1 ipsec-isakmp dynamic VPNS
!
interface FastEthernet0/0
 description ==> Link to ISP <==
 ip address dhcp
 ip nat outside
 crypto map VPNSS
!
interface FastEthernet0/1
 description ==> Red Lan <==
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip local pool VPN-D 192.168.20.1 192.168.20.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255

Accepted Solutions
Cisco Employee

Re: Why I can not ping the internal network?

Hi,

I assume you are retrieving an IP address from the pool and the route is available in the routing table of the router. In this case you need to tell the router not to NAT the traffic destined for the VPN client:

ip nat inside source route-map nonat interface FastEthernet0/0 overload

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.31
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 101
!

The following link contains many examples: http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

HTH

Laurent.
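An added example, not part of the original thread: a small Python model of IOS ACL wildcard matching, used to compare which LAN-to-VPN-pool packets the original NAT rule (access-list 1) and the suggested one (access-list 101) would translate. The host 192.168.1.10, the destination 203.0.113.9 and all function names are constructed for illustration.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are 'don't care' bits."""
    w = _ip(wildcard)
    return (_ip(addr) | w) == (_ip(base) | w)

def acl_permits(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")

# access-list 1 permit 192.168.1.0 0.0.0.255 (standard ACL: matches source only)
ACL_1 = [("permit", "192.168.1.0", "0.0.0.255", *ANY)]

# access-list 101 from the accepted solution
ACL_101 = [
    ("deny", "192.168.1.0", "0.0.0.255", "192.168.20.0", "0.0.0.31"),
    ("permit", "192.168.1.0", "0.0.0.255", *ANY),
]

def natted_pool_addresses(acl, lan_host, first, last):
    """VPN pool addresses for which traffic from lan_host would still be NATed."""
    pool = (str(ipaddress.IPv4Address(i)) for i in range(_ip(first), _ip(last) + 1))
    return [dst for dst in pool if acl_permits(acl, lan_host, dst)]

if __name__ == "__main__":
    host = "192.168.1.10"  # constructed LAN host
    for name, acl in (("access-list 1", ACL_1), ("access-list 101", ACL_101)):
        bad = natted_pool_addresses(acl, host, "192.168.20.1", "192.168.20.20")
        print(f"{name}: {len(bad)} of 20 pool addresses get NATed replies")
        # 203.0.113.9 is a constructed Internet destination
        print(f"  Internet traffic NATed: {acl_permits(acl, host, '203.0.113.9')}")
```

The wildcard 0.0.0.31 exempts 192.168.20.0 through 192.168.20.31, which is a superset of the VPN-D pool (192.168.20.1 to 192.168.20.20).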

New Member

Re: Why I can not ping the internal network?

Thank you for your help!! The VPN works fine!!
