Why I can not ping the internal network?

Kevin Morales
Level 1

I have configured a VPN remote access. I can log into my username and password, but I cannot ping any computer on the internal network. Please help me... The configuration of the router is:

sh run.

aaa new-model
aaa authentication login VPN local
aaa authorization network VPN local
username vpnuser password 0 vpnpass
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group HOME
 key 123456!
 dns 10.10.10.2
 pool VPN-D
 include-local-lan
!
crypto ipsec transform-set TEST esp-des esp-md5-hmac
!
crypto dynamic-map VPNS 1
 set transform-set TEST
 reverse-route
!
crypto map VPNSS client authentication list VPN
crypto map VPNSS isakmp authorization list VPN
crypto map VPNSS client configuration address respond
crypto map VPNSS 1 ipsec-isakmp dynamic VPNS
!
interface FastEthernet0/0
 description ==> Link to ISP <==
 ip address dhcp
 ip nat outside
 crypto map VPNSS
!
interface FastEthernet0/1
 description ==> Red Lan <==
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip local pool VPN-D 192.168.20.1 192.168.20.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255

1 Accepted Solution


Laurent Aubert
Cisco Employee

Hi,

I assume you are retrieving an IP address from the pool and the route is available in the routing table of the router. In this case you need to tell the router not to NAT the traffic destined to the VPN client:

ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.31
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 101
!

The following link contains many examples: http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

HTH

Laurent.
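
An added example (not part of the original posts): a simplified Python model of how the two NAT rules on this page classify traffic, comparing access-list 1 from the question with access-list 101 behind route-map nonat from the answer. The function names and the sample flows are constructed for illustration; only the ACL entries come from the page.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# NAT rule from the question: standard ACL 1 matches on source only.
ACL_1 = [("permit", "192.168.1.0", "0.0.0.255", None, None)]

# ACL 101 from the accepted answer, referenced by route-map nonat.
ACL_101 = [
    ("deny",   "192.168.1.0", "0.0.0.255", "192.168.20.0", "0.0.0.31"),
    ("permit", "192.168.1.0", "0.0.0.255", None, None),  # destination "any"
]

def is_translated(acl, src, dst):
    """First matching entry wins; no match is an implicit deny (no NAT)."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if not wildcard_match(src, s_base, s_wc):
            continue
        if d_base is None or wildcard_match(dst, d_base, d_wc):
            return action == "permit"
    return False

# Constructed sample flows: (description, source, destination).
FLOWS = [
    ("LAN host replying to first VPN pool address", "192.168.1.10", "192.168.20.1"),
    ("LAN host replying to last VPN pool address", "192.168.1.10", "192.168.20.20"),
    ("LAN host to an Internet address", "192.168.1.10", "203.0.113.5"),
]

if __name__ == "__main__":
    for desc, src, dst in FLOWS:
        print(f"{desc}: {src} -> {dst}  "
              f"list 1 NAT={is_translated(ACL_1, src, dst)}  "
              f"route-map nonat NAT={is_translated(ACL_101, src, dst)}")
```

The wildcard 0.0.0.31 exempts 192.168.20.0 through 192.168.20.31, which covers the whole VPN-D pool (192.168.20.1 to 192.168.20.20); if the pool is later extended past .31, the deny entry has to be widened with it.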

Thank you for your help!! The VPN works fine!!
