12-09-2009 02:17 PM
I have configured VPN remote access. I can log in with my username and password, but I cannot ping any computer on the internal network. Please help me... The configuration of the router is:
sh run
aaa new-model
aaa authentication login VPN local
aaa authorization network VPN local
username vpnuser password 0 vpnpass
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group HOME
key 123456!
dns 10.10.10.2
pool VPN-D
include-local-lan
!
crypto ipsec transform-set TEST esp-des esp-md5-hmac
!
crypto dynamic-map VPNS 1
set transform-set TEST
reverse-route
!
crypto map VPNSS client authentication list VPN
crypto map VPNSS isakmp authorization list VPN
crypto map VPNSS client configuration address respond
crypto map VPNSS 1 ipsec-isakmp dynamic VPNS
!
interface FastEthernet0/0
description ==> Link to ISP <==
ip address dhcp
ip nat outside
crypto map VPNSS
!
interface FastEthernet0/1
description ==> Red Lan <==
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip local pool VPN-D 192.168.20.1 192.168.20.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
12-09-2009 08:42 PM
Hi,
I assume you are retrieving an IP address from the pool and the route is available in the routing table of the router. In this case you need to tell the router not to NAT the traffic destined to the VPN client:
ip nat inside source route-map nonat interface FastEthernet0/0 overload
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.31
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 101
!
The following link contains many examples: http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html
HTH
Laurent.
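To see why the original NAT statement broke the return path, here is an added Python model (not IOS code and not from the thread) that evaluates the poster's ACL 1 and Laurent's ACL 101 with Cisco wildcard-mask semantics for a LAN host talking to a VPN client; the LAN host 192.168.1.10, the client 192.168.20.5 and the Internet destination 203.0.113.5 are constructed sample addresses.

```python
import ipaddress

# Constructed model of the NAT decision in this thread: an ACL entry is matched
# with Cisco wildcard masks, and "route-map nonat permit 10 / match ip address"
# translates a flow only when the referenced ACL permits it.


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


# Poster's "access-list 1 permit 192.168.1.0 0.0.0.255": source only, any destination.
ACL_1 = [("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]

# Laurent's ACL 101: exempt LAN -> VPN pool, translate everything else from the LAN.
ACL_101 = [
    ("deny",   "192.168.1.0", "0.0.0.255", "192.168.20.0", "0.0.0.31"),
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0",      "255.255.255.255"),
]


def is_translated(acl, src: str, dst: str) -> bool:
    """NAT overload applies only when the route-map's ACL permits the flow."""
    return acl_action(acl, src, dst) == "permit"


def pool_fully_exempt(acl, pool_first: str, pool_last: str, lan_host: str = "192.168.1.10") -> bool:
    """Verify every address of the 'ip local pool' range is excluded from NAT."""
    first, last = int(ipaddress.IPv4Address(pool_first)), int(ipaddress.IPv4Address(pool_last))
    return all(not is_translated(acl, lan_host, str(ipaddress.IPv4Address(i)))
               for i in range(first, last + 1))


if __name__ == "__main__":
    print("ACL 1,   LAN -> VPN client translated:", is_translated(ACL_1, "192.168.1.10", "192.168.20.5"))
    print("ACL 101, LAN -> VPN client translated:", is_translated(ACL_101, "192.168.1.10", "192.168.20.5"))
    print("ACL 101, LAN -> Internet translated:  ", is_translated(ACL_101, "192.168.1.10", "203.0.113.5"))
    print("Pool .1-.20 fully exempt under ACL 101:", pool_fully_exempt(ACL_101, "192.168.20.1", "192.168.20.20"))
```

The pool check matters because the deny line's wildcard 0.0.0.31 must cover the whole `ip local pool` range; a pool that grew past 192.168.20.31 would silently be NATed again.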
12-10-2009 07:28 AM
Thank you for your help!!.. The VPN works fine!!