Cisco Support Community
Community Member

Cannot SSH to Router public IP after implementing VPN split tunnel

All access lists are in place on the VTYs. I am pretty sure it is the IP NAT OUTSIDE on the interface going to the Internet. Do I need to set up an ACL or policy routing to get this to authenticate? I can see the hits on the ACL when I try to connect. I am also seeing the proper sources and destinations when doing a DEBUG IP PACKET referencing an access-list.

Thanks in advance,

1) VPN.txt

4 REPLIES

Re: Cannot SSH to Router public IP after implementing VPN split

Hi,

In your VPN ISAKMP policy, you missed setting the peer and the hash algorithm used to hash the key with.

Without setting the peer, the VPN can't negotiate the ISAKMP peer Security Association.

HTH

Mohamed

Community Member

Re: Cannot SSH to Router public IP after implementing VPN split

Sorry if the description wasn't clear enough; this is a remote access VPN using Cisco's client. I can VPN into the router, I can surf the Internet and I can access the remote network on the 10's. Everything seems to be working OK while connected except that I cannot SSH or telnet to the router.

Hall of Fame Super Gold

Re: Cannot SSH to Router public IP after implementing VPN split

Bradley

In your original post you indicate that you think that the problem with SSH or telnet access is related to NAT and I believe that you are correct in this. I believe that the issue is in the access list which controls the translation. Here is what is configured:

access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 111 permit ip any any

I have seen problems with remote access to routers when the access list for translation includes permit any any. I suggest that you find a way to rewrite the access list and not use any any.

HTH

Rick

Community Member

Re: Cannot SSH to Router public IP after implementing VPN split

You are correct, sir!! Changed config to:

VPN(config)#$ 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

VPN(config)#access-list 111 permit ip 192.168.1.0 0.0.0.20 any

VPN(config)#access-list 111 permit ip 10.10.10.0 0.0.0.255 any

Everything works great, Thanks for the help.
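As an added example (not part of the thread, and not code from any poster), the small evaluator below applies Cisco wildcard-mask semantics to the two versions of access-list 111 quoted above and reports which constructed sample flows each version would select for translation. The flow list and the outside addresses (203.0.113.0/24 and 198.51.100.0/24, documentation ranges) are constructed for the example; nothing here is taken from the attached VPN.txt, which is not visible on this page.

```python
import ipaddress
from typing import List, Tuple

# Added example: a minimal first-match evaluator for IOS-style
# "access-list N permit|deny ip SRC DST" lines with wildcard masks.
# Wildcard rule: a 0 bit must match, a 1 bit is "don't care". IOS accepts
# non-contiguous wildcards, so the check is done bitwise, not by prefix length.

AddrSpec = Tuple[int, int]          # (network as int, wildcard as int)
ANY: AddrSpec = (0, 0xFFFFFFFF)      # "any" == 0.0.0.0 255.255.255.255


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, spec: AddrSpec) -> bool:
    net, wild = spec
    care = ~wild & 0xFFFFFFFF        # bits that must agree
    return (_ip(addr) & care) == (net & care)


def _addr_spec(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_ace(line: str) -> Tuple[str, AddrSpec, AddrSpec]:
    t = line.split()
    if t[0] != "access-list" or t[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _addr_spec(t, 4)
    dst, _ = _addr_spec(t, i)
    return t[2], src, dst            # (action, src, dst)


def evaluate(acl: List[str], src: str, dst: str) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for line in acl:
        action, s, d = parse_ace(line)
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"


def matched_hosts(network: str, wildcard: str) -> List[str]:
    """Enumerate every address a (network, wildcard) pair matches.
    Refuses to expand wildcards with more than 8 don't-care bits."""
    net, wild = _ip(network), _ip(wildcard)
    bits = [b for b in range(32) if (wild >> b) & 1]
    if len(bits) > 8:
        raise ValueError("wildcard too wide to enumerate")
    base = net & ~wild & 0xFFFFFFFF
    out = []
    for n in range(1 << len(bits)):
        a = base
        for k, b in enumerate(bits):
            if (n >> k) & 1:
                a |= 1 << b
        out.append(str(ipaddress.IPv4Address(a)))
    return sorted(out, key=_ip)


# The NAT access list as first posted (Rick's quote) and as changed in the last post.
OLD_ACL_111 = [
    "access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 111 permit ip any any",
]
NEW_ACL_111 = [
    "access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 111 permit ip 192.168.1.0 0.0.0.20 any",
    "access-list 111 permit ip 10.10.10.0 0.0.0.255 any",
]

# Constructed sample flows (source, destination); not from the thread.
SAMPLE_FLOWS = [
    ("10.10.10.5", "198.51.100.10"),    # LAN host to Internet: should be translated
    ("10.10.10.5", "192.168.1.7"),      # LAN host to VPN client: must bypass NAT
    ("192.168.1.4", "198.51.100.10"),   # VPN client address matched by 0.0.0.20
    ("192.168.1.7", "198.51.100.10"),   # VPN client address NOT matched by 0.0.0.20
    ("203.0.113.50", "198.51.100.10"),  # arbitrary outside source
]


def compare(flows=SAMPLE_FLOWS):
    """Map each flow to (old ACL verdict, new ACL verdict)."""
    return {f: (evaluate(OLD_ACL_111, *f), evaluate(NEW_ACL_111, *f)) for f in flows}


if __name__ == "__main__":
    for flow, (old, new) in compare().items():
        print(f"{flow[0]:>14} -> {flow[1]:<14} old={old:<6} new={new}")
    print("0.0.0.20 matches:", matched_hosts("192.168.1.0", "0.0.0.20"))
```

Two things the run makes visible. First, the old list selects every source, including addresses that are neither the LAN nor the VPN pool, whereas the new list selects only the two ranges named; that is the change Rick recommended. Second, 0.0.0.20 is a non-contiguous wildcard (bits 4 and 16 are don't-care), so `192.168.1.0 0.0.0.20` matches exactly four addresses: .0, .4, .16 and .20. If the intent was a contiguous block such as .0 to .31, the wildcard would be 0.0.0.31; if the whole /24 was intended, 0.0.0.255. Worth checking against the pool actually assigned to the VPN clients before relying on this list.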
