VPN NAT

richard.gosling
Level 1

Hi ALL

I have configured a Cisco 877 as a VPN server

The remote host can connect to the VPN - but cannot access the LAN

If my virtual tunnel interface is the BVI interface, is the VPN tunnel exiting onto the LAN?

If that's the case, it should be able to ping hosts on the LAN, correct?

Or do I need to NAT the VPN pool to VLAN 1 on the inside?

Hope that makes sense.

Thanks in advance for any help

5 Replies

paolo bevilacqua
Hall of Fame

Hi, I think you should post your current config after removing public IPs and passwords.

no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool1
 import all
 network 10.10.10.0 255.255.255.0
 dns-server ************************8
 default-router 10.10.10.1
!
ip name-server ************
ip name-server **********
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group SolentVPN
 key ************
 pool SDM_POOL_1
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
 match identity group SolentVPN
 client authentication list sdm_vpn_xauth_ml_1
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
bridge irb
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 description $FW_INSIDE$
 ip unnumbered BVI1
 ip access-group 101 in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 40bit 7 ********* transmit-key
 encryption mode wep mandatory
 !
 ssid SolentSound
  authentication open
  guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address ********************
 ip access-group 101 in
 no ip redirects
!
ip local pool SDM_POOL_1 192.168.0.1 192.168.0.50
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool VPN 192.168.0.1 192.168.0.50 netmask 255.255.255.0
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended VPN
 remark VPN
 remark SDM_ACL Category=2
 permit ip any any
!

Hi,

try:

no interface atm0.1
interface atm0
 default ip redirects
 default ip unreachables
 default ip proxy-arp
 default ip route-cache
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
interface Vlan1
 ip tcp adjust-mss 1452
interface BVI 1
 ! mask added: IOS rejects "ip address" without one; /24 matches the DHCP pool above
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
interface dialer0
 ip nat outside
access-list 1 permit 10.10.10.0 0.0.0.255

The objective is to simplify the configuration by removing commands that are not needed, and to get the inside PCs working on the internet first.

For the PC connected via VPN, you need to decide if you want split-tunnel for it (usually that is the case).

Then you can configure DDNS on the router so the VPN client always knows, via DNS, which address it must connect to.

I think you are missing the point. I have 20 PCs and a server all happily talking to the internet.

I have a problem with a VPN tunnel that cannot see the LAN on the router.

The commands mentioned simplify the configuration; besides, the config you posted is missing the BVI and complete ACLs, so I put them in anyway.

Now for the tunnel problem, I think it's missing RRI (set reverse-route under the ipsec profile), see:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_rev_rte_inject.html

As an appreciation for useful answers, please rate posts using the scrollbox below!
