VPN problem

Hi everybody...


I'm trying to set up a VPN server using a 3662. I would like to be able to
connect to the VPN server using the Cisco VPN client. I would also like the
router to do NAT for the local LAN. Currently I can only do one at a time.
If I disable the inside NAT translation (no ip nat inside source list NAT
interface FastEthernet0/0 overload) my VPN client can talk to the LAN but my
LAN PCs can't get to the Internet. If I enable NAT my LAN PCs can get to the
Internet but the VPN client cannot get to the LAN. Here is my config....


Current configuration : 2440 bytes
!
! Last configuration change at 23:01:55 AKST Tue Jan 16 2007
! NVRAM config last updated at 23:09:33 AKST Tue Jan 16 2007 by ljones
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3662-1
!
boot-start-marker
boot-end-marker
!
logging buffered 10000 debugging
enable secret 5 xxxx
!
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauth local
!
aaa session-id common
!
resource policy
!
clock timezone AKST -9
clock summer-time AKST recurring
ip subnet-zero
!
!
ip cef
!
!
!
!
!
username me privilege 15 password 0 cisco
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNgroup
 key cisco
 dns 192.168.1.3 192.168.1.2
 wins 192.168.1.2
 domain bluphisolutions.com
 pool VPNpool

crypto isakmp profile VPNclient
   match identity group VPNgroup
   client authentication list clientauth
   isakmp authorization list groupauth
   client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DynVPNmap 5
 set transform-set ESP-3DES-SHA
 set isakmp-profile VPNclient
!
!
crypto map VPNmap 1 ipsec-isakmp dynamic DynVPNmap
!
!
!
!
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.255
!
interface FastEthernet0/0
 description WAN
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPNmap
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Ethernet1/0
 no ip address
 shutdown
 half-duplex
!
ip local pool VPNpool 192.168.10.2 192.168.10.254
ip http server
no ip http secure-server
ip classless
!
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
!
ip access-list extended NAT
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
logging facility syslog
logging 192.168.1.2
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 logging synchronous
!
ntp clock-period 17179883
ntp server 192.43.244.18
!
end



Re: VPN problem


you need to remove the 192.168.10.0 statement in your NAT ACL, it should not
be there.
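
An added example, not part of the original thread: a small Python model of first-match evaluation of the `NAT` access list from the posted config, showing which flows the `overload` rule would translate. The sample host addresses and the `EXEMPT` list with a leading `deny` entry are assumptions for illustration, not a configuration given by any poster.

```python
import ipaddress

# NAT access list from the posted config, and a variant with an exemption
# entry first (the variant is an assumption, not a config from the thread).
ORIGINAL = """
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
"""
EXEMPT = """
deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
"""

def take_net(tokens):
    """Consume 'any' or '<address> <wildcard>' and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # ipaddress accepts a contiguous wildcard (host mask) after the slash.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' entries into (action, src, dst)."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        src, rest = take_net(tokens[2:])   # tokens[1] is the protocol, 'ip'
        dst, _ = take_net(rest)
        rules.append((tokens[0], src, dst))
    return rules

def nat_translates(acl_text, src, dst):
    """First matching entry decides; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in parse_acl(acl_text):
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

# Constructed sample flows: a LAN host answering a VPN-pool address, and the
# same host reaching an Internet address (documentation range).
FLOWS = [("192.168.1.10", "192.168.10.5"), ("192.168.1.10", "198.51.100.7")]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("exempt", EXEMPT)):
        for src, dst in FLOWS:
            verdict = "translated" if nat_translates(acl, src, dst) else "not translated"
            print(f"{name:8} {src} -> {dst}: {verdict}")
```

With the original list, the LAN host's reply to the VPN client is translated to the FastEthernet0/0 address before it reaches the crypto map, so it no longer matches the tunnel. With the exemption entry it is left untranslated while Internet-bound traffic is still overloaded.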



Re: VPN problem
OK, I figured it out... I need to use split tunneling.


