EZVPN Server - clients connect but cannot pass traffic.

Hi,

I've stared at this for too long and need a fresh set of eyes to hopefully point me in the right direction. This router is performing PAT for internet access and I'm trying to enable it as an EZVPN server. Using the VPN client, I'm able to connect and bring up the tunnel. However, once I'm in, I cannot pass traffic nor ping the router LAN interface (on same subnet). Any thoughts?

Thanks for your help, Spencer Teran

version 12.3
no parser cache
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname igw
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret xxx
!
username xxx password xxx
username zzz password zzz
aaa new-model
!
aaa authorization network biotxvpn local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
no ip domain lookup
ip domain name blah.blah
ip name-server public.ip
!
ip audit po max-events 100
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group biotxvpn
 key password
 dns 192.168.0.11
 wins 192.168.0.11
 domain same.as.internal.hosts
 pool dynpool
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
crypto map dynmap isakmp authorization list biotxvpn
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
interface Loopback0
 ip address 209.x.x.x 255.255.255.255
 ip nat outside
 crypto map dynmap
!
interface FastEthernet0/0
 description Ethernet LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 crypto map dynmap
!
interface Serial0/0
 description Internet WAN
 ip address 10.0.36.170 255.255.255.252
 ip nat outside
 encapsulation ppp
 no fair-queue
 service-module t1 timeslots 1-24
 crypto map dynmap
!
ip local pool dynpool 192.168.0.100 192.168.0.120
ip nat inside source list 1 interface Loopback0 overload
ip nat inside source static tcp 192.168.0.68 80 209.z.z.z 80 extendable
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
access-list 1 permit 192.168.0.0 0.0.0.255
no cdp run
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password xxx
!
end


I think you have to add the command "acl" under the definition of "crypto isakmp client configuration group biotxvpn".

Something like:

crypto isakmp client configuration group biotxvpn
 key password
 dns 192.168.0.11
 wins 192.168.0.11
 domain same.as.internal.hosts
 pool dynpool
 acl vpn_routes

ip access-list extended vpn_routes
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

You may have to adjust vpn_routes so that it is appropriate for your VPN permission.

DT


Hi DT,

Thanks for your reply. Adding the ACL command under the isakmp client config allows you to specify networks to encrypt (for split tunnel). Without that ACL, all traffic gets passed through the tunnel. The problem ended up being that the NAT was translating the VPN traffic as well. I ended up modifying the NAT ACL to deny traffic from the VPN chunk from getting translated.

Thanks, Spencer Teran

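The two changes discussed in this thread, written out as one fragment against the posted igw config. This is an added example, not the poster's final configuration: the ACL name nonat is an assumption, vpn_routes is the name from DT's reply, and the pool, interface names and map names are the poster's. The NAT exemption is the change that actually fixed the problem; the split-tunnel ACL is optional and only changes what the client sends through the tunnel.

```cisco
! Added example, not the poster's config. Names "nonat" and the 192.168.0.96/27
! block covering the pool are assumptions.
!
! 1. Split tunnel (DT's suggestion): only traffic for the LAN goes through the
!    tunnel, the client reaches the Internet directly. Destination "any" is the
!    usual form for this ACL; the source is the network the client is allowed to reach.
ip access-list extended vpn_routes
 permit ip 192.168.0.0 0.0.0.255 any
!
crypto isakmp client configuration group biotxvpn
 key password
 dns 192.168.0.11
 wins 192.168.0.11
 domain same.as.internal.hosts
 pool dynpool
 acl vpn_routes
!
! 2. NAT exemption (the actual fix). Inside-to-outside NAT runs before the crypto
!    map. A LAN reply to a VPN client is routed out Serial0/0 by the host route
!    that "reverse-route" injects, matches access-list 1, is PATed to the Loopback0
!    address, and then no longer matches the IPsec proxy identity for that client,
!    so it is sent in the clear and never reaches the client.
!    The deny entries must come before the permit. 192.168.0.96 0.0.0.31 covers
!    the pool 192.168.0.100-120 (plus a few unused addresses in that block).
ip access-list extended nonat
 deny   ip 192.168.0.0 0.0.0.255 192.168.0.96 0.0.0.31
 permit ip 192.168.0.0 0.0.0.255 any
!
no ip nat inside source list 1 interface Loopback0 overload
ip nat inside source list nonat interface Loopback0 overload
```

After swapping the NAT statement, run `clear ip nat translation *` so existing translations for LAN hosts do not keep matching the old list, then check `show crypto ipsec sa` from a connected client: both the encaps and decaps counters should increase when you ping 192.168.0.1. Two caveats worth knowing. Because the pool sits inside the LAN subnet, LAN hosts ARP for the client addresses and the router answers for them through proxy ARP on FastEthernet0/0 (on by default); a pool in its own subnet, with a matching deny line in nonat, avoids depending on that. And the ISAKMP policy (3DES, DH group 2, a group pre-shared key) is left exactly as posted because it is not what broke traffic here, not because it is what you would choose today.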

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.