VPN terminating on 1841 but cannot route to internal LAN?

Hi All,

I thought I'd start a new post with my conf for both units to see if anyone can point me in the right direction?

LAYOUT ======

INTERNET --> SOHO97 ----> CISCO1841 ------> LAN PC2 FROM 1841 (10.11.121.1)
                |
                ---> LAN PC1 FROM SOHO (10.11.12.1)

FROM THE ROUTER'S IOS I CAN PING 10.11.12.1 ---> FROM THE VPN CLIENT, WHICH TAKES A VPN POOL IP ADDRESS, I CANNOT.

Also, running the newer Cisco Client app shows the VPN client's IP address as the address from the POOL and the GATEWAY as the same IP address? Is this normal?

EXTERNAL ROUTER 10.11.12.13 - SOHO97
======================================
Router is a 4-port switch with ADSL WAN
======================================

10.11.12.1 PC PLUGGED INTO THIS ROUTER
======================================

ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static esp 10.11.12.14 interface Dialer1
ip nat inside source static udp 10.11.12.14 500 interface Dialer1 500

ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.11.12.3 255.255.255.255 10.11.12.14
ip route 10.11.12.4 255.255.255.255 10.11.12.14
ip route 10.11.12.5 255.255.255.255 10.11.12.14
ip route 10.11.12.14 255.255.255.255 Ethernet0
ip route 10.11.121.15 255.255.255.255 10.11.12.14

I've also tried this in here: ip route 10.11.12.1 255.255.255.255 Ethernet0 --- but no luck with it.

logging 10.11.12.1
access-list 23 permit 10.11.12.0 0.0.0.255
access-list 102 permit ip 10.11.12.0 0.0.0.255 any
access-list 102 permit ip 10.11.121.0 0.0.0.255 any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any eq non500-isakmp host 10.11.12.14 eq non500-isakmp
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any time-exceeded
access-list 111 deny icmp any any unreachable
access-list 111 deny icmp any any echo
access-list 111 deny icmp any any administratively-prohibited
access-list 111 deny icmp any any packet-too-big
access-list 111 deny icmp any any
access-list 111 deny ip host 0.0.0.0 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip 224.0.0.0 31.255.255.255 any log
access-list 111 deny ip 255.0.0.0 0.255.255.255 any log
access-list 111 deny ip any any log

INTERNAL ROUTER - 1841
========================================
CISCO ROUTER WITH 2 ETHERNET PORTS
========================================

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 group 2
!
crypto isakmp client configuration group LAPD
 key XXXXXXXXXXXX
 dns XXXXXXXXXXXX
 pool SDM_POOL_1
 include-local-lan
 max-users 4
 max-logins 4
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description OUTSIDE INTERFACE 10.11.12.14
 ip address 10.11.12.14 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1

!
interface FastEthernet0/1
 description INSIDE INTERFACE 10.11.121.15
 ip address 10.11.121.15 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled

!
ip local pool SDM_POOL_1 10.11.12.3 10.11.12.5
ip route 0.0.0.0 0.0.0.0 10.11.12.13 permanent
ip route 10.11.12.1 255.255.255.255 10.11.12.13

!!!!---> by adding this last route, my tracert to 10.11.12.1 from the client gets to 10.11.12.13, whereas before it timed out after 10.11.12.14!

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!

logging trap debugging
logging 10.11.12.1

access-list 1 remark ======== HTTPS ACCESS ========
access-list 1 permit 10.11.121.0 0.0.0.255
access-list 1 deny any

access-list 100 remark ======== INSIDE INTERFACE ACL =========
access-list 100 deny ip any host 10.11.12.3
access-list 100 deny ip any host 10.11.12.4
access-list 100 deny ip any host 10.11.12.5
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any

access-list 101 remark ======== OUTSIDE INTERFACE ACL ========
access-list 101 permit esp any host 10.11.12.14
access-list 101 permit ahp any host 10.11.12.14
access-list 101 permit udp any host 10.11.12.14 eq non500-isakmp
access-list 101 permit udp any host 10.11.12.14 eq isakmp
access-list 101 permit ip host 10.11.12.1 any
access-list 101 permit ip host 10.11.12.3 any
access-list 101 permit ip host 10.11.12.4 any
access-list 101 permit ip host 10.11.12.5 any
access-list 101 permit ip host 10.11.12.13 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any eq www any
access-list 101 permit tcp any eq 443 any
access-list 101 permit udp host XXXXXXXXXX eq domain any
access-list 101 permit udp host XXXXXXXXXX eq domain any
access-list 101 deny ip 10.11.121.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log

access-list 102 remark ======== TELNET ACCESS ACL ========
access-list 102 permit ip host 10.11.12.3 any
access-list 102 permit ip host 10.11.12.4 any
access-list 102 permit ip host 10.11.12.5 any
access-list 102 permit ip 10.11.121.0 0.0.0.255 any
access-list 102 deny ip any any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 100

Any ideas?

Steve

StevenY

Hi,

First of all, I don't get it... who's doing the VPN? The Cisco 1841 and the SOHO, or do you have another VPN machine behind the SOHO that does it?

I think your problem is in your access list for the NAT. You need to deny all NAT to the VPN networks so you can reach them.

nirsh
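The NAT-exemption point above can be checked rather than eyeballed. The following script is an added example (not from this thread, not Cisco code): it models standard IOS extended-ACL semantics (first matching entry wins, implicit deny at the end) and applies them the way `ip nat inside source route-map SDM_RMAP_1` uses `match ip address 100`: a permit means the flow is translated, a deny means it is left alone. The ACL text is access-list 100 exactly as posted in the 1841 config; the flows are constructed from addresses in the post (the SDM_POOL_1 range, LAN PC2 at 10.11.121.1 and PC1 at 10.11.12.1), plus one TEST-NET address standing in for an Internet host. It shows that ACL 100 only exempts traffic whose *destination* is a pool host, while a flow from a pool address to 10.11.12.1 falls through to `permit ip any any`. It does not model which interface a packet enters or leaves, so whether NAT is consulted at all for a given packet (inside-to-outside only) is outside its scope.

```python
"""Evaluate the 1841's NAT route-map ACL against candidate VPN-pool / LAN flows.

Added example, not from the thread or from Cisco.  Models IOS extended-ACL
semantics (first match wins, implicit deny) and the route-map rule used by
'ip nat inside source route-map': permit = translate, deny = exempt.
"""
from __future__ import annotations

import ipaddress
from typing import NamedTuple

# access-list 100 as posted in the thread (route-map SDM_RMAP_1 matches it)
ACL_100 = """
access-list 100 remark ======== INSIDE INTERFACE ACL =========
access-list 100 deny ip any host 10.11.12.3
access-list 100 deny ip any host 10.11.12.4
access-list 100 deny ip any host 10.11.12.5
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
"""


class Ace(NamedTuple):
    action: str                 # "permit" or "deny"
    src: tuple[int, int]        # (address, wildcard mask) as integers
    dst: tuple[int, int]


def _parse_addr(tokens: list[str], i: int) -> tuple[tuple[int, int], int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' at tokens[i]; return ((addr, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wildcard), i + 2


def parse_acl(text: str, number: int) -> list[Ace]:
    """Parse the 'ip'-protocol entries of a numbered extended ACL.

    Port-qualified tcp/udp entries are skipped: ACL 100 has none, and
    modelling 'eq <port>' is not needed for a NAT match ACL like this one.
    """
    aces: list[Ace] = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        if proto != "ip":
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        aces.append(Ace(action, src, dst))
    return aces


def _matches(entry: tuple[int, int], addr: str) -> bool:
    """IOS wildcard match: a 0 bit in the wildcard means that bit must match."""
    net, wildcard = entry
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def acl_action(aces: list[Ace], src: str, dst: str) -> str:
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action
    return "deny"


def nat_translated(aces: list[Ace], src: str, dst: str) -> bool:
    """Under 'match ip address <acl>' in a NAT route-map: permit = translate, deny = exempt."""
    return acl_action(aces, src, dst) == "permit"


# Constructed flows from the post's addresses: LAN PC2 behind the 1841, a
# VPN client holding the first SDM_POOL_1 address, PC1 on the SOHO97 side.
FLOWS = {
    "LAN PC2 -> VPN client in pool": ("10.11.121.1", "10.11.12.3"),
    "LAN PC2 -> Internet host":      ("10.11.121.1", "203.0.113.10"),  # TEST-NET-3, constructed
    "VPN client -> PC1 on SOHO LAN": ("10.11.12.3", "10.11.12.1"),
}


def report(acl_text: str = ACL_100) -> dict[str, bool]:
    """Per flow: True if route-map SDM_RMAP_1 would translate it, False if it is exempt."""
    aces = parse_acl(acl_text, 100)
    return {name: nat_translated(aces, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for name, translated in report().items():
        print(f"{name:32} {'TRANSLATED (NAT)' if translated else 'exempt from NAT'}")
```

Running it prints that LAN-to-pool traffic is exempt while the other two flows fall through to the final permit. The same `parse_acl` / `acl_action` pair can be pointed at any `ip`-only match ACL to confirm a NAT exemption before it is pushed to a router.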
