Hi all, I know I'm missing something simple here.
Currently I can connect using the Cisco Client to the Cisco 1841 server. I can telnet into the 1841 once on the VPN, but I cannot ping/trace/telnet out to 10.11.12.13.
Layout wise, I have a Soho 97 (10.11.12.13) connected to 0/0 on the 1841 (10.11.12.14), with 0/1 (10.11.121.15) connecting to the internal LAN switch.
Config below. THANKS for any replies...
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 group 2
!
crypto isakmp client configuration group LAPD
 key **********
 pool SDM_POOL_1
 include-local-lan
 max-users 4
 max-logins 4
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description OUTSIDE INTERFACE 10.11.12.14
 ip address 10.11.12.14 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description INSIDE INTERFACE 10.11.121.15
 ip address 10.11.121.15 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip local pool SDM_POOL_1 10.11.12.2 10.11.12.12
ip route 0.0.0.0 0.0.0.0 10.11.12.13 permanent
!
no ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
logging trap debugging
logging 10.11.12.1
access-list 1 remark ======== HTTPS ACCESS ========
access-list 1 permit 10.11.12.0 0.0.0.255
access-list 1 permit 10.11.121.0 0.0.0.255
access-list 1 deny any
access-list 100 remark ======== INSIDE INTERFACE ACL =========
access-list 100 deny ip any host 10.11.12.2
access-list 100 deny ip any host 10.11.12.3
access-list 100 deny ip any host 10.11.12.4
access-list 100 deny ip any host 10.11.12.5
access-list 100 deny ip any host 10.11.12.6
access-list 100 deny ip any host 10.11.12.7
access-list 100 deny ip any host 10.11.12.8
access-list 100 deny ip any host 10.11.12.9
access-list 100 deny ip any host 10.11.12.10
access-list 100 deny ip any host 10.11.12.11
access-list 100 deny ip any host 10.11.12.12
access-list 100 deny ip 10.11.12.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark ======== OUTSIDE INTERFACE ACL ========
access-list 101 permit ip host 10.11.12.2 any
access-list 101 permit ip host 10.11.12.3 any
access-list 101 permit ip host 10.11.12.4 any
access-list 101 permit ip host 10.11.12.5 any
access-list 101 permit ip host 10.11.12.6 any
access-list 101 permit ip host 10.11.12.7 any
access-list 101 permit ip host 10.11.12.8 any
access-list 101 permit ip host 10.11.12.9 any
access-list 101 permit ip host 10.11.12.10 any
access-list 101 permit ip host 10.11.12.11 any
access-list 101 permit ip host 10.11.12.12 any
access-list 101 permit esp any host 10.11.12.14
access-list 101 permit ahp any host 10.11.12.14
access-list 101 permit udp any host 10.11.12.14 eq non500-isakmp
access-list 101 permit udp any host 10.11.12.14 eq isakmp
access-list 101 permit icmp any host 10.11.12.14 echo-reply
access-list 101 permit icmp any host 10.11.12.14 time-exceeded
access-list 101 permit icmp any host 10.11.12.14 unreachable
access-list 101 deny ip 10.11.121.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark ======== TELNET ACCESS ACL ========
access-list 102 permit ip 10.11.12.0 0.0.0.255 any
access-list 102 permit ip 10.11.121.0 0.0.0.255 any
access-list 102 deny ip any any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
!
control-plane
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 102 in
 transport input telnet ssh
line vty 5 15
 access-class 102 in
 transport input telnet ssh
!
scheduler allocate 4000 1000
end
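Added example, not code from the post or from Cisco: a small Python checker that parses the `ip local pool` and `interface` blocks of an IOS config and flags any client address pool that falls inside a directly connected interface subnet. The config excerpt embedded in the script is copied from the post above (pool 10.11.12.2-10.11.12.12, Fa0/0 at 10.11.12.14/24 with `no ip proxy-arp`). The check is worth running on a config like this because a host on the outside subnet, such as the Soho 97 at 10.11.12.13, treats pool addresses as local neighbours and ARPs for them rather than forwarding replies to the 1841, and with proxy-arp disabled on that interface nothing answers the ARP. The parser is deliberately minimal and assumes the one-space indentation of interface sub-commands that IOS uses in the post.

```python
import ipaddress
import re

# Excerpt of the IOS config quoted in the post above; only the lines this
# check needs are kept, with the addresses exactly as posted.
CONFIG = """\
interface FastEthernet0/0
 description OUTSIDE INTERFACE 10.11.12.14
 ip address 10.11.12.14 255.255.255.0
 no ip proxy-arp
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description INSIDE INTERFACE 10.11.121.15
 ip address 10.11.121.15 255.255.255.0
 no ip proxy-arp
!
ip local pool SDM_POOL_1 10.11.12.2 10.11.12.12
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)")
IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)")
NO_PROXY_RE = re.compile(r"^\s+no ip proxy-arp")


def parse_pools(config):
    """Return {pool_name: (first_ip, last_ip)} from 'ip local pool' lines."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (
                ipaddress.ip_address(m.group(2)),
                ipaddress.ip_address(m.group(3)),
            )
    return pools


def parse_interfaces(config):
    """Return {iface: {"network": IPv4Network or None, "proxy_arp": bool}}.

    IOS enables proxy-arp by default, so it is only turned off when the
    interface block carries an explicit 'no ip proxy-arp'.
    """
    ifaces = {}
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"network": None, "proxy_arp": True}
            continue
        if current is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            # ipaddress accepts "address/netmask" and yields the connected subnet
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            ifaces[current]["network"] = iface.network
        elif NO_PROXY_RE.match(line):
            ifaces[current]["proxy_arp"] = False
    return ifaces


def pool_overlaps(config):
    """List (pool, iface, subnet, proxy_arp) for every pool whose range
    touches a directly connected interface subnet."""
    findings = []
    ifaces = parse_interfaces(config)
    for name, (first, last) in parse_pools(config).items():
        for iface, info in ifaces.items():
            net = info["network"]
            if net is None:
                continue
            if first in net or last in net:
                findings.append((name, iface, str(net), info["proxy_arp"]))
    return findings


if __name__ == "__main__":
    for pool, iface, net, proxy_arp in pool_overlaps(CONFIG):
        print(f"pool {pool} lies inside {iface} subnet {net}; "
              f"proxy-arp {'on' if proxy_arp else 'off'}")
```

Run against the excerpt, the checker reports SDM_POOL_1 inside the FastEthernet0/0 subnet 10.11.12.0/24 with proxy-arp off; moving the pool to a range that is not on any interface (and is reachable only through the router's reverse-route entries) makes the finding disappear.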