VPN access to local lan problem after enabling firewall

Hi

I got an issue after enabling the firewall on the router: the users can connect to the VPN but they can't access the local LAN (remote LAN). Everything worked before enabling it using the CCP.

Here is a copy of the config after enabling the firewall:

parameter-map type protocol-info yahoo-servers

server name scs.msg.yahoo.com

server name scsa.msg.yahoo.com

server name scsb.msg.yahoo.com

server name scsc.msg.yahoo.com

server name scsd.msg.yahoo.com

server name cs16.msg.dcn.yahoo.com

server name cs19.msg.dcn.yahoo.com

server name cs42.msg.dcn.yahoo.com

server name cs53.msg.dcn.yahoo.com

server name cs54.msg.dcn.yahoo.com

server name ads1.vip.scd.yahoo.com

server name radio1.launch.vip.dal.yahoo.com

server name in1.msg.vip.re2.yahoo.com

server name data1.my.vip.sc5.yahoo.com

server name address1.pim.vip.mud.yahoo.com

server name edit.messenger.yahoo.com

server name messenger.yahoo.com

server name http.pager.yahoo.com

server name privacy.yahoo.com

server name csa.yahoo.com

server name csb.yahoo.com

server name csc.yahoo.com

parameter-map type protocol-info aol-servers

server name login.oscar.aol.com

server name toc.oscar.aol.com

server name oam-d09a.blue.aol.com

parameter-map type protocol-info msn-servers

server name messenger.hotmail.com

server name gateway.messenger.hotmail.com

server name webmessenger.msn.com

password encryption aes

!

!

!

!

!

class-map type inspect match-all sdm-nat-user-protocol--7-1

match access-group 111

match protocol user-protocol--7

class-map type inspect match-all sdm-nat-http-4

match access-group 113

match protocol http

class-map type inspect match-all sdm-nat-http-5

match access-group 115

match protocol http

class-map type inspect match-all sdm-nat-user-protocol--6-1

match access-group 110

match protocol user-protocol--6

class-map type inspect match-all sdm-nat-http-6

match access-group 116

match protocol http

class-map type inspect match-all sdm-nat-user-protocol--5-1

match access-group 110

match protocol user-protocol--5

class-map type inspect match-any ccp-cls-protocol-im

match protocol ymsgr yahoo-servers

match protocol msnmsgr msn-servers

match protocol aol aol-servers

class-map type inspect match-all ccp-protocol-im

match class-map ccp-cls-protocol-im

class-map type inspect match-all sdm-cls-im

match class-map ccp-protocol-im

class-map type inspect match-all sdm-nat-user-protocol--4-1

match access-group 108

match protocol user-protocol--4

class-map type inspect match-all sdm-nat-http-7

match access-group 117

match protocol http

class-map type inspect imap match-any ccp-app-imap

match  invalid-command

class-map type inspect match-all sdm-nat-user-protocol--3-1

match access-group 103

match protocol user-protocol--3

class-map type inspect match-all sdm-nat-user-protocol--2-1

match access-group 105

match protocol user-protocol--2

class-map type inspect match-all sdm-nat-http-1

match access-group 106

match protocol http

class-map type inspect match-any ccp-cls-protocol-p2p

match protocol edonkey signature

match protocol gnutella signature

match protocol kazaa2 signature

match protocol fasttrack signature

match protocol bittorrent signature

class-map type inspect match-all sdm-nat-http-2

match access-group 107

match protocol http

class-map type inspect match-all sdm-nat-user-protocol--1-1

match access-group 105

match protocol user-protocol--1

class-map type inspect match-all sdm-nat-smtp-1

match access-group 104

match protocol smtp

class-map type inspect match-all sdm-nat-http-3

match access-group 109

match protocol http

class-map type inspect match-all sdm-nat-imap-1

match access-group 104

match protocol imap

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-all sdm-nat-http-8

match access-group 104

match protocol http

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-all sdm-nat-user-protocol--9-1

match access-group 112

match protocol user-protocol--9

class-map type inspect match-all sdm-nat-user-protocol--8-1

match access-group 110

match protocol user-protocol--8

class-map type inspect match-any ccp-cls-insp-traffic

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-all sdm-nat-echo-1

match access-group 103

match protocol echo

class-map type inspect match-any SDM_IP

match access-group name SDM_IP

class-map type inspect gnutella match-any ccp-app-gnutella

match  file-transfer

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type inspect msnmsgr match-any ccp-app-msn-otherservices

match  service any

class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices

match  service any

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all sdm-nat-pop3s-1

match access-group 104

match protocol pop3s

class-map type inspect match-all sdm-nat-user-protocol--12-1

match access-group 113

match protocol user-protocol--12

class-map type inspect aol match-any ccp-app-aol-otherservices

match  service any

class-map type inspect match-all sdm-nat-user-protocol--13-1

match access-group 104

match protocol user-protocol--13

class-map type inspect match-all sdm-nat-user-protocol--10-1

match access-group 114

match protocol user-protocol--10

class-map type inspect match-all sdm-nat-user-protocol--11-1

match access-group 114

match protocol user-protocol--11

class-map type inspect match-all ccp-protocol-pop3

match protocol pop3

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-all sdm-nat-pop3-1

match access-group 104

match protocol pop3

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect match-any SDM_EASY_VPN_CTCP_SERVER_PT

match access-group 102

class-map type inspect pop3 match-any ccp-app-pop3

match  invalid-command

class-map type inspect kazaa2 match-any ccp-app-kazaa2

match  file-transfer

class-map type inspect match-all ccp-protocol-p2p

match class-map ccp-cls-protocol-p2p

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect msnmsgr match-any ccp-app-msn

match  service text-chat

class-map type inspect ymsgr match-any ccp-app-yahoo

match  service text-chat

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all sdm-nat-dns-1

match access-group 103

match protocol dns

class-map type inspect http match-any ccp-app-httpmethods

match  request method bcopy

match  request method bdelete

match  request method bmove

match  request method bpropfind

match  request method bproppatch

match  request method connect

match  request method copy

match  request method delete

match  request method edit

match  request method getattribute

match  request method getattributenames

match  request method getproperties

match  request method index

match  request method lock

match  request method mkcol

match  request method mkdir

match  request method move

match  request method notify

match  request method options

match  request method poll

match  request method propfind

match  request method proppatch

match  request method put

match  request method revadd

match  request method revlabel

match  request method revlog

match  request method revnum

match  request method save

match  request method search

match  request method setattribute

match  request method startrev

match  request method stoprev

match  request method subscribe

match  request method trace

match  request method unedit

match  request method unlock

match  request method unsubscribe

class-map type inspect edonkey match-any ccp-app-edonkey

match  file-transfer

match  text-chat

match  search-file-name

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect http match-any ccp-http-blockparam

match  request port-misuse im

match  request port-misuse p2p

match  req-resp protocol-violation

class-map type inspect edonkey match-any ccp-app-edonkeydownload

match  file-transfer

class-map type inspect match-all ccp-protocol-imap

match protocol imap

class-map type inspect aol match-any ccp-app-aol

match  service text-chat

class-map type inspect match-all sdm-nat-https-1

match access-group 104

match protocol https

class-map type inspect edonkey match-any ccp-app-edonkeychat

match  search-file-name

match  text-chat

class-map type inspect match-all sdm-nat-imaps-1

match access-group 104

match protocol imaps

class-map type inspect match-all ccp-protocol-http

match protocol http

class-map type inspect http match-any ccp-http-allowparam

match  request port-misuse tunneling

class-map type inspect fasttrack match-any ccp-app-fasttrack

match  file-transfer

class-map type inspect match-all sdm-nat-ftp-1

match access-group 111

match protocol ftp

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect p2p ccp-action-app-p2p

class type inspect edonkey ccp-app-edonkeychat

  log

  reset

class type inspect edonkey ccp-app-edonkeydownload

  log

  reset

class type inspect fasttrack ccp-app-fasttrack

  log

  reset

class type inspect gnutella ccp-app-gnutella

  log

  reset

class type inspect kazaa2 ccp-app-kazaa2

  log

  reset

policy-map type inspect sdm-pol-NATOutsideToInside-1

class type inspect sdm-nat-dns-1

  inspect

class type inspect sdm-nat-https-1

  inspect

class type inspect sdm-nat-imaps-1

  inspect

class type inspect sdm-nat-pop3-1

  inspect

class type inspect sdm-nat-user-protocol--1-1

  inspect

class type inspect sdm-nat-user-protocol--2-1

  inspect

class type inspect sdm-nat-user-protocol--3-1

  inspect

class type inspect sdm-nat-echo-1

  inspect

class type inspect sdm-nat-http-1

  inspect

class type inspect sdm-nat-http-2

  inspect

class type inspect sdm-nat-user-protocol--4-1

  inspect

class type inspect sdm-nat-http-3

  inspect

class type inspect sdm-nat-user-protocol--5-1

  inspect

class type inspect sdm-nat-user-protocol--6-1

  inspect

class type inspect sdm-nat-ftp-1

  inspect

class type inspect sdm-nat-user-protocol--7-1

  inspect

class type inspect sdm-nat-user-protocol--8-1

  inspect

class type inspect sdm-nat-user-protocol--9-1

  inspect

class type inspect sdm-nat-http-4

  inspect

class type inspect sdm-nat-user-protocol--10-1

  inspect

class type inspect sdm-nat-http-5

  inspect

class type inspect sdm-nat-user-protocol--11-1

  inspect

class type inspect sdm-nat-http-6

  inspect

class type inspect sdm-nat-http-7

  inspect

class type inspect sdm-nat-user-protocol--12-1

  inspect

class type inspect sdm-nat-user-protocol--13-1

  inspect

class type inspect sdm-nat-pop3s-1

  inspect

class type inspect sdm-nat-imap-1

  inspect

class type inspect sdm-nat-smtp-1

  inspect

class type inspect sdm-nat-http-8

  inspect

class class-default

  drop

policy-map type inspect im ccp-action-app-im

class type inspect aol ccp-app-aol

  log

  reset

class type inspect msnmsgr ccp-app-msn

  log

  reset

class type inspect ymsgr ccp-app-yahoo

  log

  reset

class type inspect aol ccp-app-aol-otherservices

  log

  reset

class type inspect msnmsgr ccp-app-msn-otherservices

  log

  reset

class type inspect ymsgr ccp-app-yahoo-otherservices

  log

  reset

policy-map type inspect http ccp-action-app-http

class type inspect http ccp-http-blockparam

  log

  allow

class type inspect http ccp-app-httpmethods

  log

  allow

class type inspect http ccp-http-allowparam

  log

  allow

policy-map type inspect imap ccp-action-imap

class type inspect imap ccp-app-imap

  log

policy-map type inspect pop3 ccp-action-pop3

class type inspect pop3 ccp-app-pop3

  log

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

  service-policy http ccp-action-app-http

class type inspect ccp-protocol-imap

  inspect

  service-policy imap ccp-action-imap

class type inspect ccp-protocol-pop3

  inspect

  service-policy pop3 ccp-action-pop3

class type inspect ccp-protocol-p2p

  drop log

class type inspect sdm-cls-im

  inspect

  service-policy im ccp-action-app-im

class type inspect ccp-protocol-im

  inspect

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-sip-inspect

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class type inspect SDM_EASY_VPN_SERVER_PT

  pass

class type inspect SDM_EASY_VPN_CTCP_SERVER_PT

  inspect

class class-default

  drop

policy-map type inspect sdm-permit-ip

class type inspect SDM_IP

  pass

class class-default

  drop log

!

zone security ezvpn-zone

zone security in-zone

zone security out-zone

zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone

service-policy type inspect sdm-permit-ip

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone

service-policy type inspect sdm-pol-NATOutsideToInside-1

zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone

service-policy type inspect sdm-permit-ip

!

crypto ctcp port 10000

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group usuariovpn

key usuariovpn

dns 172.17.128.33 172.17.128.24

domain XXXXXXXXXXXXXXXX

pool SDM_POOL_2

acl 101

save-password

include-local-lan

split-dns XXXXXXXXXXXXXXXX

max-users 20

netmask 255.255.255.0

crypto isakmp profile ciscocp-ike-profile-1

   match identity group usuariovpn

   client authentication list ciscocp_vpn_xauth_ml_1

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set security-association idle-time 28800

set transform-set ESP-3DES-SHA

set isakmp-profile ciscocp-ike-profile-1

!

!

!

!

!

!

interface Loopback1

ip address 172.1.1.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

!

interface Null0

no ip unreachables

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

description $FW_OUTSIDE$

ip address XXXXX

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip flow ingress

ip nat outside

ip virtual-reassembly in

ip verify unicast reverse-path

zone-member security out-zone

pvc 1/50

  encapsulation aal5snap

!

!

interface BRI0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

encapsulation hdlc

shutdown

!

interface FastEthernet0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet0.1

description Datos$FW_INSIDE$

encapsulation dot1Q 1 native

ip address 172.17.128.250 255.255.192.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip flow ingress

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

!

interface FastEthernet0.20

description $WLAN VISITAS$$FW_INSIDE$

encapsulation dot1Q 20

ip address 192.168.100.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

!

interface FastEthernet0.100

description $CISCO_VOICE$$FW_INSIDE$

encapsulation dot1Q 100

ip address 10.1.1.2 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

!

interface FastEthernet1

no ip address

shutdown

!

interface FastEthernet2

no ip address

shutdown

!

interface FastEthernet3

no ip address

shutdown

!

interface FastEthernet4

no ip address

shutdown

!

interface FastEthernet5

no ip address

shutdown

!

interface FastEthernet6

no ip address

shutdown

!

interface FastEthernet7

no ip address

shutdown

!

interface FastEthernet8

no ip address

shutdown

!

interface Virtual-Template1 type tunnel

description VPN corporativo de XXXXX

ip unnumbered ATM0.1

zone-member security ezvpn-zone

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface Vlan1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

!

ip local pool SDM_POOL_2 192.168.200.200 192.168.200.240

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

!

ip flow-top-talkers

top 100

sort-by bytes

!

ip nat inside source static udp 172.17.128.19 53 interface ATM0.1 53

ip nat inside source list 1 interface ATM0.1 overload

ip nat inside source static tcp 172.17.128.33 443 interface ATM0.1 443

ip nat inside source static tcp 172.17.128.33 993 interface ATM0.1 993

ip nat inside source static tcp 172.17.128.33 110 interface ATM0.1 110

ip nat inside source list 20 interface ATM0.1 overload

ip nat inside source static tcp 172.17.128.21 3131 interface ATM0.1 3131

ip nat inside source static tcp 172.17.128.21 3132 interface ATM0.1 3132

ip nat inside source static tcp 172.17.128.19 43 interface ATM0.1 43

ip nat inside source static tcp 172.17.128.19 53 interface ATM0.1 53

ip nat inside source static udp 172.17.128.19 7 interface ATM0.1 7

ip nat inside source static tcp 172.17.128.29 80 interface ATM0.1 5000

ip nat inside source static tcp 172.17.128.28 80 interface ATM0.1 5001

ip nat inside source static tcp 172.17.128.25 8070 interface ATM0.1 8070

ip nat inside source static tcp 172.17.128.44 80 interface ATM0.1 5005

ip nat inside source static tcp 172.17.128.19 7 interface ATM0.1 7

ip nat inside source static tcp 172.17.128.249 8087 interface ATM0.1 8087

ip nat inside source static tcp 172.17.128.249 8088 interface ATM0.1 8088

ip nat inside source static tcp 172.17.128.11 21 interface ATM0.1 21

ip nat inside source static udp 172.17.128.11 21 interface ATM0.1 21

ip nat inside source static tcp 172.17.128.249 8089 interface ATM0.1 8089

ip nat inside source static tcp 172.17.128.20 9675 interface ATM0.1 9675

ip nat inside source static tcp 172.17.128.14 80 interface ATM0.1 8080

ip nat inside source static tcp 172.17.128.24 5555 interface ATM0.1 5555

ip nat inside source static tcp 172.17.128.43 80 interface ATM0.1 5002

ip nat inside source static tcp 172.17.128.24 8090 interface ATM0.1 8090

ip nat inside source static tcp 172.17.128.41 80 interface ATM0.1 5003

ip nat inside source static tcp 172.17.128.42 80 interface ATM0.1 5004

ip nat inside source static tcp 172.17.128.14 8080 interface ATM0.1 8081

ip nat inside source static tcp 172.17.128.33 465 interface ATM0.1 465

ip nat inside source static tcp 172.17.128.33 995 interface ATM0.1 995

ip nat inside source static tcp 172.17.128.33 143 interface ATM0.1 143

ip nat inside source static tcp 172.17.128.33 25 interface ATM0.1 25

ip route 0.0.0.0 0.0.0.0 XXXXXXX permanent

ip route 10.1.1.0 255.255.255.0 172.17.128.7

ip route 10.1.10.0 255.255.255.0 172.17.128.7

!

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_IP

remark CCP_ACL Category=1

permit ip any any

!

ip radius source-interface FastEthernet0.1

logging 172.17.128.20

access-list 1 permit 172.17.128.0 0.0.63.255

access-list 20 permit 192.168.100.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip 201.198.16.16 0.0.0.3 any

access-list 101 remark CCP_ACL Category=4

access-list 101 permit ip 10.0.0.0 0.255.255.255 any

access-list 101 permit ip 172.17.0.0 0.0.255.255 any

access-list 102 remark CCP_ACL Category=1

access-list 102 permit tcp any any eq 10000

access-list 103 remark CCP_ACL Category=0

access-list 103 permit ip any host 172.17.128.19

access-list 104 remark CCP_ACL Category=0

access-list 104 permit ip any host 172.17.128.33

access-list 105 remark CCP_ACL Category=0

access-list 105 permit ip any host 172.17.128.21

access-list 106 remark CCP_ACL Category=0

access-list 106 permit ip any host 172.17.128.29

access-list 107 remark CCP_ACL Category=0

access-list 107 permit ip any host 172.17.128.28

access-list 108 remark CCP_ACL Category=0

access-list 108 permit ip any host 172.17.128.25

access-list 109 remark CCP_ACL Category=0

access-list 109 permit ip any host 172.17.128.44

access-list 110 remark CCP_ACL Category=0

access-list 110 permit ip any host 172.17.128.249

access-list 111 remark CCP_ACL Category=0

access-list 111 permit ip any host 172.17.128.11

access-list 112 remark CCP_ACL Category=0

access-list 112 permit ip any host 172.17.128.20

access-list 113 remark CCP_ACL Category=0

access-list 113 permit ip any host 172.17.128.14

access-list 114 remark CCP_ACL Category=0

access-list 114 permit ip any host 172.17.128.24

access-list 115 remark CCP_ACL Category=0

access-list 115 permit ip any host 172.17.128.43

access-list 116 remark CCP_ACL Category=0

access-list 116 permit ip any host 172.17.128.41

access-list 117 remark CCP_ACL Category=0

access-list 117 permit ip any host 172.17.128.42

!

!

!

!

!

!

!

control-plane

!

!

!

line con 0

exec-timeout 60 0

logging synchronous

line aux 0

logging synchronous

transport input telnet

transport output telnet

line vty 0 4

exec-timeout 60 0

privilege level 15

length 0

transport input telnet ssh

transport output telnet ssh

Any ideas?

Best Regards.


fb_webuser
Level 6

Make the VPN accessible at the endpoint of the router only. If PCs in the LAN use the VPN client, then their request frames are encapsulated by the VPN and inaccessible by the local LAN network.

---

Posted by WebUser Abhinaba Acharjee from Cisco Support Community App

Thanks.

Sorry, but how can I do it?

Guillermo,

Hola, of course it is not as simple as just putting in a line "allow it"; if it were that simple, nobody would be asking questions, right?

Anyway, there is more that we need to check here. Please enter "ip inspect log drop-pkt" in global configuration mode and then turn on the logs. You will see exactly where it is being dropped and we can modify the policies accordingly.

Mike
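
To map a dropped flow back to the policy that handled it, the following added example (not code from the thread or from Cisco) parses the zone-pair, policy-map and class-map lines quoted from the posted configuration and reports which policy and class actions apply between two zones. The names `parse_zbf` and `zone_pair_report` are assumptions of this example, and `CONFIG` is an excerpt of the post.

```python
# Added example: audit of the zone-pair policies in the posted configuration.
# CONFIG is an excerpt of the post: only the class-map, policy-map and
# zone-pairs that involve ezvpn-zone, with the blank lines removed.
CONFIG = """\
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
ip access-list extended SDM_IP
 permit ip any any
"""

ACTIONS = {"inspect", "pass", "drop", "log", "reset", "allow", "service-policy"}


def parse_zbf(text):
    """Return (class_maps, policies, pairs) parsed from IOS zone-based firewall config."""
    class_maps, policies, pairs = {}, {}, {}
    ctx, cur = None, None            # ctx: which block we are inside; cur: its key
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue                 # the forum paste has a blank line after every line
        line = " ".join(tok)
        if line.startswith("class-map type inspect "):
            ctx, cur = "cmap", tok[-1]
            class_maps[cur] = []
        elif line.startswith("policy-map type inspect "):
            ctx, cur = "pmap", tok[-1]          # last token also covers "inspect http NAME"
            policies[cur] = []
        elif line.startswith("zone-pair security ") and len(tok) == 7:
            ctx, cur = "pair", (tok[2], tok[4], tok[6])
        elif ctx == "cmap" and tok[0] == "match":
            class_maps[cur].append(line)
        elif ctx == "pair" and line.startswith("service-policy type inspect "):
            pairs[(cur[1], cur[2])] = (cur[0], tok[-1])
        elif ctx == "pmap" and tok[0] == "class":
            policies[cur].append([tok[-1], []])
        elif ctx == "pmap" and policies[cur] and tok[0] in ACTIONS:
            policies[cur][-1][1].append(line)
        else:
            ctx = cur = None         # any other line ends the current block
    return class_maps, policies, pairs


def zone_pair_report(text, src, dst):
    """Summarise what the firewall does with traffic from zone src to zone dst."""
    class_maps, policies, pairs = parse_zbf(text)
    if (src, dst) not in pairs:
        # Default behaviour without a zone-pair: inter-zone traffic is dropped,
        # traffic to or from the self zone and within one zone is permitted.
        verdict = "permit" if "self" in (src, dst) or src == dst else "drop"
        return {"zone_pair": None, "policy": None, "classes": [], "default": verdict}
    name, policy = pairs[(src, dst)]
    classes = [(c, " ".join(a), class_maps.get(c, [])) for c, a in policies.get(policy, [])]
    default = next((a for c, a, _ in classes if c == "class-default"), "drop")
    return {"zone_pair": name, "policy": policy, "classes": classes, "default": default}


if __name__ == "__main__":
    for pair in [("ezvpn-zone", "in-zone"), ("in-zone", "ezvpn-zone")]:
        print(pair, zone_pair_report(CONFIG, *pair))
```

The parser ignores blank lines and indentation, so the configuration can be fed to it exactly as pasted in the post.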
