05-31-2011 09:09 AM - edited 03-04-2019 12:34 PM
Hi!
After adding the below extended access-list entry to my 1841 router,
access-list 102 permit ip host 192.168.1.1 any
I can access the Internet from this client, but I cannot connect to this client from another branch through the VPN tunnels. I can access all other clients that do not have this access-list entry.
Thanks.
05-31-2011 09:31 AM
Posting your config will help.
05-31-2011 10:32 AM
Current configuration : 1934 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Branch-Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging monitor
enable password password
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip name-server Server-1
ip name-server Server-2
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-template 1
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
username vpn password 0 vpn
!
!
!
interface Tunnel1
description VPN To Main-Office
ip address 192.168.100.2 255.255.255.0
tunnel source router wan ip
tunnel destination main-office router wan ip
!
interface FastEthernet0/0
description WAN
ip address public ip
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
description LAN
ip address 192.168.1.2 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
peer default ip address pool branch
no keepalive
ppp authentication pap chap ms-chap
!
ip local pool branch 192.168.1.101 192.168.1.150
ip classless
ip route 0.0.0.0 0.0.0.0 router wan ip
ip route Main Office router wan IP and mask Tunnel1
!
no ip http server
ip nat pool ovrld public ip public ip prefix-length 30
ip nat inside source list 102 pool ovrld overload
!
access-list 102 permit ip host 192.168.1.1 any
!
control-plane
!
!
line con 0
password password
login
line aux 0
line vty 0 4
password password
login
line vty 5 15
password password
login
!
end
05-31-2011 11:29 AM
You will need to NAT-exempt the traffic from 192.168.1.1 going to the IPs on the other end of the tunnel, so if your other-end IP subnet is, for example, 10.0.1.0/24, then you will need to modify access list 102 like this:
access-list 102 deny ip host 192.168.1.1 10.0.1.0 0.0.0.255
access-list 102 permit ip host 192.168.1.1 any
Make sure the NAT-exempt statement appears before the permit-any statement.
Manish
06-01-2011 03:39 PM
Tried but did not succeed. There may be other things that need to be blocked.
Any Suggestions?
Thanks.
06-01-2011 03:58 PM
access-list 102 deny ip host 192.168.1.1 SOURCE_IP WILDCARD_MASK
access-list 102 permit ip host 192.168.1.1 any
Are you sure that you have the right SOURCE_IP and WILDCARD_MASK?
Try Wireshark/tcpdump on 192.168.1.1, capture the source IP coming in, and then deny that in your NAT access-list 102.
Manish
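The two replies above hinge on how IOS evaluates the NAT access list: entries are checked top-down, the first match wins, a deny entry means "do not translate", and the wildcard mask is the inverse of a subnet mask. The following is an added example, not code from the thread or from Cisco: a small Python model of that evaluation that checks the original list, the NAT-exempt list with the deny first, the same two entries in the wrong order, and a common slip the thread does not show (typing the subnet mask 255.255.255.0 where the wildcard 0.0.0.255 belongs). It also turns constructed tcpdump lines, of the kind a capture on 192.168.1.1 would produce, into per-host deny entries. The remote subnet 10.0.1.0/24 is Manish's illustrative value, the capture lines are made up, and the helper names (`is_translated`, `deny_aces_from_capture`) are this example's own.

```python
"""Model of how an IOS NAT ACL decides which flows get translated.
Constructed example, not from the thread or from Cisco. 10.0.1.0/24 is the
illustrative remote subnet from the thread; the tcpdump lines are made up."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination base and wildcard."""
    action: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def wildcard_for(cidr: str) -> str:
    """Wildcard mask for a CIDR prefix: the bitwise inverse of the subnet mask."""
    return str(ipaddress.ip_network(cidr, strict=False).hostmask)


def _matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = don't care (the opposite of a netmask)."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ip SRC DST' where SRC/DST is
    'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (the subset used in the thread)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3].lower() != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    fields, i = [], 4
    for _ in range(2):  # source, then destination
        kw = tok[i].lower()
        if kw == "any":
            fields += ["0.0.0.0", "255.255.255.255"]; i += 1
        elif kw == "host":
            fields += [tok[i + 1], "0.0.0.0"]; i += 2
        else:
            fields += [tok[i], tok[i + 1]]; i += 2
    return Ace(tok[2].lower(), *fields)


def acl_action(acl_lines, src: str, dst: str) -> str:
    """Top-down first match with an implicit deny at the end, as IOS does it."""
    for ace in map(parse_ace, acl_lines):
        if _matches(src, ace.src, ace.src_wild) and _matches(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


def is_translated(acl_lines, src: str, dst: str) -> bool:
    """'ip nat inside source list 102 ...' translates a flow only when list 102
    permits it, so a deny entry is how a flow is exempted from NAT."""
    return acl_action(acl_lines, src, dst) == "permit"


_TCPDUMP = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")


def deny_aces_from_capture(lines, local_host: str) -> list:
    """Turn the source addresses seen hitting local_host in a tcpdump capture into
    NAT-exempt (deny) entries, one per unique remote host, in the order first seen."""
    seen, aces = set(), []
    for line in lines:
        m = _TCPDUMP.search(line)
        if m and m.group(2) == local_host and m.group(1) not in seen:
            seen.add(m.group(1))
            aces.append(f"access-list 102 deny ip host {local_host} host {m.group(1)}")
    return aces


# The access lists discussed in the thread, plus one common mistake.
ORIGINAL = ["access-list 102 permit ip host 192.168.1.1 any"]
EXEMPTED = [
    f"access-list 102 deny ip host 192.168.1.1 10.0.1.0 {wildcard_for('10.0.1.0/24')}",
    "access-list 102 permit ip host 192.168.1.1 any",
]
WRONG_ORDER = list(reversed(EXEMPTED))  # deny placed after permit any: never reached
NETMASK_AS_WILDCARD = [                 # subnet mask typed where the wildcard belongs
    "access-list 102 deny ip host 192.168.1.1 10.0.1.0 255.255.255.0",
    "access-list 102 permit ip host 192.168.1.1 any",
]
CAPTURE = [  # constructed tcpdump output as it would look on 192.168.1.1
    "10:02:11.120345 IP 10.0.1.25.51234 > 192.168.1.1.445: Flags [S], seq 1, win 8192",
    "10:02:11.120890 IP 192.168.1.1.445 > 10.0.1.25.51234: Flags [S.], seq 7, ack 2",
    "10:02:13.004411 IP 10.0.1.40.3389 > 192.168.1.1.56001: Flags [P.], seq 1:100, ack 1",
    "10:02:13.004999 IP 10.0.1.25.51235 > 192.168.1.1.445: Flags [S], seq 3, win 8192",
]

if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL), ("exempted", EXEMPTED),
                      ("wrong order", WRONG_ORDER), ("netmask as wildcard", NETMASK_AS_WILDCARD)]:
        print(f"{name:20s} 192.168.1.1 -> 10.0.1.25 translated: "
              f"{is_translated(acl, '192.168.1.1', '10.0.1.25')}")
    print(deny_aces_from_capture(CAPTURE, "192.168.1.1"))
```

With the original single-entry list, traffic from 192.168.1.1 toward 10.0.1.25 is translated; with the deny entry first it is not, while Internet-bound traffic still is. The reversed order and the netmask-as-wildcard variant both leave the tunnel traffic translated, which is the kind of silent misconfiguration the second reply is asking the poster to rule out.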