Can connect to router through VPN Client but cannot access any private LAN machines

mirsalaradili (Level 1)

Hello all,

I have a change in my network where I had to set up a public IP directly on my internet interface. I am hosting Crypto IPSec on my router to provide VPN service to my employees. After setting the public IP on my interface gig0/1 and making changes to the ip nat and ip routing, I am able to connect to the router and get authenticated, but I am not able to ping or access any of the LAN machines. Below is my config:

Building configuration...

Current configuration : 16288 bytes
!
! Last configuration change at 12:08:24 TIME Sat Sep 21 2013 by admin
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WRouter
!
boot-start-marker
boot system flash c1900-universal-mz.SPA.151-3.T1.bin
boot system flash c1900-universalk9-mz.SPA.151-3.T1.bin
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 XXXXXXXXXXXXXXXXXXXxx
enable password 7 XXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login VPNUser local
aaa authorization network VPNGroup local
!
!
!
!
!
aaa session-id common
!
clock timezone TIME -4 0
service-module wlan-ap 0 bootimage autonomous
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.149
ip dhcp excluded-address 10.0.20.1 10.0.20.10
ip dhcp excluded-address 10.0.0.250 10.0.0.254
!
ip dhcp pool Internal
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.1
   dns-server 10.0.0.3 8.8.8.8
!
ip dhcp pool staticprinter
   host 10.0.0.238 255.255.255.0
   hardware-address 0080.7784.8180
!
ip dhcp pool WIRELESS
   network 10.0.20.0 255.255.255.0
   default-router 10.0.20.1
   dns-server 10.0.20.1 8.8.8.8
   domain-name ppsinfotech.com
!
!
!
crypto ctcp port 10000
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN
key XXXXXXXXXXXXX
dns 10.0.0.3 4.2.2.2
domain contoso.com
pool vpnpool
acl split
split-dns contoso.com
netmask 255.255.255.0
!
crypto ipsec security-association idle-time 1200
crypto ipsec security-association replay disable
!
crypto ipsec transform-set tset esp-aes esp-md5-hmac
!
crypto dynamic-map dmap 10
set transform-set tset
reverse-route
!
!
crypto map dmap client authentication list VPNUser
crypto map dmap isakmp authorization list VPNGroup
crypto map dmap client configuration address respond
crypto map dmap 10 ipsec-isakmp dynamic dmap
!
!
interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 10.0.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
shutdown
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip address 10.10.10.10 255.255.255.0
arp timeout 0
no mop enabled
no mop sysid
!
interface GigabitEthernet0/1
ip address 50.112.237.70 255.255.255.252
ip access-group testin in
ip nat outside
ip virtual-reassembly in
ip policy route-map VPN-Client
duplex full
speed 100
crypto map dmap
!
interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP
switchport access vlan 30
!
interface GigabitEthernet0/1/0
switchport access vlan 10
!
interface GigabitEthernet0/1/1
switchport access vlan 10
!
interface GigabitEthernet0/1/2
switchport access vlan 10
!
interface GigabitEthernet0/1/3
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
ip address 10.0.6.3 255.255.255.0
!
interface Vlan30
ip address 10.0.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip local policy route-map VPN_USERS_RM
ip local pool vpnpool 10.0.5.10 10.0.5.150
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat pool G1 50.112.237.111 50.112.237.111 prefix-length 27
ip nat inside source route-map NAT2 pool G1 overload
ip nat inside source static 50.112.237.70 50.112.237.110
ip route 0.0.0.0 0.0.0.0 50.112.237.69
!
ip access-list extended VPN_USERS
permit udp any eq isakmp any
permit udp any any eq isakmp
permit udp any eq non500-isakmp any
permit udp any any eq non500-isakmp
permit tcp any eq 10000 any
permit tcp any any eq 10000
permit icmp host 10.0.1.2 any
ip access-list extended split
permit ip 10.0.0.0 0.0.0.255 10.0.5.0 0.0.0.255
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 deny   ip 10.0.0.0 0.0.0.255 10.0.5.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip 10.0.20.0 0.0.0.255 any
access-list 102 deny   ip 10.0.0.0 0.0.0.255 10.0.5.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 permit ip 10.0.20.0 0.0.0.255 any
access-list 103 permit ip 10.0.5.0 0.0.0.255 any
access-list 105 permit tcp host 10.0.0.4 eq www any
access-list 105 permit tcp host 10.0.0.4 eq 3400 any
access-list 105 permit tcp host 10.0.0.94 eq www any
access-list 105 permit ip 10.0.0.0 0.0.0.255 10.0.5.0 0.0.0.255
access-list 150 permit tcp any any eq 10000
access-list 151 permit ip 10.0.0.0 0.0.0.255 10.0.5.0 0.0.0.255
!
!
!
!
route-map REMOTE permit 10
match ip address 151
set ip next-hop 50.112.237.69
!
route-map VPN_USERS_RM permit 10
match ip address VPN_USERS
set ip next-hop 50.112.237.69
!
route-map PBR permit 10
match ip address 105
set ip next-hop 50.112.237.69
!
route-map VPN permit 10
match ip address 150
set ip next-hop 50.112.237.69
!
route-map VPN-Client permit 10
match ip address 103
set ip next-hop 10.11.0.2
!
route-map NAT2 permit 10
match ip address 102
match interface GigabitEthernet0/1
!
route-map NAT1 permit 10
match ip address 101
match interface GigabitEthernet0/0
!
!
!
!
control-plane

My internal network: 10.0.0.x

My internal wireless network: 10.0.20.x

My VPN pool: 10.0.5.x

My internet interface: Gig0/1

I am using one of my available public IPs for internal internet access, for which I have created a NAT and route-map. The same for my VPN connection.

Note: IP addresses are only for reference and have been changed for security purposes.

Please advise...

Thanks,

Salar
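As an added example (not part of the thread and not a diagnosis of the posted config), the check below parses the VPN pool, the split-tunnel ACL and the NAT route-map ACL out of the config and reports any LAN subnet whose traffic to the pool is not permitted by the split ACL, or is not denied (NAT-exempted) before the permit in ACL 102. It assumes the poster's own list of LAN subnets (10.0.0.0/24 and 10.0.20.0/24) and only handles `ip` entries with `any` or address/wildcard specs.

```python
import ipaddress
# Constructed excerpt of the config posted above: VPN pool, split-tunnel ACL, NAT route-map ACL 102.
CONFIG = """
ip local pool vpnpool 10.0.5.10 10.0.5.150
ip access-list extended split
permit ip 10.0.0.0 0.0.0.255 10.0.5.0 0.0.0.255
access-list 102 deny   ip 10.0.0.0 0.0.0.255 10.0.5.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 permit ip 10.0.20.0 0.0.0.255 any
"""

def _addr(t):
    # One IOS address spec: 'any' or 'A WILDCARD'; ipaddress reads the wildcard as a hostmask.
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]

def parse_acls(config):
    # name -> ordered [(action, src_net, dst_net)]; only 'ip' entries of extended ACLs are kept.
    acls, current = {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "access-list", "extended"]:
            current = t[3]
            continue
        if t[:1] == ["access-list"] and t[3:4] == ["ip"]:
            name, entry = t[1], t[2:]          # numbered extended ACL
        elif current and t[1:2] == ["ip"] and t[0] in ("permit", "deny"):
            name, entry = current, t           # entry under a named ACL header
        else:
            continue
        src, rest = _addr(entry[2:])
        acls.setdefault(name, []).append((entry[0], src, _addr(rest)[0]))
    return acls

def first_match(entries, src, dst):
    # Action of the first entry matching src -> dst; every IOS ACL ends with an implicit deny.
    return next((a for a, s, d in entries if src in s and dst in d), "deny")

def audit(config, lan_subnets, split_acl="split", nat_acl="102"):
    # LAN -> pool traffic must be permitted by the split ACL and denied (exempted) by the NAT ACL.
    acls, pool = parse_acls(config), next(l.split() for l in config.splitlines() if l.startswith("ip local pool"))
    findings = set()
    for lan in map(ipaddress.ip_network, lan_subnets):
        for client in (ipaddress.ip_address(pool[4]), ipaddress.ip_address(pool[5])):  # both ends of the pool
            if first_match(acls.get(split_acl, []), lan[1], client) != "permit":
                findings.add(f"{lan} is not in split-tunnel ACL {split_acl}: clients get no route to it")
            if first_match(acls.get(nat_acl, []), lan[1], client) == "permit":
                findings.add(f"{lan} -> VPN pool is not exempted from NAT by ACL {nat_acl}")
    return sorted(findings)
```

On the excerpt above, `audit(CONFIG, ["10.0.0.0/24", "10.0.20.0/24"])` is clean for 10.0.0.0/24 and reports both conditions for the wireless subnet 10.0.20.0/24.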

2 Replies

pieterh (VIP)

interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 10.0.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
shutdown


Last line will be your trouble?

Sent from Cisco Technical Support iPad App

I don't believe that is the problem. I am not using my gig0/0 in this scenario. This used to be one of my two internet lines, but since I am using Fiber now I only use gig0/1. That is why 0/0 is shutdown. Any other ideas? The problem is that the VPN users can be authenticated through gig0/1 but cannot ping any of the LAN servers (subnet 10.0.0.x).

I think it may be related to how I have configured my VPN public IP 1-to-1 NAT on the router (ip nat inside source static 50.112.237.70 50.112.237.110). Is there something wrong with the way this is set up?

Any advice would be much appreciated.

Salar