Roberto,

Thank you for the suggestions. I have added the ACL and changed the VPN encryption so the transform set doesn't match but am still not able to get a ping across the VPN. I am getting an active VPN connection according to the Netgear router at the endpoint and according to the Cisco. I have posted the config below. If I run a traceroute from the cisco to ping the remote LAN, it is routing the VPN-bound traffic to the ISP gateway and not sending it over the tunnel. Is there something I missed/misunderstood on your suggestions? I also took out the default-gateway line to keep things as clean as possible.

Thanks again.

Joey

sho run
Building configuration...

Current configuration : 1896 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname "HOSTNAME"
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
ip name-server 208.38.252.3
ip name-server 184.170.172.131
!
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ABCD123456 address "ENDPOINT WAN IP"
!
!
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
!
!
crypto map shop 20 ipsec-isakmp
 set peer "ENDPOINT WAN IP"
 set transform-set esp-3des-md5
 match address 100
!
!
!
interface FastEthernet0/0
 description LAN Interface
 ip address 192.168.27.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description WAN Interface
 ip address "LOCAL WAN IP" 255.255.255.248
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map shop
!
ip classless
ip route 0.0.0.0 0.0.0.0 "ISP GATEWAY"
!
no ip http server
no ip http secure-server
ip nat pool internet "LOCAL WAN IP(S)" prefix-length 30
ip nat inside source list 1 pool internet overload
ip nat inside source list nat pool internet overload
!
ip access-list extended inside
ip access-list extended nat
 deny   ip 192.168.27.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.27.0 0.0.0.255 any
!
access-list 1 permit 192.168.27.0 0.0.0.255
access-list 100 permit ip 192.168.27.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp run
!
!
control-plane
!
!
line con 0
 password password1
 login
line aux 0
 password password1
 login
line vty 0 4
 password password1
 login
!
end

The previous poster was correct in using the extended ACL for NAT.

Try removing 'ip nat inside source list 1 pool internet overload'

What seems to be happening is your traffic sourced at 192.168.27.0 is hitting the NAT statement, which is still referencing ACL 1. ACL 1 is permitting 192.168.27.0 to go through the NAT process and be sent to the ISP. Because the destination is a private address, your ISP will drop it.

If only the ACL 'nat' is used for the NAT process, then it will deny traffic destined to the remote-side private network.

If you add any other remote vpn networks in the future, you will need to add the deny statement for those as well.

I tried to take out the two extra lines to see what would happen, but had no luck. I also tried changing around some of the VPN settings to see if it would make any difference since the Netgear endpoint isn't quite as particular as it needs to be (reports that it is connected when not everything matches from time to time), but that didn't seem to make a difference either. I took out one of the access-lists as it didn't appear like it was being referenced anywhere either, and it had no effect on VPN or internet access.

I really appreciate the help and hope that we can figure out what I am missing!

Here is the updated config:

sho run
Building configuration...

Current configuration : 1780 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname L0stN00b
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
ip name-server "ISP DNS SERVER 1"
ip name-server "ISP DNS SERVER 2"
!
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ABCD123456 address "REMOTE VPN IP"
!
!
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
!
!
crypto map shop 20 ipsec-isakmp
 set peer "REMOTE VPN IP"
 set transform-set esp-3des-md5
 match address 100
!
!
!
interface FastEthernet0/0
 description LAN Interface
 ip address 192.168.27.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description WAN Interface
 ip address "LOCAL WAN IP" 255.255.255.248
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map shop
!
ip classless
ip route 0.0.0.0 0.0.0.0 "ISP GATEWAY IP"
!
no ip http server
no ip http secure-server
ip nat pool internet "LOCAL WAN IP(S)" prefix-length 30
ip nat inside source list nat pool internet overload
!
ip access-list extended nat
 deny   ip 192.168.27.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.27.0 0.0.0.255 any
!
access-list 100 permit ip 192.168.27.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp run
!
!
control-plane
!
!
line con 0
 password password1
 login
line aux 0
 password password1
 login
line vty 0 4
 password password1
 login
!
end

Please post the output of 

sh crypto isakmp sa 

sh crypto session

sh crypto ipsec sa

If you are missing encaps, and phase one is up, then you know its either your ACL, or your NAT config.

Outputs of show statements requested:

L0stN00b#sh crypto isakmp sa
dst                 src             state          conn-id slot status
"REMOTE WAN IP"  "LOCAL WAN IP"  QM_IDLE              5    0 ACTIVE

L0stN00b#sh crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE     
Peer: "REMOTE WAN IP" port 500
  IKE SA: local "LOCAL WAN IP"/500 remote "REMOTE WAN IP"/500 Active
  IPSEC FLOW: permit ip 192.168.27.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map

L0stN00b#sh crypto session ipsec sa

interface: FastEthernet0/1
    Crypto map tag: shop, local addr "LOCAL WAN IP"

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.27.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer "REMOTE WAN IP" port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 115, #pkts encrypt: 115, #pkts digest: 115
    #pkts decaps: 112, #pkts decrypt: 112, #pkts verify: 112
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: "LOCAL WAN IP", remote crypto endpt.: "REMOTE WAN IP"
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x4770604(74909188)

     inbound esp sas:
      spi: 0x280DA6EC(671983340)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3002, flow_id: FPGA:2, crypto map: shop
        sa timing: remaining key lifetime (k/sec): (4562851/2815)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4770604(74909188)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3001, flow_id: FPGA:1, crypto map: shop
        sa timing: remaining key lifetime (k/sec): (4562848/2814)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
L0stN00b#

L0stN00b#sh crypto session ipsec sa

interface: FastEthernet0/1
    Crypto map tag: shop, local addr "LOCAL WAN IP"

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.27.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer "REMOTE WAN IP" port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 115, #pkts encrypt: 115, #pkts digest: 115
    #pkts decaps: 112, #pkts decrypt: 112, #pkts verify: 112

This looks healthy to me.  Can you ping devices behind the cisco and the netgear? i.e Laptop on 192.168.27.x to laptop on 192.168.1.x

Does each device behind the routers have default gateways pointing at the respective routers?  it could be time for a diagram

Computer A --wired to-->Router A<<>>VPN<<>>Router B--wired to-->Computer B

Router A @ 192.168.1.1 can ping Router B @ 192.168.27.1

Router B @ 192.168.27.1 cannot ping Router A @ 192.168.1.1

Router A @ 192.168.1.1 cannot ping Computer B @ 192.168.27.10

Router B @ 192.168.27.1 cannot ping Computer A @ 192.168.1.114

Computer A @ 192.168.1.114 can ping Router B @ 192.168.27.1

Computer B @ 192.168.27.10 can ping Router A @ 192.168.1.1

Computer A @ 192.168.1.114 cannot ping Computer B @ 192.168.27.10

Computer B @ 192.168.27.10 cannot ping Computer A @ 192.168.1.114

Router A @ 192.168.1.1 can ping Computer A @ 192.168.1.114

Router B @ 192.168.27.1 can ping Computer B @ 192.168.27.10

(just to show that PCs are not blocking pings)

Make sure you source the ping from the inside interface. By default it will use the outgoing interface, which is most like the WAN interface.  This traffic will not go over the tunnel.

E.g. if router A is the cisco, trying pinging the remote PC using the lan interface.

ping 192.168.27.10 source fa0/0

In the example/tests above, Router A was the Netgear. Router B was the Cisco. Sorry I forgot to add that.

The computer's are not able to ping each other through the network, so something is still blocking it, even if I were to source where the router was pinging from.

Try telnetting to port 445 if they are windows laptops, from laptop to laptop in both directions.  Could be host firewalls just blocking icmp, as some of your traffic flows look to be working.  I do not think its a VPN setup issue.

From either router, I can ping the PC on that local network though, just not from the remote network, which should mean that there are no firewalls enabled on the PCs. Correct?

From either router, I cannot ping the PC on the other network (even with the addition of the source fa0/0 to the command). I can (with the source option added) ping the Netgear from the Cisco (Router B will ping Router A) now which I did not have before.

If I run a traceroute from the Cisco to try to ping the computer connected to the netgear, the route is still trying to go out to the gateway.

I will try the Telnet 445 in a bit when I get back and report the results, but I don't see how it would work if it is still trying to source the traffic to the gateway. Am I missing something in the process of its communication?

Pings often work asymmetrically, while tcp often wont if there is a security device in the way so I suggested the telnet to rule that out.  However that is the opposite of what may work here - as your pings are failing.  

Are you able to post the routing tables with the sensitive information removed? Both the cisco and the netgear (screenshots perhaps). 

Also perhaps check the host routing tables also - just in case there is some strange entries.

open a cmd window and grab a

route print -4

what is the model of netgear?

As an update to the function of the VPN, I can now ping as follows:

Netgear (192.168.1.1) to Cisco (192.168.27.1) YES

Netgear (192.168.1.1) to Laptop on Cisco (192.168.27.10) NO

Cisco (192.168.27.1) to Netgear (192.168.1.1) NO

Cisco (192.168.27.1) to Desktop on Netgear (192.168.1.114) NO

To me, the fact that I can ping Lan to Lan at all would indicate that the VPN settings are correct and that the VPN is up and running. The fact that I can't ping the LAN devices on the cisco sounds like an inbound ACL problem, and the fact I can't ping anything on the Netgear side from the Cisco side sounds like it is still trying to route everything to the gateway through the NAT and not via the tunnel (an outbound ACL problem). Am I thinking about this correctly? Are these presumptions correct?