08-06-2017 10:54 PM - edited 03-05-2019 08:57 AM
Router#sh run
Building configuration...
Current configuration : 1273 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login abc1 local
aaa authorization network abc2 local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
!
!
!
!
username cisco password 0 cisco123
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group cisco
key test123
pool vpnpool
!
!
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
crypto dynamic-map map1 10
set transform-set set1
reverse-route
!
!
crypto map map1 client authentication list abc1
crypto map map1 isakmp authorization list abc2
crypto map map1 client configuration address respond
crypto map map1 10 ipsec-isakmp dynamic map1
!
!
!
interface GigabitEthernet0/0
ip address 202.163.70.204 255.255.255.248
duplex auto
speed auto
crypto map map1
!
interface GigabitEthernet0/1
ip address 192.168.0.235 255.255.255.0
duplex auto
speed auto
!
ip local pool vpnpool 192.168.0.232 192.168.0.234
!
ip http server
no ip http secure-server
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
!
end
08-07-2017 05:00 AM
Hi,
You need to create an ACL to allow access to the internal services; it should be applied under crypto isakmp client configuration group cisco:
ip access-list extended VPN-CLIENTS <--It will represent the access to internal services.
permit ip <source> <destination>
crypto isakmp client configuration group cisco
acl <ACL name>
acl VPN-CLIENTS
https://www.tunnelsup.com/remote-access-vpn-connection-using-a-cisco-router/
08-08-2017 09:16 PM
Current configuration : 1704 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login abc1 local
aaa authorization network abc2 local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
!
!
!
!
username cisco password 0 cisco123
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group abc2
key test123
pool vpnpool
acl 101
!
!
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
crypto dynamic-map map1 10
set transform-set set1
reverse-route
!
!
crypto map clientmap client authentication list abc1
crypto map clientmap isakmp authorization list abc2
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic map1
!
!
!
interface GigabitEthernet0/0
ip address 202.163.70.204 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface GigabitEthernet0/1
ip address 192.168.0.235 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip local pool vpnpool 192.168.50.1 192.168.50.50
ip route 0.0.0.0 0.0.0.0 202.163.70.201
!
ip http server
no ip http secure-server
ip nat inside source list 111 interface GigabitEthernet0/0 overload
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip any any
access-list 111 permit ip any any
access-list 111 permit icmp any any
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
password esmletih123
line vty 5 15
password esmletih123
!
scheduler allocate 20000 1000
!
end
ACL defined, but still cannot access the local LAN.
08-08-2017 09:25 PM
Hi
I see a default route configured on the router; do you have entries in the routing table for the LAN networks?
ip route 0.0.0.0 0.0.0.0 202.163.70.201
08-09-2017 02:03 AM
Basically, the LAN network for Internet access is deployed on a TP-Link device, which is linked to a layer 2 switch, and from that layer 2 switch I have linked the router to this local LAN switch with the same LAN IP scheme, 192.168.0.0/24.
I have found another issue which I want to share in a picture: the VPN client shows local LAN disabled. Please review and guide me.
08-09-2017 10:29 PM
The LAN network scheme is 192.168.0.0/24 and is already defined on the router LAN interface.
interface GigabitEthernet0/1
ip address 192.168.0.235 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
Why would I need a routing table entry for the LAN network?
08-09-2017 11:20 PM
Hello,
this is (what I think) the access lists should look like:
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 permit ip 192.168.0.0 0.0.0.255 any
Access list 101 allows traffic from the VPN pool to the LAN. Access list 111 prevents traffic from the VPN pool from being NATted, but allows traffic from the LAN.
08-15-2017 12:13 AM
Is it possible the problem is at the ISP end? Because it is working fine with the Zong ISP at home.
08-08-2017 11:59 PM
Hello,
Julio is right, your access lists are not right. They should be:
ip nat inside source list 111 interface GigabitEthernet0/0 overload
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 permit ip any any
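The two corrections the last replies converge on (a split-tunnel ACL on the client group that permits LAN -> pool, and a deny for LAN -> pool at the top of the NAT ACL so that replies to VPN clients are not translated before the crypto map sees them) can be checked mechanically before a config is pushed. The script below is an added example, not code from the thread, from Cisco or from any reply: it parses the numbered extended ACLs, the ip local pool, the client configuration group and the ip nat inside source list line out of a config and asks those two questions. The sample configs are constructed from the lines posted on 08-08-2017 and from the proposed ACLs; the LAN network is passed in as a parameter rather than read from the interface; only ip/icmp/tcp/udp entries are parsed and port qualifiers are ignored. Function and variable names are the example's own.

```python
import ipaddress
import re

# Constructed sample: the ACL-related lines of the config posted on 08-08-2017.
POSTED_CONFIG = """\
crypto isakmp client configuration group abc2
 key test123
 pool vpnpool
 acl 101
ip local pool vpnpool 192.168.50.1 192.168.50.50
ip nat inside source list 111 interface GigabitEthernet0/0 overload
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip any any
access-list 111 permit ip any any
access-list 111 permit icmp any any
"""

# Constructed sample: the same lines with the ACLs the last two replies propose.
FIXED_CONFIG = POSTED_CONFIG.split("access-list", 1)[0] + """\
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 permit ip any any
"""

# Numbered extended ACEs only, which is all the thread uses; port qualifiers are ignored.
ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) (ip|icmp|tcp|udp) (.+)$")


def _endpoint(tokens):
    """Consume one endpoint ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD') from tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[1] == "255.255.255.255":  # ipaddress would read this wildcard as a /32 netmask
        return ipaddress.ip_network("0.0.0.0/0"), tokens[2:]
    # ipaddress treats a mask whose first octet is 0 as a host mask, i.e. an IOS wildcard
    return ipaddress.ip_network((tokens[0], tokens[1]), strict=False), tokens[2:]


def parse_acls(config):
    """Return {acl_id: [(action, proto, src_net, dst_net), ...]} in config order.
    A malformed ACE (e.g. no protocol keyword, which IOS rejects too) raises ValueError."""
    acls = {}
    for line in (raw.strip() for raw in config.splitlines()):
        if not line.startswith("access-list"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError("unparsed ACE: " + line)
        acl_id, action, proto, rest = m.groups()
        src, rest = _endpoint(rest.split())
        dst, _ = _endpoint(rest)
        acls.setdefault(acl_id, []).append((action, proto, src, dst))
    return acls


def first_match(entries, proto, src_ip, dst_ip):
    """IOS evaluates ACEs top-down and stops at the first match; no match is the implicit deny."""
    for action, ace_proto, src, dst in entries:
        if ace_proto in ("ip", proto) and src_ip in src and dst_ip in dst:
            return action
    return "deny"


def check_easy_vpn(config, lan_net):
    """Apply the two rules the replies converge on. lan_net is the network behind the
    'ip nat inside' interface (192.168.0.0/24 here); it is passed in, not parsed."""
    lan = ipaddress.ip_network(lan_net)
    acls = parse_acls(config)
    pools = dict(re.findall(r"^ip local pool (\S+) (\S+) \S+$", config, re.M))
    nat = re.search(r"^ip nat inside source list (\S+) ", config, re.M)
    group_pool = group_acl = None  # read from the indented body of the client group
    in_group = False
    for raw in config.splitlines():
        if raw.startswith("crypto isakmp client configuration group"):
            in_group = True
        elif in_group and raw.startswith(" "):
            key, _, value = raw.strip().partition(" ")
            group_pool = value if key == "pool" else group_pool
            group_acl = value if key == "acl" else group_acl
        else:
            in_group = False
    client_ip = ipaddress.ip_address(pools[group_pool])  # KeyError if the group names no pool
    lan_host = lan[1]  # any LAN host will do: the ACEs under test are network-wide
    findings = []
    # Rule 1: the split-tunnel ACL is written from the LAN side (source = protected
    # network, destination = client) and must permit LAN -> pool.
    if group_acl is None:
        findings.append("client group has no 'acl': no split-tunnel list is pushed to clients")
    elif first_match(acls.get(group_acl, []), "tcp", lan_host, client_ip) != "permit":
        findings.append(f"split-tunnel ACL {group_acl} does not permit {lan} -> VPN pool")
    # Rule 2: LAN -> pool must hit a deny in the NAT ACL before any permit; otherwise the
    # reply is translated to the outside address before the crypto map sees it and no
    # longer matches the client's IPsec SA.
    if nat and first_match(acls.get(nat.group(1), []), "tcp", lan_host, client_ip) == "permit":
        findings.append(f"NAT ACL {nat.group(1)} permits {lan} -> VPN pool; deny it first")
    return findings
```

Run against the posted config, check_easy_vpn returns a single finding about NAT ACL 111 (the split-tunnel ACL 101 with destination any already matches LAN -> pool, so only the NAT exemption is missing); against the proposed ACLs it returns nothing. An ACE without a protocol keyword raises instead of being skipped silently, since IOS would refuse that line as well.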