VPN connection established and can access the internet, but cannot access the local LAN

adeel0680
Level 1

Router#sh run
Building configuration...

Current configuration : 1273 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login abc1 local
aaa authorization network abc2 local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
!
!
!
!
username cisco password 0 cisco123
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group cisco
 key test123
 pool vpnpool
!
!
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
crypto dynamic-map map1 10
 set transform-set set1
 reverse-route
!
!
crypto map map1 client authentication list abc1
crypto map map1 isakmp authorization list abc2
crypto map map1 client configuration address respond

crypto map map1 10 ipsec-isakmp dynamic map1

!
!
!
interface GigabitEthernet0/0
 ip address 202.163.70.204 255.255.255.248
 duplex auto
 speed auto
 crypto map map1
!
interface GigabitEthernet0/1
 ip address 192.168.0.235 255.255.255.0
 duplex auto
 speed auto
!
ip local pool vpnpool 192.168.0.232 192.168.0.234
!
ip http server
no ip http secure-server
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
!
end

8 Replies

Hi,

You need to create an ACL to allow access to the internal services; it should be applied under crypto isakmp client configuration group cisco:

ip access-list extended VPN-CLIENTS  <-- This will represent the access to the internal services.
permit ip <source> <destination>

crypto isakmp client configuration group cisco
acl <ACL name>

acl VPN-CLIENTS

https://www.tunnelsup.com/remote-access-vpn-connection-using-a-cisco-router/




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Current configuration : 1704 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login abc1 local
aaa authorization network abc2 local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
!
!
!
!
username cisco password 0 cisco123
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group abc2
 key test123
 pool vpnpool
 acl 101
!
!
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
crypto dynamic-map map1 10
 set transform-set set1
 reverse-route
!
!
crypto map clientmap client authentication list abc1
crypto map clientmap isakmp authorization list abc2
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic map1
!
!
!
interface GigabitEthernet0/0
 ip address 202.163.70.204 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface GigabitEthernet0/1
 ip address 192.168.0.235 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip local pool vpnpool 192.168.50.1 192.168.50.50
ip route 0.0.0.0 0.0.0.0 202.163.70.201
!
ip http server
no ip http secure-server
ip nat inside source list 111 interface GigabitEthernet0/0 overload
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 deny   ip any any
access-list 111 permit ip any any
access-list 111 permit icmp any any
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 password esmletih123
line vty 5 15
 password esmletih123
!
scheduler allocate 20000 1000
!
end

ACL defined, but still cannot access the local LAN.

Hi

I see a default route configured on the router, do you have entries into the routing table for the LAN networks?

ip route 0.0.0.0 0.0.0.0 202.163.70.201


Basically, the LAN network for internet is deployed on a TP-Link device which is linked to a layer 2 switch, and from the layer 2 switch I have linked the router to this local LAN switch with the same LAN IP scheme, 192.168.0.0/24.

I have found another issue which I want to share in a picture: the VPN client shows local LAN disabled. Please review and guide me.

The LAN network scheme is 192.168.0.0/24 and is already defined on the router LAN interface.

interface GigabitEthernet0/1
 ip address 192.168.0.235 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

Why would I need a routing table entry for the LAN network?

Hello,

This is what (I think) the access lists should look like:

access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 permit ip 192.168.0.0 0.0.0.255 any

Access list 101 allows traffic from the VPN pool to the LAN. Access list 111 denies NAT for traffic from the VPN pool, but allows traffic from the LAN.

Is it possible that the problem is at the ISP end? It is working fine with the Zong ISP at home.

Hello,

Julio is right, your access lists are not right. They should be:

ip nat inside source list 111 interface GigabitEthernet0/0 overload
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 permit ip any any
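The following Python script is an added illustration and is not part of the thread or any Cisco tooling. It implements the matching rules of numbered IOS access lists (wildcard masks, first match wins, implicit deny at the end) and evaluates the NAT ACL 111 as originally posted against the corrected version above, plus the split-tunnel ACL 101. It shows the failure mode the replies are describing: with only "permit ip any any" in the NAT ACL, a LAN host's reply to a VPN-pool address is selected for translation, so its source no longer matches the tunnel; with the deny line first, LAN-to-pool traffic is exempt from NAT while LAN-to-internet traffic is still translated. The LAN host 192.168.0.10 and the internet address 203.0.113.5 are constructed sample values; the "ip" protocol keyword on the deny line is assumed, as IOS requires it.

```python
# Added example, not from the thread or from Cisco: a small evaluator for
# Cisco numbered IP access lists (wildcard masks, first match wins, implicit
# deny at the end), used to show why the NAT ACL needs a deny for
# LAN -> VPN-pool traffic ahead of "permit ip any any".
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # "network wildcard" or "any"
    dst: str      # "network wildcard" or "any"


def matches(addr: str, spec: str) -> bool:
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST' lines (numbered ACL form)."""
    aces = []
    for line in lines:
        tok = line.split()
        action, rest = tok[2], tok[4:]      # tok[3] is the protocol keyword
        fields = []
        for _ in range(2):                   # source, then destination
            if rest[0] == "any":
                fields.append("any")
                rest = rest[1:]
            else:
                fields.append(" ".join(rest[:2]))
                rest = rest[2:]
        aces.append(Ace(action, fields[0], fields[1]))
    return aces


def evaluate(aces, src, dst):
    """Return the action of the first matching ACE, or the implicit deny."""
    for ace in aces:
        if matches(src, ace.src) and matches(dst, ace.dst):
            return ace.action
    return "deny"


# NAT ACL as originally posted in the thread: everything is translated.
NAT_ACL_BEFORE = parse_acl([
    "access-list 111 permit ip any any",
    "access-list 111 permit icmp any any",
])

# NAT ACL as corrected in the last reply (protocol keyword "ip" assumed).
NAT_ACL_AFTER = parse_acl([
    "access-list 111 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255",
    "access-list 111 permit ip any any",
])

# Split-tunnel ACL pushed to the client via the isakmp client group.
SPLIT_TUNNEL_ACL = parse_acl([
    "access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255",
])


def will_be_natted(nat_acl, src, dst):
    """'ip nat inside source list' translates a packet only if the ACL permits it."""
    return evaluate(nat_acl, src, dst) == "permit"


def client_tunnels(client_ip, dst):
    """The split-tunnel ACL is written from the LAN side (LAN -> pool): the
    client sends dst through the tunnel when dst matches a permit ACE's source
    and the client's own pool address matches that ACE's destination."""
    return evaluate(SPLIT_TUNNEL_ACL, dst, client_ip) == "permit"


if __name__ == "__main__":
    # Constructed sample addresses: a LAN host, a pool address, an internet host.
    lan_host, vpn_client, internet = "192.168.0.10", "192.168.50.1", "203.0.113.5"
    print("LAN reply to VPN client NATted (before):",
          will_be_natted(NAT_ACL_BEFORE, lan_host, vpn_client))  # translated: breaks the tunnel
    print("LAN reply to VPN client NATted (after): ",
          will_be_natted(NAT_ACL_AFTER, lan_host, vpn_client))   # exempt from NAT
    print("LAN to internet NATted (after):         ",
          will_be_natted(NAT_ACL_AFTER, lan_host, internet))     # still translated
    print("Client tunnels 192.168.0.10:", client_tunnels(vpn_client, lan_host))
    print("Client tunnels internet:    ", client_tunnels(vpn_client, internet))
```

The order of the two lines in ACL 111 is what matters: IOS stops at the first matching entry, so the deny for LAN-to-pool traffic has to precede the permit, and the same evaluator can be pointed at any other pair of "before" and "after" ACLs from a show run to confirm which flows are exempted.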
