Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
784
Views
0
Helpful
5
Replies

VPN users cannot see LAN hosts

Go to solution
slyman007
Level 1
Level 1

‎05-01-2015 02:44 PM

I have a Cisco 881 router giving out LAN addresses in 10.149.85.x network.

MY VPN users can connect to the router correctly get their IP in the range 192.168.50.x and can ping the router's interface, but cannot ping any devices on the local network. (also VPN client says LAN is disabled when connected).

I'm positive this is a simple issue with NAT or ACLs, but I've banged my head against it too long to see clearly anymore.

 

Any help would be greatly appreciated.

Configuration is:

 

 

Building configuration...

Current configuration : 6291 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service password-recovery
!
hostname AB-Router
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauth local
aaa authorization exec default local
aaa authorization network groupauth local
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3140291582
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3140291582
 revocation-check none
 rsakeypair TP-self-signed-3140291582
!
!
crypto pki certificate chain TP-self-signed-3140291582
 certificate self-signed 01
  (cert removed)
      quit
ip source-route
!
!
ip dhcp excluded-address 10.149.85.162 10.149.85.166
ip dhcp excluded-address 192.168.10.1 192.168.10.20
!
ip dhcp pool LAN
   network 10.149.85.0 255.255.255.0
   dns-server 8.8.8.8 4.2.2.1 4.2.2.2
     default-router 10.149.85.1
!
ip dhcp pool Guest-Wlan
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   dns-server 8.8.8.8 4.2.2.1
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
(usernames removed)
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group TESTRemoteUser
 key xxxxxxxxxxx
 pool vpn-pool
 acl 190
 netmask 255.255.255.0
crypto isakmp profile VPNClient
   match identity group TESTRemoteUser
   client authentication list userauth
   isakmp authorization list groupauth
   client configuration address respond
  !
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map outside-dyn-map 65535
 set transform-set ESP-3DES-MD5
 set isakmp-profile VPNClient
!
!
crypto map outside-map 65535 ipsec-isakmp dynamic outside-dyn-map
!
archive
 log config
  hidekeys
!
!!
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 no ip dhcp client request tftp-server-address
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map outside-map
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.149.85.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan10
 description guest-wlan
 ip address 192.168.10.1 255.255.255.0
 ip access-group 130 in
 ip access-group 130 out
 ip nat inside
 ip virtual-reassembly
!
ip local pool vpn-pool 192.168.50.1 192.168.50.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
  !
ip nat inside source route-map outside-nat interface FastEthernet4 overload
!
access-list 100 deny   ip any 192.168.50.0 0.0.0.255
access-list 100 permit ip 10.149.85.0 0.0.0.255 any
access-list 100 deny   ip any 10.0.0.0 0.255.255.255
access-list 100 deny   ip any 172.16.0.0 0.15.255.255
access-list 100 deny   ip any 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 permit udp any any range 16384 32767
access-list 130 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 130 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 130 permit ip any any
access-list 190 permit ip 10.149.85.0 0.0.0.255 192.168.50.0 0.0.0.255
no cdp run

!
!!
route-map outside-nat permit 10
 match ip address 100
 match interface FastEthernet4
  !
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 logging synchronous
 transport input ssh
!
scheduler max-task-time 5000
end

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
David Johan Castro Fernandez
Level 3
Level 3

‎05-03-2015 08:49 PM

Hi,

 

This configuration seems to be fine, make sure to set up a route on any device behind this router to send the <192.168.50.0/24> to the VPN server so it can then deliver the respond from the Inside LAN to the VPN users.

 

Hope this helps!

 

David Castro,

 

Regards 

View solution in original post

0 Helpful
5 Replies 5

Go to solution
David Johan Castro Fernandez
Level 3
Level 3

‎05-03-2015 08:49 PM

Hi,

 

This configuration seems to be fine, make sure to set up a route on any device behind this router to send the <192.168.50.0/24> to the VPN server so it can then deliver the respond from the Inside LAN to the VPN users.

 

Hope this helps!

 

David Castro,

 

Regards 

0 Helpful

Go to solution
slyman007
Level 1
Level 1
In response to David Johan Castro Fernandez

‎05-04-2015 08:15 PM

Thank you for responding to my cry for help, David.

 

I'm confused, though.  I thought that's what the access-list 190 does.  Are you saying I need a second ip route statement?  Or, am I missing an access list item that allows that traffic back out from the LAN to the vpn users?

 

In a nutshell, I'm not sure how to implement your suggestion.  If possible, could you give me an example?

 

Thanks again!

 

Dave
 

0 Helpful

Go to solution
David Johan Castro Fernandez
Level 3
Level 3
In response to slyman007

‎05-04-2015 08:57 PM

Hi Dave,

 

Which is the topology you have?

Behind this router is there another L3 device?

 

David Castro,

 

Regards

 

0 Helpful

Go to solution
slyman007
Level 1
Level 1
In response to David Johan Castro Fernandez

‎05-08-2015 10:44 AM

Hi, David:

 

I was trying to test this router in a a test environment where it was behind another router. 

 

Your question tipped me off.  Once I put it into the production environment, and changed the WAN ip address to its final static address (and also changed the ip route to the new static gateway), the VPN routes started working just fine. 

 

So, apparently, my configuration was fine for the production environment, but my test environment was screwing it up.

Thanks for your help!

 

Dave

0 Helpful

Go to solution
David Johan Castro Fernandez
Level 3
Level 3
In response to slyman007

‎05-08-2015 01:26 PM

Hi Dave,

 

It is great to hear that it works now at least :) !!

 

Let me know if you have another question!

 

David castro,

 

Regards

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents