
VPN users cannot see LAN hosts

I have a Cisco 881 router giving out LAN addresses in 10.149.85.x network.

My VPN users can connect to the router correctly, get their IP in the range 192.168.50.x, and can ping the router's interface, but cannot ping any devices on the local network. (Also, the VPN client says LAN is disabled when connected.)

I'm positive this is a simple issue with NAT or ACLs, but I've banged my head against it too long to see clearly anymore.

 

Any help would be greatly appreciated.

Configuration is:

 

 

Building configuration...

Current configuration : 6291 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service password-recovery
!
hostname AB-Router
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauth local
aaa authorization exec default local
aaa authorization network groupauth local
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3140291582
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3140291582
 revocation-check none
 rsakeypair TP-self-signed-3140291582
!
!
crypto pki certificate chain TP-self-signed-3140291582
 certificate self-signed 01
  (cert removed)
      quit
ip source-route
!
!
ip dhcp excluded-address 10.149.85.162 10.149.85.166
ip dhcp excluded-address 192.168.10.1 192.168.10.20
!
ip dhcp pool LAN
   network 10.149.85.0 255.255.255.0
   dns-server 8.8.8.8 4.2.2.1 4.2.2.2
     default-router 10.149.85.1
!
ip dhcp pool Guest-Wlan
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   dns-server 8.8.8.8 4.2.2.1
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
(usernames removed)
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group TESTRemoteUser
 key xxxxxxxxxxx
 pool vpn-pool
 acl 190
 netmask 255.255.255.0
crypto isakmp profile VPNClient
   match identity group TESTRemoteUser
   client authentication list userauth
   isakmp authorization list groupauth
   client configuration address respond
  !
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map outside-dyn-map 65535
 set transform-set ESP-3DES-MD5
 set isakmp-profile VPNClient
!
!
crypto map outside-map 65535 ipsec-isakmp dynamic outside-dyn-map
!
archive
 log config
  hidekeys
!
!!
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 no ip dhcp client request tftp-server-address
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map outside-map
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.149.85.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan10
 description guest-wlan
 ip address 192.168.10.1 255.255.255.0
 ip access-group 130 in
 ip access-group 130 out
 ip nat inside
 ip virtual-reassembly
!
ip local pool vpn-pool 192.168.50.1 192.168.50.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
  !
ip nat inside source route-map outside-nat interface FastEthernet4 overload
!
access-list 100 deny   ip any 192.168.50.0 0.0.0.255
access-list 100 permit ip 10.149.85.0 0.0.0.255 any
access-list 100 deny   ip any 10.0.0.0 0.255.255.255
access-list 100 deny   ip any 172.16.0.0 0.15.255.255
access-list 100 deny   ip any 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 permit udp any any range 16384 32767
access-list 130 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 130 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 130 permit ip any any
access-list 190 permit ip 10.149.85.0 0.0.0.255 192.168.50.0 0.0.0.255
no cdp run

!
!!
route-map outside-nat permit 10
 match ip address 100
 match interface FastEthernet4
  !
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 logging synchronous
 transport input ssh
!
scheduler max-task-time 5000
end

1 ACCEPTED SOLUTION


Hi,

 

This configuration seems to be fine; make sure to set up a route on any device behind this router to send the <192.168.50.0/24> to the VPN server so it can then deliver the response from the Inside LAN to the VPN users.

 

Hope this helps!

 

David Castro,

 

Regards 
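
An added example, not part of the original thread: the posted access-list 100 (NAT route-map) and access-list 190 (referenced by the client group as its split-tunnel list) evaluated with IOS first-match and wildcard-mask semantics, showing that LAN-to-VPN-pool traffic is exempted from NAT by the first entry. The host addresses tested are constructed, and the route-map's `match interface` clause is assumed to be satisfied.

```python
import ipaddress

# ACL entries copied from the running-config posted above.
ACL_TEXT = """
access-list 100 deny   ip any 192.168.50.0 0.0.0.255
access-list 100 permit ip 10.149.85.0 0.0.0.255 any
access-list 100 deny   ip any 10.0.0.0 0.255.255.255
access-list 100 deny   ip any 172.16.0.0 0.15.255.255
access-list 100 deny   ip any 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 190 permit ip 10.149.85.0 0.0.0.255 192.168.50.0 0.0.0.255
"""

def to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def take_addr(tokens):
    """Consume 'any' or 'address wildcard' and return (address, wildcard) as ints."""
    if tokens[0] == "any":
        del tokens[0]
        return 0, 0xFFFFFFFF
    spec = to_int(tokens[0]), to_int(tokens[1])
    del tokens[:2]
    return spec

def parse_acls(text):
    """Return {acl_number: [(action, src_spec, dst_spec), ...]} in configured order."""
    acls = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        rest = tokens[4:]  # what follows 'access-list <n> <action> ip'
        src = take_addr(rest)  # source spec comes first, then destination
        dst = take_addr(rest)
        acls.setdefault(tokens[1], []).append((tokens[2], src, dst))
    return acls

def matches(ip, spec):
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
    return (to_int(ip) & care) == (addr & care)

def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; falling off the end is the implicit deny."""
    for index, (action, src, dst) in enumerate(acl, start=1):
        if matches(src_ip, src) and matches(dst_ip, dst):
            return action, index
    return "deny", None

if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    # Constructed hosts: a LAN PC, a guest-WLAN PC, a VPN client, an Internet server.
    for src, dst in [("10.149.85.20", "192.168.50.5"), ("10.149.85.20", "8.8.8.8"),
                     ("192.168.10.30", "10.149.85.20"), ("192.168.10.30", "8.8.8.8")]:
        action, index = evaluate(acls["100"], src, dst)
        print(f"{src} -> {dst}: entry {index} {action} ->", "NAT" if action == "permit" else "no NAT")
```

Entry 1 of access-list 100 keeps LAN replies to 192.168.50.x untranslated; whether those replies reach this router in the first place depends on routing on the LAN hosts, which none of these ACLs controls.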


Thank you for responding to my cry for help, David.

 

I'm confused, though.  I thought that's what the access-list 190 does.  Are you saying I need a second ip route statement?  Or, am I missing an access list item that allows that traffic back out from the LAN to the vpn users?

 

In a nutshell, I'm not sure how to implement your suggestion.  If possible, could you give me an example?

 

Thanks again!

 

Dave
 


Hi Dave,

 

Which is the topology you have?

Behind this router is there another L3 device?

 

David Castro,

 

Regards

 


Hi, David:

 

I was trying to test this router in a test environment where it was behind another router.

 

Your question tipped me off.  Once I put it into the production environment, and changed the WAN ip address to its final static address (and also changed the ip route to the new static gateway), the VPN routes started working just fine. 

 

So, apparently, my configuration was fine for the production environment, but my test environment was screwing it up.

Thanks for your help!

 

Dave


Hi Dave,

 

It is great to hear that it works now at least :) !!

 

Let me know if you have another question!

 

David Castro,

 

Regards