05-01-2015 02:44 PM
I have a Cisco 881 router giving out LAN addresses in 10.149.85.x network.
My VPN users can connect to the router correctly, get their IP in the range 192.168.50.x, and can ping the router's interface, but cannot ping any devices on the local network (also, the VPN client says LAN is disabled when connected).
I'm positive this is a simple issue with NAT or ACLs, but I've banged my head against it too long to see clearly anymore.
Any help would be greatly appreciated.
Configuration is:
Building configuration...
Current configuration : 6291 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service password-recovery
!
hostname AB-Router
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauth local
aaa authorization exec default local
aaa authorization network groupauth local
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3140291582
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3140291582
revocation-check none
rsakeypair TP-self-signed-3140291582
!
!
crypto pki certificate chain TP-self-signed-3140291582
certificate self-signed 01
(cert removed)
quit
ip source-route
!
!
ip dhcp excluded-address 10.149.85.162 10.149.85.166
ip dhcp excluded-address 192.168.10.1 192.168.10.20
!
ip dhcp pool LAN
network 10.149.85.0 255.255.255.0
dns-server 8.8.8.8 4.2.2.1 4.2.2.2
default-router 10.149.85.1
!
ip dhcp pool Guest-Wlan
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8 4.2.2.1
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
(usernames removed)
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group TESTRemoteUser
key xxxxxxxxxxx
pool vpn-pool
acl 190
netmask 255.255.255.0
crypto isakmp profile VPNClient
match identity group TESTRemoteUser
client authentication list userauth
isakmp authorization list groupauth
client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map outside-dyn-map 65535
set transform-set ESP-3DES-MD5
set isakmp-profile VPNClient
!
!
crypto map outside-map 65535 ipsec-isakmp dynamic outside-dyn-map
!
archive
log config
hidekeys
!
!!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
no ip dhcp client request tftp-server-address
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map outside-map
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.149.85.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan10
description guest-wlan
ip address 192.168.10.1 255.255.255.0
ip access-group 130 in
ip access-group 130 out
ip nat inside
ip virtual-reassembly
!
ip local pool vpn-pool 192.168.50.1 192.168.50.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map outside-nat interface FastEthernet4 overload
!
access-list 100 deny ip any 192.168.50.0 0.0.0.255
access-list 100 permit ip 10.149.85.0 0.0.0.255 any
access-list 100 deny ip any 10.0.0.0 0.255.255.255
access-list 100 deny ip any 172.16.0.0 0.15.255.255
access-list 100 deny ip any 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 permit udp any any range 16384 32767
access-list 130 deny ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 130 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 130 permit ip any any
access-list 190 permit ip 10.149.85.0 0.0.0.255 192.168.50.0 0.0.0.255
no cdp run
!
!!
route-map outside-nat permit 10
match ip address 100
match interface FastEthernet4
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
logging synchronous
transport input ssh
!
scheduler max-task-time 5000
end
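An added example, not part of the original post: a small evaluator for the wildcard-mask ACLs in the configuration above, so you can check which flows the route-map outside-nat would translate and which the split-tunnel ACL 190 would send through the tunnel. The entries are copied from the posted config; the host addresses used in the checks are constructed samples.

```python
# Added example (not from the original post). Replays access-list 100 (the
# route-map NAT ACL) and access-list 190 (the split-tunnel ACL) from the
# posted config against constructed sample flows.
import ipaddress

# (action, src, src_wildcard, dst, dst_wildcard); "any" = 0.0.0.0 255.255.255.255
ACL_100 = [  # referenced by route-map outside-nat: "permit" == this flow gets NATed
    ("deny",   "0.0.0.0", "255.255.255.255", "192.168.50.0", "0.0.0.255"),
    ("permit", "10.149.85.0", "0.0.0.255",   "0.0.0.0", "255.255.255.255"),
    ("deny",   "0.0.0.0", "255.255.255.255", "10.0.0.0", "0.255.255.255"),
    ("deny",   "0.0.0.0", "255.255.255.255", "172.16.0.0", "0.15.255.255"),
    ("deny",   "0.0.0.0", "255.255.255.255", "192.168.0.0", "0.0.255.255"),
    ("permit", "192.168.10.0", "0.0.0.255",  "0.0.0.0", "255.255.255.255"),
]
ACL_190 = [  # pushed to the VPN client as the split-tunnel list
    ("permit", "10.149.85.0", "0.0.0.255", "192.168.50.0", "0.0.0.255"),
]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


def acl_action(acl, src, dst):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"


def is_natted(src, dst):
    """True if route-map outside-nat would translate this inside->outside flow."""
    return acl_action(ACL_100, src, dst) == "permit"


def client_tunnels(vpn_client, dst):
    """The client applies the pushed split-tunnel ACL mirrored: the ACL's
    source networks become the destinations it sends through the tunnel."""
    return acl_action(ACL_190, dst, vpn_client) == "permit"


if __name__ == "__main__":
    # LAN host replying to a VPN user: exempted from NAT by the first deny entry
    print(is_natted("10.149.85.50", "192.168.50.10"))   # False
    # same LAN host to the Internet: translated on FastEthernet4
    print(is_natted("10.149.85.50", "8.8.8.8"))          # True
    # VPN client to the LAN goes through the tunnel; to the guest VLAN it does not
    print(client_tunnels("192.168.50.10", "10.149.85.20"))   # True
    print(client_tunnels("192.168.50.10", "192.168.10.5"))   # False
```

Because replies from 10.149.85.x to 192.168.50.x leave the router untranslated, any device between the LAN hosts and this router must also know to route 192.168.50.0/24 back to it, which is the point the accepted answer makes.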
05-03-2015 08:49 PM
Hi,
This configuration seems to be fine; make sure to set up a route on any device behind this router to send 192.168.50.0/24 to the VPN server, so it can then deliver the response from the inside LAN to the VPN users.
Hope this helps!
David Castro,
Regards
05-04-2015 08:15 PM
Thank you for responding to my cry for help, David.
I'm confused, though. I thought that's what the access-list 190 does. Are you saying I need a second ip route statement? Or, am I missing an access list item that allows that traffic back out from the LAN to the vpn users?
In a nutshell, I'm not sure how to implement your suggestion. If possible, could you give me an example?
Thanks again!
Dave
05-04-2015 08:57 PM
Hi Dave,
Which is the topology you have?
Behind this router is there another L3 device?
David Castro,
Regards
05-08-2015 10:44 AM
Hi, David:
I was trying to test this router in a test environment where it was behind another router.
Your question tipped me off. Once I put it into the production environment, and changed the WAN ip address to its final static address (and also changed the ip route to the new static gateway), the VPN routes started working just fine.
So, apparently, my configuration was fine for the production environment, but my test environment was screwing it up.
Thanks for your help!
Dave
05-08-2015 01:26 PM
Hi Dave,
It is great to hear that it works now at least :) !!
Let me know if you have another question!
David Castro,
Regards