Hi,

I have configured my Cisco 1811 router (Lab environemnt) as follows:

VPN settings for remote clients

crypto isakmp client configuration group 3000client

key XXXXXX

dns 8.8.8.8

domain cisco.local

pool ippool

acl 108

VLAN settings

interface FastEthernet7

switchport access vlan 108

!

interface FastEthernet8

switchport access vlan 100

!

interface FastEthernet9

switchport access vlan 66

!

interface Vlan66

ip address 192.168.7.252 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Vlan100

ip address 10.10.10.1 255.255.255.248

ip nat inside

ip virtual-reassembly

!

interface Vlan108

ip address 10.10.10.9 255.255.255.248

!

Split-tunnel ACL for VPN clients

access-list 108 permit ip 10.10.10.0 0.0.0.7 14.1.1.0 0.0.0.255

NAT ACL for VPN and local VLANs

ip nat inside source route-map NONAT interface Dialer0 overload

access-list 112 deny   ip 10.10.10.0 0.0.0.7 14.1.1.0 0.0.0.255

access-list 112 deny   ip 192.168.7.0 0.0.0.255 14.1.1.0 0.0.0.255

access-list 112 permit ip 10.10.10.0 0.0.0.7 any

route-map NONAT permit 10

match ip address 112

I underestand 10.10.10.7 is the broadcast address of Vlan100.

When I connect a VPN client and ping the remote VLAN 10.10.10.1 and then ping 10.10.10.7, the output is as follows:

Pinging 10.10.10.1 with 32 bytes of data:
Reply from 10.10.10.1: bytes=32 time=50ms TTL=255

Pinging 10.10.10.7 with 32 bytes of data:
Reply from 85.176.X.X: bytes=32 time=55ms TTL=255

Question #1: I understand ACL 112 does NAT for 10.10.10.1-6 but not 10.10.10.7. How sould ACL 112 look like?

Question #2: Is it normal to get a reply when you ping a broadcast address at all?

Any help is appreciated!

Kind Regards,

Sebastian