Cannot access internal resource via VPN

Dustin Burke
Level 1

Here is my config. The VPN pool is 172.16.4.0/24 and the internal network is 10.10.50.0/24. Once I am connected to the VPN, I can't access the 10.10.50.0 network.

!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group medpark_5th
 key XxxxxXxx
 dns 208.167.42.100
 pool vpn
 acl VPN
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set vpn
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 5 ipsec-isakmp
 set peer 216.12.5.12
 set transform-set vpn
 match address 120
crypto map clientmap 200 ipsec-isakmp dynamic dynmap
!
interface GigabitEthernet0/0
 ip address 173.219.88.20 255.255.255.0
 ip nat outside
 no ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface GigabitEthernet0/1
 ip address 10.10.50.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
 duplex auto
 speed auto
!
ip local pool vpn 172.16.4.0 172.16.4.20
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 173.219.88.1
ip route 172.16.4.0 255.255.255.0 173.219.88.1
!
ip access-list extended VPN
 permit ip 10.10.50.0 0.0.0.255 172.16.4.0 0.0.0.255
 permit ip 172.16.4.0 0.0.0.255 10.10.50.0 0.0.0.255
 deny   ip any any log
!
access-list 101 permit ip 10.10.50.0 0.0.0.255 any
!

2 Replies

You have to exclude your VPN traffic from being NATted. With your config the traffic gets sent to the internal host, and the answers come back to the router where they are NATted to your public IP. After that they don't match the crypto definition any more. So exclude that traffic (intLAN -> VPN) in your ACL 101.

And in your ACL VPN, only the first line is needed.

Sent from Cisco Technical Support iPad App

You must rewrite ACL 101 as this:

access-list 101 deny ip 10.10.50.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 101 permit ip 10.10.50.0 0.0.0.255 any

and I see:

ip access-list extended VPN
 permit ip 10.10.50.0 0.0.0.255 172.16.4.0 0.0.0.255
 permit ip 172.16.4.0 0.0.0.255 10.10.50.0 0.0.0.255

In this ACL, the line

permit ip 172.16.4.0 0.0.0.255 10.10.50.0 0.0.0.255

is not needed.
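As an added illustration (not part of the thread or of Cisco's code), the Python model below traces a LAN-to-VPN-client reply through the router's order of operations, inside-source NAT before the crypto map check, with ACL 101 as originally posted versus as corrected in the replies. The addresses and ACL entries come from the thread; the wildcard-matching helper, the WAN_IP constant and the simplified two-step pipeline are constructed assumptions for this example.

```python
import ipaddress

# Constructed helper: Cisco wildcard masks are inverted netmasks, so 0.0.0.255
# matches a /24. A bit set in the wildcard means "don't care".
def _wild_match(addr, network, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & mask) == (n & mask)

def acl_action(acl, src, dst):
    """Evaluate an ordered ACL of (action, src_net, src_wild, dst_net, dst_wild).
    First match wins; an unmatched packet hits the implicit deny (IOS semantics)."""
    for action, snet, swild, dnet, dwild in acl:
        if _wild_match(src, snet, swild) and _wild_match(dst, dnet, dwild):
            return action
    return "deny"

WAN_IP = "173.219.88.20"  # GigabitEthernet0/0 address from the posted config

# Crypto ACL "VPN": only the LAN -> pool entry is needed, as the replies note.
CRYPTO_ACL = [("permit", "10.10.50.0", "0.0.0.255", "172.16.4.0", "0.0.0.255")]

# ACL 101 as posted: every LAN-sourced packet is translated, VPN replies included.
NAT_ACL_ORIGINAL = [("permit", "10.10.50.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]

# ACL 101 as corrected: deny (exempt) LAN -> pool first, then permit the rest.
NAT_ACL_FIXED = [
    ("deny", "10.10.50.0", "0.0.0.255", "172.16.4.0", "0.0.0.255"),
    ("permit", "10.10.50.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]

def outbound_path(nat_acl, src, dst):
    """Trace an inside->outside packet. On IOS, inside-source NAT runs before the
    crypto map is consulted on the outside interface, so a reply whose source has
    been rewritten to the public IP no longer matches the crypto ACL and leaves
    in the clear instead of going back through the tunnel."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = WAN_IP  # PAT overload rewrites the source to the Gi0/0 address
    encrypted = acl_action(CRYPTO_ACL, src, dst) == "permit"
    return {"post_nat_src": src, "matches_crypto_acl": encrypted}

if __name__ == "__main__":
    for name, acl in (("original", NAT_ACL_ORIGINAL), ("fixed", NAT_ACL_FIXED)):
        print(name, outbound_path(acl, "10.10.50.10", "172.16.4.5"))
```

Run it to see the reply from 10.10.50.10 to the client at 172.16.4.5 lose its crypto match under the posted ACL 101 and keep it under the corrected one, while ordinary Internet-bound traffic is still translated in both cases.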
