I have just set up a remote access ipsec vpn server on my cisco 887 and am experiencing an issue and was wondering if anyone would be able to help.
I can get connected to the VPN ok through the Cisco VPN client but I am unable to access the internal network. I get an IP address from the VPN pool in the 192.168.10.0 range. I am unable to ping or access the router or any other devices on the 192.168.1.0 network.
I'm sure I have just made a simple mistake as this is the first VPN I have set up. Any help would be greatly appreciated.
I have attached my config to this post.
Please remove this ACL, the one highlighted below.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
Now create a new ACL.
ip access-list extended PAT_ACL
deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list PAT_ACL interface Dialer0 overload
Let me know if this helps.
Last note, please be sure to do this from inside the network or via SSH/Telnet to the public address, because when you remove both highlighted lines above, you will be disconnected, along with all xlates.
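The reason the ACL swap above matters is first-match ordering: the old standard ACL permits everything sourced from 192.168.1.0/24, so replies from the LAN to the VPN pool get translated out Dialer0 instead of going back through the tunnel, while the new extended ACL matches that traffic on the deny line first and leaves it untranslated. The following is an added example, not part of this thread or Cisco's code: a small Python evaluator that applies IOS first-match semantics to the exact ACL lines quoted above and reports whether a given LAN-to-VPN or LAN-to-Internet packet would be NATted. It assumes contiguous wildcard masks, the "ip" protocol keyword only, and the implicit deny at the end of every ACL; the client and Internet addresses are constructed sample values.

```python
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed from the thread: the original NAT ACL and its replacement.
OLD_ACL = ["access-list 1 permit 192.168.1.0 0.0.0.255"]
NEW_ACL = [
    "deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "permit ip 192.168.1.0 0.0.0.255 any",
]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair (wildcard = inverted mask) to a network.
    Assumption: the wildcard is contiguous (0.0.0.255 style), as in this thread."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w != (1 << w.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard not supported: {wildcard}")
    prefix = 32 - w.bit_length()
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)


def parse_addr(tokens):
    """Consume one ACL address spec ('any', 'host X', or 'addr wildcard')."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str):
    """Parse a standard ('access-list N permit src wc') or extended
    ('permit|deny ip src dst') entry into (action, src_net, dst_net)."""
    tok = line.split()
    if tok[0] == "access-list":
        # standard ACL: only a source is matched, destination is implicitly any
        action = tok[2]
        src, _ = parse_addr(tok[3:])
        return action, src, ANY
    action, proto = tok[0], tok[1]
    if proto != "ip":
        raise ValueError(f"only 'ip' entries are modelled here: {line}")
    src, rest = parse_addr(tok[2:])
    dst, _ = parse_addr(rest)
    return action, src, dst


def nat_decision(acl_lines, src_ip: str, dst_ip: str) -> bool:
    """True if the NAT ACL would translate a packet src->dst (a 'permit' match),
    False if it would be left alone. IOS evaluates top-down, first match wins,
    and an unmatched packet hits the implicit deny (no translation)."""
    s = ipaddress.IPv4Address(src_ip)
    d = ipaddress.IPv4Address(dst_ip)
    for line in acl_lines:
        action, src_net, dst_net = parse_ace(line)
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


if __name__ == "__main__":
    lan_host, vpn_client, internet = "192.168.1.50", "192.168.10.5", "203.0.113.10"
    for name, acl in (("OLD_ACL", OLD_ACL), ("NEW_ACL", NEW_ACL),
                      ("NEW_ACL reversed", list(reversed(NEW_ACL)))):
        print(f"{name}: LAN->VPN translated={nat_decision(acl, lan_host, vpn_client)}, "
              f"LAN->Internet translated={nat_decision(acl, lan_host, internet)}")
```

Running it shows the old ACL translating LAN-to-VPN replies (the breakage in the original post), the new ACL exempting them while still translating Internet-bound traffic, and the reversed order silently reintroducing the problem, which is the check worth making whenever a NAT exemption is added after the fact.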
Thanks for the reply. I applied your suggested fix but no joy. Thanks for the warning about kicking myself out, I read through the commands and thought that might happen.
Could it be due to my current local network being 192.168.1.0/24 the same as the remote network?
"Could it be due to my current local network being 192.168.1.0/24 the same as the remote network?"
Answer is no.
Try the solution I suggest by temporarily removing the Zone-Based Firewall and it should work; once it is working you will know for sure that your ZBF is causing the problem, and you can then customize the ZBF as per your need.
Hope that helps.
Please remove the three highlighted lines from three of your interfaces on the router.
zone-member security out-zone
zone-member security in-zone
interface Virtual-Template2 type tunnel
zone-member security vpn-zone
Lastly, if you have a layer 3 switch, please make sure you have a static route in place on the inside switch as shown below.
ip route 192.168.10.0 255.255.255.0 192.168.1.1
If you do not have a layer 3 switch inside your network, then do not worry about the static route.
Please rate helpful post.