Beginner

Remote site to site VPN user cannot access LAN resources

Users in remote site can get ping response but no http service from local web server where the local web server also has NAT rule allowing access from WAN. In the below config, users in remote 10.10.10.160/27 can ping 10.10.10.30 and 10.10.10.95, but http packets are not returned.

What do I need to do to fix this?

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SFGallery
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_3 group radius local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
!
clock timezone PCTime -7 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 172.16.0.1 172.16.3.99
ip dhcp excluded-address 172.16.3.200 172.16.3.254
!
ip dhcp pool SFGallery172
 import all
 network 172.16.0.0 255.255.252.0
 domain-name xxxxxxxxxxxx
 dns-server 10.10.10.10
 default-router 10.10.10.94
 netbios-name-server 10.10.10.10
!
!
ip domain name gpgallery.com
ip name-server 10.10.10.10
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 10.10.10.80
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
crypto pki trustpoint SFGallery_Certificate
 enrollment selfsigned
 serial-number none
 ip-address none
 revocation-check crl
 rsakeypair SFGallery_Certificate_RSAKey 512
!
!
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain SFGallery_Certificate
 certificate self-signed 01
  xxxxxx
  quit
license udi pid CISCO2911/K9 sn FTX1542AKJ3
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
hw-module sm 1
!
!
!
object-group network Corp
 172.16.4.0 255.255.252.0
 10.10.10.128 255.255.255.224
!
object-group network SFGallery
 172.16.0.0 255.255.252.0
 10.10.10.0 255.255.255.128
!
object-group network NY
 10.10.10.160 255.255.255.224
 172.16.16.0 255.255.252.0
!
object-group network GPAll
 group-object SFGallery
 group-object NY
 group-object Corp
!
username xxx
username xxx
username xxx
username xxx
!
redundancy
!
!
!
!
no ip ftp passive
ip ssh version 1
!
class-map type inspect match-all CCP_SSLVPN
 match access-group name CCP_IP
!
!
policy-map type inspect ccp-sslvpn-pol
 class type inspect CCP_SSLVPN
  pass
!
zone security sslvpn-zone
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key TempVPN1# address xx.xx.xx.xx
!
crypto isakmp client configuration group SFGallery
 key Peters2011
 dns 10.10.10.10 10.10.10.80
 wins 10.10.10.10 10.10.10.80
 domain gpgallery.com
 pool SDM_POOL_1
 acl 111
 save-password
 split-dns gpgallery.com
 max-users 25
 max-logins 3
 netmask 255.255.252.0
 banner ^CYou are now connected to the Santa Fe Gallery and Corp. ^C
crypto isakmp profile ciscocp-ike-profile-1
 match identity group SFGallery
 client authentication list ciscocp_vpn_xauth_ml_3
 isakmp authorization list ciscocp_vpn_group_ml_2
 client configuration address respond
 virtual-template 3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 43200
 set transform-set ESP-3DES-SHA3
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel toxx.xx.xx.xx
 set peer xx.xx.xx.xx
 set transform-set ESP-3DES-SHA1
 match address 107
 reverse-route
!
!
!
!
!
interface Loopback1
 ip address 192.168.5.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description T1 Cybermesa$ETH-WAN$
 ip address xx.xx.xx.xx 255.255.255.240
 ip access-group 105 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
 description LANOverloadNet$ETH-WAN$
 no ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description LAN$ETH-LAN$
 ip address 10.10.10.2 255.255.255.128
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 ip address 192.168.100.1 255.255.255.0
 ip access-group ReplicationIN out
 duplex auto
 speed auto
!
interface GigabitEthernet1/0
 description $ETH-LAN$
 ip address 172.16.0.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet1/1
 description Internal switch interface connected to EtherSwitch Service Module
 no ip address
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
!
interface Virtual-Template2
 ip unnumbered Loopback1
 zone-member security sslvpn-zone
!
interface Virtual-Template3 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 no ip address
!
!
ip local pool SDM_POOL_1 172.16.3.200 172.16.3.254
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
 top 10
 sort-by bytes
 cache-timeout 60000
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_4 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.10.10.95 22 xx.xx.xx.xx extendable
ip nat inside source static udp 10.10.10.95 22 xx.xx.xx.xx extendable
ip nat inside source static tcp 10.10.10.95 25 xx.xx.xx.xx extendable
ip nat inside source static udp 10.10.10.95 25 xx.xx.xx.xx 25 extendable
ip nat inside source static tcp 10.10.10.95 80 xx.xx.xx.xx 80 extendable
ip nat inside source static udp 10.10.10.95 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.95 443 xx.xx.xx.xx 443 extendable
ip nat inside source static udp 10.10.10.95 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 10.10.10.30 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.104 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.37 26 xx.xx.xx.xx 25 extendable
ip nat inside source static udp 10.10.10.37 26 xx.xx.xx.xx 25 extendable
ip nat inside source static tcp 10.10.10.115 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.115 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 10.10.10.80 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 10.10.10.47 26 xx.xx.xx.xx 25 extendable
ip nat inside source static udp 10.10.10.47 26 xx.xx.xx.xx 25 extendable
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
ip route 10.10.10.0 255.255.255.128 GigabitEthernet0/2 10 permanent
ip route 10.10.10.44 255.255.255.255 10.10.10.1 permanent
ip route 10.10.10.128 255.255.255.224 10.10.10.126 permanent
ip route 10.10.10.172 255.255.255.255 10.10.10.3 permanent
ip route 10.10.10.175 255.255.255.255 10.10.10.3 permanent
ip route 10.10.10.177 255.255.255.255 10.10.10.3 permanent
ip route 172.16.4.0 255.255.252.0 10.10.10.126 permanent
ip route 192.168.100.0 255.255.255.0 FastEthernet0/0/0 permanent
ip route 192.168.101.0 255.255.255.0 10.10.10.126 permanent
!
ip access-list extended CCP_IP
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended ReplicationIN
 remark CCP_ACL Category=1
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny   ip any any
ip access-list extended ReplicationOUT
 remark CCP_ACL Category=1
 deny   ip any any
!
no logging trap
logging 10.10.10.107
access-list 1 permit 192.168.1.2
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 72.216.51.56 0.0.0.7
access-list 1 permit 172.16.0.0 0.0.3.255
access-list 1 permit 172.16.4.0 0.0.3.255
access-list 1 permit 10.10.10.128 0.0.0.31
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 permit xx.xx.xx.xx 0.0.0.15
access-list 1 permit 10.10.10.0 0.0.0.127
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp object-group GPAll object-group NY eq www
access-list 100 permit udp host 10.10.10.10 eq 1645 host 10.10.10.2
access-list 100 permit udp host 10.10.10.10 eq 1646 host 10.10.10.2
access-list 100 permit ip any host 10.10.10.2
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq telnet
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq telnet
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq telnet
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq telnet
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 22
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 22
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 22
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq www
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq www
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq www
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 443
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 443
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 443
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 443
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq cmd
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq cmd
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq cmd
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq cmd
access-list 100 deny   tcp any host 10.10.10.2 eq telnet
access-list 100 deny   tcp any host 10.10.10.2 eq 22
access-list 100 deny   tcp any host 10.10.10.2 eq www
access-list 100 deny   tcp any host 10.10.10.2 eq 443
access-list 100 deny   tcp any host 10.10.10.2 eq cmd
access-list 100 deny   udp any host 10.10.10.2 eq snmp
access-list 100 permit udp any eq domain host 10.10.10.2
access-list 100 permit udp host 10.10.10.80 eq domain any
access-list 100 permit udp host 10.10.10.10 eq domain any
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 72.216.51.56 0.0.0.7 any
access-list 101 permit ip 172.16.0.0 0.0.3.255 any
access-list 101 permit ip 172.16.4.0 0.0.3.255 any
access-list 101 permit ip 10.10.10.128 0.0.0.31 any
access-list 101 permit ip xx.xx.xx.xx 0.0.0.15 any
access-list 101 permit ip host 192.168.1.2 any
access-list 101 permit ip 10.10.10.0 0.0.0.127 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 72.216.51.56 0.0.0.7 any
access-list 102 permit ip 172.16.0.0 0.0.3.255 any
access-list 102 permit ip 172.16.4.0 0.0.3.255 any
access-list 102 permit ip 10.10.10.128 0.0.0.31 any
access-list 102 permit ip xx.xx.xx.xx 0.0.0.15 any
access-list 102 permit ip host 192.168.1.2 any
access-list 102 permit ip 10.10.10.0 0.0.0.127 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq telnet
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 22
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq www
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 443
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq cmd
access-list 103 deny   tcp any host 172.16.0.1 eq telnet
access-list 103 deny   tcp any host 172.16.0.1 eq 22
access-list 103 deny   tcp any host 172.16.0.1 eq www
access-list 103 deny   tcp any host 172.16.0.1 eq 443
access-list 103 deny   tcp any host 172.16.0.1 eq cmd
access-list 103 deny   udp any host 172.16.0.1 eq snmp
access-list 103 permit ip any any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark CCP_ACL Category=1
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.128 0.0.0.31
access-list 105 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.160 0.0.0.31 172.16.0.0 0.0.255.255
access-list 105 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 105 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 105 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq telnet
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq telnet
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq telnet
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 22
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 22
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 22
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq www
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq www
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq www
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 443
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 443
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 443
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq cmd
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq cmd
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq cmd
access-list 105 deny   tcp any host xx.xx.xx.xx eq telnet
access-list 105 deny   tcp any host xx.xx.xx.xx eq 22
access-list 105 deny   tcp any host xx.xx.xx.xx eq www
access-list 105 deny   tcp any host xx.xx.xx.xx eq 443
access-list 105 deny   tcp any host xx.xx.xx.xx eq cmd
access-list 105 deny   udp any host xx.xx.xx.xx eq snmp
access-list 105 permit tcp any host xx.xx.xx.xx eq 443
access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127
access-list 105 permit udp any eq domain host xx.xx.xx.xx
access-list 105 permit ahp host 209.101.19.226 host xx.xx.xx.xx
access-list 105 permit esp host 209.101.19.226 host xx.xx.xx.xx
access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq isakmp
access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq non500-isakmp
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
access-list 105 permit ip any any
access-list 106 remark CCP_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny   ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
access-list 106 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 106 remark IPSec Rule
access-list 106 deny   ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
access-list 106 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 106 deny   ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 106 deny   ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 106 deny   ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 106 remark IPSec Rule
access-list 106 deny   ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
access-list 107 remark IPSec Rule
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
access-list 107 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 107 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 107 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 107 remark IPSec Rule
access-list 107 deny   ip 172.16.0.0 0.0.255.255 host 10.10.10.177
access-list 108 remark CCP_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 deny   ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 108 permit ip 70.56.215.0 0.0.0.255 any
access-list 109 remark CCP_ACL Category=2
access-list 109 remark IPSec Rule
access-list 109 deny   ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
access-list 109 remark IPSec Rule
access-list 109 deny   ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 109 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 109 remark IPSec Rule
access-list 109 deny   ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
access-list 109 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 109 deny   ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 109 deny   ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 109 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 remark CCP_ACL Category=4
access-list 111 permit ip 10.10.10.0 0.0.0.127 any
access-list 111 permit ip 10.10.10.128 0.0.0.31 any
access-list 111 permit ip 172.16.0.0 0.0.3.255 any
access-list 111 permit ip 172.16.4.0 0.0.3.255 any
access-list 111 permit ip 10.10.10.160 0.0.0.31 any
!
!
!
!
route-map SDM_RMAP_4 permit 1
 match ip address 109
!
route-map SDM_RMAP_1 permit 1
 match ip address 106
!
route-map SDM_RMAP_2 permit 1
 match ip address 108
!
!
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps transceiver all
snmp-server enable traps ds1
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps license
snmp-server enable traps envmon
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps flash insertion removal
snmp-server enable traps c3g
snmp-server enable traps ds3
snmp-server enable traps adslline
snmp-server enable traps vdsl2line
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps energywise
snmp-server enable traps vstack
snmp-server enable traps mac-notification
snmp-server enable traps bgp
snmp-server enable traps isis
snmp-server enable traps rf
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps ipsla
snmp-server enable traps bfd
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server host 10.10.10.107 public
radius-server host 10.10.10.10 key HelloSFGal1#
!
!
!
control-plane
!
!
banner login ^CCCWelcome to Santa Fe Gallery Cisco 2911 router 10.10.10.1.^C
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 67
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
 flowcontrol software
line vty 0 4
 access-class 102 in
 transport input telnet
line vty 5 15
 access-class 101 in
 transport input telnet
!
scheduler allocate 20000 1000
end

Cisco Employee

Hi Michael,

most probably the failing traffic is hitting NAT when it shouldn't. You could try to verify this assumption by getting "show ip nat trans" immediately after trying to connect.

To solve it there are several options:

- rewrite your NAT statements so that they don't apply to the VPN traffic (I'd suggest asking for help in another forum like e.g.

- have your remote clients connect to the public IP of the server.

If you want this traffic to go over the tunnel, modify the crypto ACL (on both sides of the tunnel!) to include traffic between 10.10.10.160 and x.x.x.x.

- (preferred) remove the crypto-map based VPN tunnel and replace it with a VTI (virtual tunnel interface), if the remote peer supports this. This will give you a Tunnel interface (similar to the Virtual-Template for your vpn client users) so any traffic sent over this Tunnel will not be NAT'ed (assuming you don't put "ip nat inside" on the Tunnel).

You should easily find some config examples for VTI but let me know if you want to discuss this option further.

hth

Herbert

Beginner

Thanks so much, Herbert.

As an alternative to what you suggest, what do you think of this? I got it from Cisco's support document, http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

I would delete these lines:

no ip nat inside source static tcp 10.10.10.95 80 [outside IP] 80 extendable
no ip nat inside source static udp 10.10.10.95 80 [outside IP] 80 extendable
no ip nat inside source static tcp 10.10.10.95 443 [outside IP] 443 extendable
no ip nat inside source static udp 10.10.10.95 443 [outside IP] 443 extendable
no ip nat inside source static tcp 10.10.10.30 80 [outside IP] 80 extendable

and replace them with these:

ip nat inside source static tcp 10.10.10.95 80 [outside IP] 80 route-map nonat extendable
ip nat inside source static udp 10.10.10.95 80 [outside IP] 80 route-map nonat extendable
ip nat inside source static tcp 10.10.10.95 443 [outside IP] 443 route-map nonat extendable
ip nat inside source static udp 10.10.10.95 443 [outside IP] 443 route-map nonat extendable
ip nat inside source static tcp 10.10.10.30 80 [outside IP] 80 route-map nonat extendable

Then add:

access-list 150 deny   ip host 10.10.10.95 10.10.10.160 0.0.0.31
access-list 150 deny   ip host 10.10.10.95 172.16.8.0 0.0.3.255
access-list 150 deny   ip host 10.10.10.130 10.10.10.160 0.0.0.31
access-list 150 deny   ip host 10.10.10.130 172.16.8.0 0.0.3.255
access-list 150 permit ip host 10.10.10.95 any
access-list 150 permit ip host 10.10.10.130 any
!
route-map nonat permit 10
 match ip address 150
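The NAT decision behind Herbert's diagnosis (the web server's HTTP reply is claimed by the static port-forward on the way out of Gi0/0, while ICMP replies are not) and the route-map exemption in Michael's fix, as an added Python model that is not from the thread or from Cisco. It assumes the constructed addresses 203.0.113.10 for the masked WAN IP and 10.10.10.170 for a VPN client in the NY range, and reduces ACL 106 to the entries that can match a 10.10.10.0/25 source.

```python
import ipaddress

PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the WAN address the page masks as xx.xx.xx.xx
ANY = ("0.0.0.0", "255.255.255.255")


def host(ip):
    """Cisco 'host a.b.c.d' as a (base, wildcard) pair."""
    return (ip, "0.0.0.0")


def in_wild(ip, net):
    """Cisco wildcard-mask match: a set bit in the wildcard means 'don't care'."""
    base, wild = net
    ip_i, base_i, wild_i = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wild))
    return (ip_i | wild_i) == (base_i | wild_i)


def acl_permits(acl, src, dst):
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, src_net, dst_net in acl:
        if in_wild(src, src_net) and in_wild(dst, dst_net):
            return action == "permit"
    return False


# ACL 106 (match list of route-map SDM_RMAP_1 in the posted config), reduced to
# the entries that can match a 10.10.10.0/25 source: VPN- and site-bound traffic
# is denied (so left untranslated), everything else is overloaded onto the WAN IP.
ACL_106 = [
    ("deny", ("10.10.10.0", "0.0.0.255"), ("172.16.0.0", "0.0.255.255")),
    ("deny", ("10.10.10.0", "0.0.0.127"), ("10.10.10.160", "0.0.0.31")),
    ("deny", ("10.10.10.0", "0.0.0.127"), ("10.10.10.0", "0.0.0.127")),
    ("permit", ("10.10.10.0", "0.0.0.255"), ANY),
]

# ACL 150 from Michael's fix: the static port-forward for 10.10.10.95 must not
# apply when the other end of the flow is a VPN destination.
ACL_150 = [
    ("deny", host("10.10.10.95"), ("10.10.10.160", "0.0.0.31")),
    ("deny", host("10.10.10.95"), ("172.16.8.0", "0.0.3.255")),
    ("permit", host("10.10.10.95"), ANY),
]

# Static rules as (proto, inside local, local port, global port, route-map ACL or None).
STATIC_BEFORE = [("tcp", "10.10.10.95", 80, 80, None)]     # original config
STATIC_AFTER = [("tcp", "10.10.10.95", 80, 80, ACL_150)]   # with 'route-map nonat'


def translate_source(pkt, static_rules, dynamic_acl=ACL_106):
    """Source (ip, port) of an inside->outside packet after NAT on the WAN interface.

    pkt is (proto, src_ip, src_port, dst_ip).  A static port rule matches on
    protocol and inside local address:port only, regardless of destination; when
    it carries a route-map, it applies only if that ACL permits the flow.  Packets
    no static rule claims fall through to the dynamic overload rule.
    """
    proto, src, sport, dst = pkt
    for r_proto, local, lport, gport, acl in static_rules:
        if proto == r_proto and src == local and sport == lport:
            if acl is None or acl_permits(acl, src, dst):
                return (PUBLIC_IP, gport)
    if acl_permits(dynamic_acl, src, dst):
        return (PUBLIC_IP, sport)  # real PAT would also pick a fresh port
    return (src, sport)


if __name__ == "__main__":
    # Constructed flows: a VPN client 10.10.10.170 (NY range 10.10.10.160/27)
    # and an Internet client 198.51.100.7, both talking to web server 10.10.10.95.
    http_reply = ("tcp", "10.10.10.95", 80, "10.10.10.170")
    ping_reply = ("icmp", "10.10.10.95", 0, "10.10.10.170")
    wan_reply = ("tcp", "10.10.10.95", 80, "198.51.100.7")
    print("HTTP reply to VPN client, original config:", translate_source(http_reply, STATIC_BEFORE))
    print("HTTP reply to VPN client, with route-map:  ", translate_source(http_reply, STATIC_AFTER))
    print("ICMP reply to VPN client (either config):  ", translate_source(ping_reply, STATIC_AFTER))
    print("HTTP reply to Internet client, with fix:   ", translate_source(wan_reply, STATIC_AFTER))
```

With the original rules the reply leaves with the WAN address as its source, so the VPN client never matches it to its session; with the route-map the reply keeps 10.10.10.95 while Internet clients still reach the forwarded port.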

Beginner

FYI, the above solution worked. 

Cisco Employee

Hi Michael

thanks for closing the loop on this one!

This solution is actually what I meant with my first suggestion, re-writing the NAT rules. Glad to see you found the correct way to do that.

FWIW, personally I would still recommend the VTI solution as the trend is to move away from crypto maps, and it would greatly simplify your config (e.g. adding a server would require a number of error-prone changes in your current config, whereas the VTI config would require little or no change at all).

cheers

Herbert