10.11.0.2 is just a arbitrary next hop of the loopback interface to cause the nat to take place since there is a single interface and Nat needs both inside and outside interface.

Your configuration looks almost normal, except for:

access-list 101 permit ip any any

Do this instead:

ip access-list extended 101

     10 permit ip 192.168.1.0 0.0.0.3 any

     20 permit ip your_internal_network any

     no permit ip any any

Then test again.

HTH.

Portu.

Thanks Portu for the guide. I will try it on monday.

Please what I am a little confused is the:

20 permit ip your_internal_network any-- is this refering to my loopback network10.11.0.0?

ie 20 permit ip 10.11.0.0 0.0.0.255 any

Hi Obaid,

Usually, you use the same ACL to allow Internet access to theLAN and VPN Clients, that's the reason why I added mentioned it in there.

If the Router is not providing Internet access to the inside, then ignore the ACE no.20.

Thanks.

Thanks alot Portu, You are a life saver.

I did all i could but couldnt get the clients to get to the internet.

Yes in my case the router has no LAN and it only serves as an agregate point for my clients to be able to access the internet.

So once the VPN is setup between the clients and the router they use that same connection to the internet.

I will test the acl modification on monday.

Thanks alot once again.

Cool man

Keep me posted!

Hi Poru ,

I changed the ACL and tested by trying to access some website but does not seem to work.

Here is the configuration I applied:

aaa new-model

aaa authentication login userauthen local

aaa authorization network groupauthor local

aaa session-id common

resource policy

ip name-server 8.8.8.8

username user password 0 cisco

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

crypto isakmp client configuration group vpnclient

key cisco123

pool ippool

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10

set transform-set myset

reverse-route

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

interface Loopback0

ip address 10.11.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

interface gi0/1

ip address y.y.y.8 255.255.255.0

ip nat outside

ip virtual-reassembly

ip policy route-map VPN-Client

duplex auto

speed auto

crypto map clientmap

ip local pool ippool 192.168.1.1 192.168.1.2

ip route 0.0.0.0 0.0.0.0 y.y.y.254

ip nat inside source list 101 interface gi0/1 overload

ip access-list extended 101

10 permit ip 192.168.1.0 0.0.0.3 any

no permit ip any any

access-list 144 permit ip 192.168.1.0 0.0.0.255 any

route-map VPN-Client permit 10

match ip address 144

set ip next-hop 10.11.0.2

Here are the debug results (debug ip nat doesn't bring up anything)

debug ip access-list data-plane

debug ip policy

yourname#debug ip access-list data-plane

yourname#

*Mar 18 17:16:22.687: IPACL-DP: Seems no matching ACE in the ACL: 101, Implicit Deny

*Mar 18 17:16:22.687: IPACL-DP: Pkt matched punt/drop it

*Mar 18 17:16:30.075: IPACL-DP: Pkt matched ACL: 144 seq: 10 Action: Permit

*Mar 18 17:16:30.075: IPACL-DP: Pkt matched permit it

*Mar 18 17:16:30.831: IPACL-DP: Pkt matched ACL: 144 seq: 10 Action: Permit

*Mar 18 17:16:30.831: IPACL-DP: Pkt matched permit it

*Mar 18 17:16:31.575: IPACL-DP: Pkt matched ACL: 144 seq: 10 Action: Permit

*Mar 18 17:16:31.575: IPACL-DP: Pkt matched permit it

*Mar 18 17:16:33.191: IPACL-DP: Seems no matching ACE in the ACL: 101, Implicit Deny

*Mar 18 17:16:33.191: IPACL-DP: Pkt matched punt/drop it

*Mar 18 17:16:43.687: IPACL-DP: Seems no matching ACE in the ACL: 101, Implicit Deny

*Mar 18 17:16:43.687: IPACL-DP: Pkt matched punt/drop it

*Mar 18 17:16:54.183: IPACL-DP: Seems no matching ACE in the ACL: 101, Implicit Deny

*Mar 18 17:16:54.187: IPACL-DP: Pkt matched punt/drop it

*Mar 18 17:17:04.687: IPACL-DP: Seems no matching ACE in the ACL: 101, Implicit Deny

*Mar 18 17:17:04.687: IPACL-DP: Pkt matched punt/drop it

yourname#debug ip policy

Policy routing debugging is on

yourname#

*Mar 18 17:18:32.279: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 78, FIB policy match

*Mar 18 17:18:32.279: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 78, PBR Counted

*Mar 18 17:18:32.279: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, g=10.11.0.2, len 78, FIB policy routed

*Mar 18 17:18:33.027: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 78, FIB policy match

*Mar 18 17:18:33.027: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 78, PBR Counted

*Mar 18 17:18:33.027: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, g=10.11.0.2, len 78, FIB policy routed

*Mar 18 17:18:33.775: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 78, FIB policy match

*Mar 18 17:18:33.775: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 78, PBR Counted

*Mar 18 17:18:33.775: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, g=10.11.0.2, len 78, FIB policy routed

*Mar 18 17:19:29.359: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 229, FIB policy match

*Mar 18 17:19:29.359: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 229, PBR Counted

*Mar 18 17:19:29.359: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, g=10.11.0.2, len 229, FIB policy routed

*Mar 18 17:19:32.155: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 235, FIB policy match

*Mar 18 17:19:32.155: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 235, PBR Counted

*Mar 18 17:19:32.155: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, g=10.11.0.2, len 235, FIB polic

Obaid,

Please do the following:

ip access-list extended 101

     20 permit ip 192.168.1.0 0.0.0.255 any

      no 10

Let me know if it makes any difference.

HTH.

Hi Portu

I just tried it but it doesnt seem like the ACL 101 is being hit!

Obaid,

This is interesting... It should be working.

How do you try to access the Internet?

By URL or IP?

Try the following, once connected to the VPN:

1- Open cmd, and try to ping 4.2.2.2.

2- Open the web browser and go to http://173.194.44.84

Let me know how it goes.

HTH.

Hi Portu,

I just tried both,

when I try to ping from the VPN client

pinged 4.2.2.2 or any other ip (other than the gi0/1 ip address x.x.x.8) and dont get a response.

used the browser to access http://173.194.44.84 and  nothing happens.

I cant ping the next hop x.x.x.254.

Thanks.

Thanks.

Please try this:

crypto dynamic-map dynmap 10

     reverse-route remote-peer Router_Internet_next_hop

If it does not work, please share:

The current configuration of the Router, including "show crypto sessions", "show access-list 144", "show access-list 101", "show ip cef exact-route vpn_client_ip 4.2.2.2", "show crypto ipsec sa" and please confirm that the client has a VPN connection on port 4500 (open the client's statistics and verify that it say "IPsec over UDP port 4500".

And the log output provided two posts before.

Thanks in advance.

Hello Portu,

I will test this right away.

but here is the show run from th router itself incase there is something fishy. interface gi0/0 is set up just to be able to use ccp.

yourname#show run

Building configuration...

Current configuration : 6374 bytes

!

! Last configuration change at 19:13:58 UTC Mon Mar 18 2013

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname yourname

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

!

aaa new-model

!

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

!

!

!

!

!

aaa session-id common

!

ip cef

!

!

!

!

!

!

ip domain name yourdomain.com

ip name-server 8.8.8.8

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

crypto pki trustpoint TP-self-signed-3880283622

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3880283622

revocation-check none

rsakeypair TP-self-signed-3880283622

!

!

crypto pki certificate chain TP-self-signed-3880283622

certificate self-signed 01

  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33383830 32383336 3232301E 170D3132 31323130 31383236

  30375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38383032

  38333632 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100D453 6EFFBFB6 8B301740 07760A6C 524ABE2D 17707A92 229C5CD4 827A278D

  6928639E D1615D07 A7099F13 E7EEC722 A4C059A8 FEE7F7C6 6FA8627E 0C4C32A2

  BBA76DA1 4D52B3E9 0699B152 36E4ABBC D350091A FB98AF4F 0FC050F5 4C45C671

  B9641250 64D95A89 5AEC58A6 689F135B DEE85DD6 5AB4329A D090B1B6 E75FAFB9

  91250203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

  551D2304 18301680 14982725 B7B9C17D 3CD782D9 7CE306D7 05E074A6 AF301D06

  03551D0E 04160414 982725B7 B9C17D3C D782D97C E306D705 E074A6AF 300D0609

  2A864886 F70D0101 05050003 818100A6 F9851828 CB16EE59 4564A5BC E925BBBD

  94905CFD 6475B674 D64A7F66 85D2778B 452C18D8 A9E868B7 00BB0A6E B05B05C1

  CE8C70BC 490A2C9E 1EFA90FD 299064AC 37A5E346 2D5D9E9D 566BEDC6 D44FACC9

  D82590BD FA175A14 00C1337C 63A86316 92FC1EE4 82A6A52C 02E68D7E 5A166095

  9D85EE2F B12011CE C98D9938 D801B6

        quit

license udi pid CISCO2911/K9 sn FGL165010CQ

!

!

username user password 0 cisco

!

redundancy

!

!

!

!

!

csdb tcp synwait-time 30

csdb tcp idle-time 3600

csdb tcp finwait-time 5

csdb tcp reassembly max-memory 1024

csdb tcp reassembly max-queue-length 16

csdb udp idle-time 30

csdb icmp idle-time 10

csdb session max-session 65535

!

!

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group vpnclient

key cisco123

pool ippool

!

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

mode tunnel

!

!

!

crypto dynamic-map dynmap 10

set transform-set myset

reverse-route

!

!

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

!

!

!

!

interface Loopback0

ip address 10.11.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$

ip address 10.10.10.1 255.255.255.248

duplex auto

speed auto

!

interface GigabitEthernet0/1

ip address y.y.y.8 255.255.255.0

ip nat outside

ip virtual-reassembly in

ip policy route-map VPN-Client

duplex auto

speed auto

crypto map clientmap

!

interface GigabitEthernet0/2

no ip address

shutdown

duplex auto

speed auto

!

ip local pool ippool 192.168.1.1 192.168.1.2

ip forward-protocol nd

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 101 interface GigabitEthernet0/1 overload

ip route 0.0.0.0 0.0.0.0 y.y.y.254

!

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 144 permit ip 192.168.1.0 0.0.0.255 any

!

route-map VPN-Client permit 10

match ip address 144

set ip next-hop 10.11.0.2

!

!

!

!

!

control-plane

!

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you want to

use.

-----------------------------------------------------------------------

^C

banner login ^C

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device.

This feature requires the one-time use of the username "cisco" with the

password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN

CREDENTIALS

Here are the Cisco IOS commands.

username   privilege 15 secret 0

no username cisco

Replace and with the username and password you want

to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE

TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the

QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp

-----------------------------------------------------------------------

^C

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class 23 in

privilege level 15

transport input telnet ssh

line vty 5 15

access-class 23 in

privilege level 15

transport input telnet ssh

!

scheduler allocate 20000 1000

!

end

yourname#