06-15-2010 12:50 PM
When the VPN is established I can ping the router but no other device on the network. From the router I can ping all devices, including my laptop that is connected.
Here is the config... What am I missing? This is probably about the 100th one I have set up, with no issues before, and I have gone as far as using CCP to configure it and still have no LAN access. I have gone line by line through other backup configs that I have for other identical setups.
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.2
ip dhcp excluded-address 192.168.0.190 192.168.0.200
!
ip dhcp pool sdm-pool1
 import all
 network 192.168.0.0 255.255.255.0
 dns-server 216.x.x.x 216.x.x.x
 default-router 192.168.0.1
ip tcp synwait-time 10
no ip bootp server
ip domain name xxxx.com
ip name-server 216.x.x.x
ip name-server 216.x.x.x
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-2756617961
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2756617961
 revocation-check none
 rsakeypair TP-self-signed-2756617961
!
!
crypto pki certificate chain TP-self-signed-2756617961
 certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32373536 36313739 3631301E 1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
username xxxxx privilege 15 secret 5 xxxxxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxxxx
 key xxxxx
 dns 216.x.x.x 216.x.x.x
 pool SDM_POOL_2
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
 match identity group xxxxx
 client authentication list ciscocp_vpn_xauth_ml_2
 isakmp authorization list ciscocp_vpn_group_ml_2
 client configuration address respond
 virtual-template 4
!
!
crypto ipsec transform-set xxxxx esp-3des esp-md5-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set xxxxx
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 216.x.x.x. secondary
 ip address 216.x.x.x 255.255.255.128
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Virtual-Template4 type tunnel
 ip unnumbered FastEthernet4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1100
!
ip local pool SDM_POOL_2 192.168.0.190 192.168.0.200
ip classless
ip route 0.0.0.0 0.0.0.0 216.x.x.x
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 100 deny ip any host 192.168.0.190
access-list 100 deny ip any host 192.168.0.191
access-list 100 deny ip any host 192.168.0.192
access-list 100 deny ip any host 192.168.0.193
access-list 100 deny ip any host 192.168.0.194
access-list 100 deny ip any host 192.168.0.195
access-list 100 deny ip any host 192.168.0.196
access-list 100 deny ip any host 192.168.0.197
access-list 100 deny ip any host 192.168.0.198
access-list 100 deny ip any host 192.168.0.199
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 100
Thank you
Gabrielle
06-15-2010 01:12 PM
Should the ACL 100 entries be flipped around? You have "ip any host 192.168.0.19x", which are the devices you don't want to NAT, but they are listed as destinations, not sources. So all of 192.168.0.0/24 is NAT'd.
access-list 100 deny ip any host 192.168.0.190
access-list 100 deny ip any host 192.168.0.191
access-list 100 deny ip any host 192.168.0.192
access-list 100 deny ip any host 192.168.0.193
access-list 100 deny ip any host 192.168.0.194
access-list 100 deny ip any host 192.168.0.195
access-list 100 deny ip any host 192.168.0.196
access-list 100 deny ip any host 192.168.0.197
access-list 100 deny ip any host 192.168.0.198
access-list 100 deny ip any host 192.168.0.199
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
06-15-2010 01:23 PM
So you are saying:
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip any host 192.168.0.190
access-list 100 deny ip any host 192.168.0.191
access-list 100 deny ip any host 192.168.0.192
access-list 100 deny ip any host 192.168.0.193
access-list 100 deny ip any host 192.168.0.194
access-list 100 deny ip any host 192.168.0.195
access-list 100 deny ip any host 192.168.0.196
access-list 100 deny ip any host 192.168.0.197
access-list 100 deny ip any host 192.168.0.198
access-list 100 deny ip any host 192.168.0.199
access-list 100 deny ip any host 192.168.0.200
No, that doesn't work.
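An added example, not code from the thread or from Cisco: a small Python script that parses ACL 100 as posted and evaluates it first-match for a few sample flows, both in the posted order and in the permit-first order tried above, so the effect of the reordering can be seen rather than guessed. It also runs one check the posted config invites: the client pool SDM_POOL_2 (192.168.0.190-200) is carved out of the Vlan1 subnet 192.168.0.0/24 while Vlan1 has `no ip proxy-arp`, so a LAN host that ARPs for a connected client's address gets no reply from anything on the segment, even though the router itself (which holds a route to each client) can reach everything. The embedded config excerpt is constructed from the posted lines; the flow addresses 192.168.0.50, 10.1.1.1 and 198.51.100.10 are made up for the example. Note that `ip nat inside source` with a route-map only ever translates packets routed from a `nat inside` interface to a `nat outside` interface; the ACL decides which of those packets are translated, nothing else.

```python
import ipaddress
import re

# Constructed excerpt of the posted config: only the Vlan1 block, the client
# address pool and ACL 100 are needed for these checks.
CONFIG = """\
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
!
ip local pool SDM_POOL_2 192.168.0.190 192.168.0.200
access-list 100 deny ip any host 192.168.0.190
access-list 100 deny ip any host 192.168.0.191
access-list 100 deny ip any host 192.168.0.192
access-list 100 deny ip any host 192.168.0.193
access-list 100 deny ip any host 192.168.0.194
access-list 100 deny ip any host 192.168.0.195
access-list 100 deny ip any host 192.168.0.196
access-list 100 deny ip any host 192.168.0.197
access-list 100 deny ip any host 192.168.0.198
access-list 100 deny ip any host 192.168.0.199
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
"""

def _operand(tokens):
    """Consume one extended-ACL address operand (any | host A | A wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    all_ones = int(ipaddress.ip_address("255.255.255.255"))
    netmask = ipaddress.ip_address(all_ones ^ int(ipaddress.ip_address(tokens.pop(0))))
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)

def parse_acl(config, number):
    """Return the numbered extended ACL, in order, as (action, src_net, dst_net) tuples."""
    entries = []
    for line in config.splitlines():
        m = re.match(rf"access-list {number} (permit|deny) ip (.+)$", line.strip())
        if m:
            tokens = m.group(2).split()
            entries.append((m.group(1), _operand(tokens), _operand(tokens)))
    return entries

def acl_lookup(entries, src, dst):
    """First-match evaluation with the implicit deny at the end; returns (action, index)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, s, d) in enumerate(entries):
        if src in s and dst in d:
            return action, i
    return "deny", None

def flipped(entries):
    """The reordering tried in the thread: the permit line first, the deny lines after it."""
    return [e for e in entries if e[0] == "permit"] + [e for e in entries if e[0] == "deny"]

def parse_interface(config, name):
    """Return (connected subnet, proxy ARP enabled) for one interface block."""
    subnet, proxy_arp, capture = None, True, False  # IOS enables proxy ARP by default
    for line in config.splitlines():
        if line.startswith("interface "):
            capture = line.split()[1] == name
            continue
        if not capture or not line.startswith(" "):
            capture = False
            continue
        cmd = line.strip()
        m = re.match(r"ip address (\S+) (\S+)$", cmd)
        if m:
            subnet = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif cmd == "no ip proxy-arp":
            proxy_arp = False
    return subnet, proxy_arp

def parse_pool(config, name):
    """Expand 'ip local pool NAME FIRST LAST' into its individual addresses."""
    m = re.search(rf"^ip local pool {name} (\S+) (\S+)", config, re.M)
    first, last = (int(ipaddress.ip_address(a)) for a in m.groups())
    return [ipaddress.ip_address(n) for n in range(first, last + 1)]

def unanswered_pool_addresses(config, interface="Vlan1", pool="SDM_POOL_2"):
    """Pool addresses inside the LAN subnet while proxy ARP is off on the LAN interface:
    LAN hosts ARP for these directly and nothing on the segment answers."""
    subnet, proxy_arp = parse_interface(config, interface)
    if proxy_arp:
        return []
    return [str(a) for a in parse_pool(config, pool) if a in subnet]

if __name__ == "__main__":
    acl = parse_acl(CONFIG, 100)
    # Constructed sample flows: a LAN host talking to the Internet and to a VPN client.
    flows = [("192.168.0.50", "198.51.100.10"), ("192.168.0.50", "192.168.0.195")]
    for label, entries in (("as posted", acl), ("permit first", flipped(acl))):
        for src, dst in flows:
            print(f"{label:12} {src} -> {dst}: {acl_lookup(entries, src, dst)}")
    print("pool addresses nobody answers ARP for:", unanswered_pool_addresses(CONFIG))
```

Running it shows that in the posted order a LAN host's traffic to a client address hits a deny line (not translated) while its Internet traffic hits the permit line (translated), and that with the permit line moved first every LAN-sourced packet matches entry 0, so the deny lines are never reached for LAN sources. The last line lists all eleven pool addresses as having no ARP responder on Vlan1.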