06-15-2010 12:50 PM
When VPN established I can Ping the Router but no other device on the network. From the Router I can ping all devices including my laptop that is connected.
Here is the config... What am I missing? This is probably about the 100th one I have set up and no issues before, and I have gone as far as using CCP to configure it and still no LAN access. I have gone line by line of other backup configs that I have for other same setups.
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.2
ip dhcp excluded-address 192.168.0.190 192.168.0.200
!
ip dhcp pool sdm-pool1
import all
network 192.168.0.0 255.255.255.0
dns-server 216.x.x.x 216.x.x.x
default-router 192.168.0.1
ip tcp synwait-time 10
no ip bootp server
ip domain name xxxx.com
ip name-server 216.x.x.x
ip name-server 216.x.x.x
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-2756617961
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2756617961
revocation-check none
rsakeypair TP-self-signed-2756617961
!
!
crypto pki certificate chain TP-self-signed-2756617961
certificate self-signed 01
3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32373536 36313739 3631301E 1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
username xxxxx privilege 15 secret 5 xxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group xxxxx
key xxxxx
dns 216.x.x.x 216.x.x.x
pool SDM_POOL_2
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group xxxxx
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 4
!
!
crypto ipsec transform-set xxxxx esp-3des esp-md5-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set xxxxx
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 216.x.x.x. secondary
ip address 216.x.x.x 255.255.255.128
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Virtual-Template4 type tunnel
ip unnumbered FastEthernet4
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1100
!
ip local pool SDM_POOL_2 192.168.0.190 192.168.0.200
ip classless
ip route 0.0.0.0 0.0.0.0 216.x.x.x
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 100 deny ip any host 192.168.0.190
access-list 100 deny ip any host 192.168.0.191
access-list 100 deny ip any host 192.168.0.192
access-list 100 deny ip any host 192.168.0.193
access-list 100 deny ip any host 192.168.0.194
access-list 100 deny ip any host 192.168.0.195
access-list 100 deny ip any host 192.168.0.196
access-list 100 deny ip any host 192.168.0.197
access-list 100 deny ip any host 192.168.0.198
access-list 100 deny ip any host 192.168.0.199
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 100
Thank you
Gabrielle
06-15-2010 01:12 PM
Should ACL 100 entries be flipped around? You have ip any host 192.168.0.19x, which are the devices you don't want to NAT. But they are listed as destinations, not sources. So all 192.168.0.0/24 is NAT'd.
access-list 100 deny ip any host 192.168.0.190
access-list 100 deny ip any host 192.168.0.191
access-list 100 deny ip any host 192.168.0.192
access-list 100 deny ip any host 192.168.0.193
access-list 100 deny ip any host 192.168.0.194
access-list 100 deny ip any host 192.168.0.195
access-list 100 deny ip any host 192.168.0.196
access-list 100 deny ip any host 192.168.0.197
access-list 100 deny ip any host 192.168.0.198
access-list 100 deny ip any host 192.168.0.199
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
06-15-2010 01:23 PM
So you are saying
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip any host 192.168.0.190
access-list 100 deny ip any host 192.168.0.191
access-list 100 deny ip any host 192.168.0.192
access-list 100 deny ip any host 192.168.0.193
access-list 100 deny ip any host 192.168.0.194
access-list 100 deny ip any host 192.168.0.195
access-list 100 deny ip any host 192.168.0.196
access-list 100 deny ip any host 192.168.0.197
access-list 100 deny ip any host 192.168.0.198
access-list 100 deny ip any host 192.168.0.199
access-list 100 deny ip any host 192.168.0.200
No that doesn't work.
06-15-2010 01:29 PM
Sorry for not being clear enough. It looks like you were trying to exclude the hosts 192.168.0.190 through 192.168.0.199 from NAT. I have changed the ACEs to reflect this option. Otherwise all of 192.168.0.0/24 will be NAT'd. HTH
access-list 100 deny ip host 192.168.0.190 any
access-list 100 deny ip host 192.168.0.191 any
access-list 100 deny ip host 192.168.0.192 any
access-list 100 deny ip host 192.168.0.193 any
access-list 100 deny ip host 192.168.0.194 any
access-list 100 deny ip host 192.168.0.195 any
access-list 100 deny ip host 192.168.0.196 any
access-list 100 deny ip host 192.168.0.197 any
access-list 100 deny ip host 192.168.0.198 any
access-list 100 deny ip host 192.168.0.199 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
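The two versions of ACL 100 in this thread (deny on the destination host as posted, deny on the source host as suggested) exempt different flows from the NAT route-map. The evaluator below is an added example of my own, not code from the thread: it applies IOS first-match semantics with the implicit deny at the end, keeps one representative deny entry per ACL, and the 192.168.0.50 LAN host and 8.8.8.8 Internet address are constructed test values.

```python
import ipaddress

# Constructed example: minimal evaluator for extended ACL entries of the form
#   access-list N permit|deny ip <src> <dst>
# where each side is "any", "host A.B.C.D", or "A.B.C.D WILDCARD".
# IOS evaluates entries top-down; first match wins; unmatched traffic is denied.

def _parse_side(tokens, i):
    """Return (matcher, next_index) for one address clause at tokens[i]."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        addr = ipaddress.IPv4Address(tokens[i + 1])
        return (lambda ip, a=addr: ip == a), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    # Wildcard bit 1 = "don't care"; bits set to 0 must equal the network.
    return (lambda ip, n=net, w=wild: (int(ip) & ~w) == (n & ~w)), i + 2

def parse_acl(text):
    """Parse 'access-list N action ip SRC DST' lines into (action, src, dst)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _parse_side(t, 4)
        dst, _ = _parse_side(t, i)
        entries.append((t[2], src, dst))
    return entries

def acl_permits(entries, src_ip, dst_ip):
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in entries:
        if src(s) and dst(d):
            return action == "permit"
    return False  # implicit deny

def will_nat(entries, src_ip, dst_ip):
    """Route-map NAT: a permit from the ACL means the flow is translated,
    a deny (explicit or implicit) means the flow is exempt from NAT."""
    return acl_permits(entries, src_ip, dst_ip)

# ACL 100 as posted (deny keyed on the *destination* host)...
AS_POSTED = parse_acl("""
access-list 100 deny ip any host 192.168.0.190
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
""")
# ...and the suggested rewrite (deny keyed on the *source* host).
FLIPPED = parse_acl("""
access-list 100 deny ip host 192.168.0.190 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
""")
```

Run `will_nat(AS_POSTED, "192.168.0.50", "192.168.0.190")` against `will_nat(FLIPPED, ...)` with the source and destination swapped to see that each ACL exempts the opposite direction of the LAN-to-VPN-client conversation, while LAN-to-Internet traffic is translated by both.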
06-15-2010 05:40 PM
Thank you but that didn't work either.
All of the other routers I have configured work just fine with the access-list like I have. I did give it a go but got the same results as before.
06-15-2010 06:42 PM
I notice that you are using the same address space for your VPN clients as for your inside network. Are you doing the same at the other 100 sites?
06-16-2010 04:35 PM
Yes I am using the same network space on all the others.
06-17-2010 05:58 AM
Could you provide a sanitized listing of your central site VPN device as well as another (working) site's configuration?
06-28-2010 06:17 AM
Sorry, I wanted to post my conclusion for this to help others. I ended up going on site and changing the NAT information. I didn't want to do this remotely. Once I took out the other statements and added the below I was able to access all of the internal servers.
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 deny ip any host 192.168.0.80
access-list 101 deny ip any host 192.168.0.81
access-list 101 deny ip any host 192.168.0.82
access-list 101 deny ip any host 192.168.0.83
access-list 101 deny ip any host 192.168.0.84
access-list 101 deny ip any host 192.168.0.85
no cdp run
route-map nonat permit 10
match ip address 101