08-08-2012 03:42 PM
Here is my config... VPN is 172.16.4.0/24 and Internal network is 10.10.50.0/24. Once I am connected to VPN, I can't access the 10.10.50.0 network.
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group medpark_5th
key XxxxxXxx
dns 208.167.42.100
pool vpn
acl VPN
!
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set vpn
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 5 ipsec-isakmp
set peer 216.12.5.12
set transform-set vpn
match address 120
crypto map clientmap 200 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface GigabitEthernet0/0
ip address 173.219.88.20 255.255.255.0
ip nat outside
no ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
!
interface GigabitEthernet0/1
ip address 10.10.50.1 255.255.255.0
ip nat inside
no ip virtual-reassembly
duplex auto
speed auto
!
!
ip local pool vpn 172.16.4.0 172.16.4.20
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 173.219.88.1
ip route 172.16.4.0 255.255.255.0 173.219.88.1
!
ip access-list extended VPN
permit ip 10.10.50.0 0.0.0.255 172.16.4.0 0.0.0.255
permit ip 172.16.4.0 0.0.0.255 10.10.50.0 0.0.0.255
deny ip any any log
!
access-list 101 permit ip 10.10.50.0 0.0.0.255 any
!
08-08-2012 11:21 PM
You have to exclude your VPN-traffic from being NATted. With your config the traffic gets sent to the internal host, the answers come back to the router where they are NATted to your public IP. After that they don't match the crypto-definition any more. So exclude that traffic (intLAN-> VPN) in your ACL 101.
And in your ACL VPN, only the first line is needed.
08-09-2012 02:41 AM
You must rewrite ACL 101 as this:
access-list 101 deny ip 10.10.50.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 101 permit ip 10.10.50.0 0.0.0.255 any
and I see:
ip access-list extended VPN
permit ip 10.10.50.0 0.0.0.255 172.16.4.0 0.0.0.255
permit ip 172.16.4.0 0.0.0.255 10.10.50.0 0.0.0.255
In this ACL,
permit ip 172.16.4.0 0.0.0.255 10.10.50.0 0.0.0.255
is not needed.
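The NAT-exemption point made in the two replies above, as an added example that is not part of the thread: a small Python simulator of IOS ACL evaluation (wildcard masks, first match wins, implicit deny), using constructed host addresses from the poster's two subnets, showing that the original ACL 101 NATs a LAN host's reply to a VPN client while the corrected ACL exempts it.

```python
import ipaddress
from typing import List, Tuple
# Added example (not from the thread): a minimal simulator of IOS ACL
# evaluation (wildcard masks, first match wins, implicit deny) showing
# why ACL 101 NATted the LAN->VPN replies and why the deny line fixes it.

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def _addr_spec(tok: List[str], i: int) -> Tuple[str, str, int]:
    """Return (address, wildcard, next_index) for 'any', 'host X' or 'X WILDCARD'."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2

def parse_acl(text: str) -> List[Tuple[str, str, str, str, str]]:
    """Parse '[access-list N] {permit|deny} ip SRC DST' lines into ACEs."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "access-list":
            tok = tok[2:]                  # drop 'access-list' and the list number
        src, swc, i = _addr_spec(tok, 2)   # tok[0] is the action, tok[1] the protocol ('ip')
        dst, dwc, _ = _addr_spec(tok, i)
        aces.append((tok[0], src, swc, dst, dwc))
    return aces

def acl_action(aces, src: str, dst: str) -> str:
    for action, s, sw, d, dw in aces:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action                  # first matching entry wins
    return "deny"                          # implicit deny at the end of every ACL

def is_natted(nat_acl: str, src: str, dst: str) -> bool:
    """'ip nat inside source list 101 ...' translates only packets ACL 101 permits."""
    return acl_action(parse_acl(nat_acl), src, dst) == "permit"

# The poster's original NAT ACL and the corrected one from the replies.
ORIGINAL_NAT_ACL = "access-list 101 permit ip 10.10.50.0 0.0.0.255 any"
FIXED_NAT_ACL = """
access-list 101 deny ip 10.10.50.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 101 permit ip 10.10.50.0 0.0.0.255 any
"""
```

With the original ACL, `is_natted(ORIGINAL_NAT_ACL, "10.10.50.25", "172.16.4.5")` is True (the reply is rewritten to the public address and no longer matches the crypto ACL); with the fixed ACL it is False while Internet-bound traffic is still translated.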