cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1558
Views
0
Helpful
9
Replies
Chris Johnson
Beginner

Cannot access remote resources - Cisco VPN Client

I am having an issue with my Cisco VPN Client. I am new to VPN setup, so this is probably something easy I am missing. I have a 2611XM router acting as my internet gateway for my local lan, and my VPN Server. I am doing all my testing from a company laptop with a mobile broadband card. The VPN will connect, but anytime I ping anything within the inside network, it comes back with the public IP of the outside interface. I have NAT overload configured so everything on the inside network can access the internet, which it looks like might be causing my problem. I just do not know how to fix it. My running config is attatched. Does anyone know what could be going on.

Oh, almost forgot to add. When i remove the nat overload on my fa0/1 interface, the vpn will connect to any resource on the inside.

2 ACCEPTED SOLUTIONS

Accepted Solutions
PAUL GILBERT ARIAS
Contributor

Your nat configuration seems to be causing the issue. If your are using an ACL to match the source for the NAT then it will ne necessary to add as line 1 a deny for the ip local pool of your vpn clients to any. try that to see how it goes.

Sent from Cisco Technical Support iPhone App

View solution in original post

Hi Chris,

No no. It should be like below.

ip access-list extended Public_ACL

10 deny ip any 10.10.10.0 0.0.0.255

20 permit ip 192.168.1.0 0.0.0.255 any

30 permit ip 192.168.2.0 0.0.0.255 any

40 permit ip 192.168.3.0 0.0.0.255 any

ip nat inside source list Public_ACL interface FastEthernet0/1 overload

Please rate if this helps

Thanks,

kasi

View solution in original post

9 REPLIES 9
PAUL GILBERT ARIAS
Contributor

Your nat configuration seems to be causing the issue. If your are using an ACL to match the source for the NAT then it will ne necessary to add as line 1 a deny for the ip local pool of your vpn clients to any. try that to see how it goes.

Sent from Cisco Technical Support iPhone App

View solution in original post

Kasiraman S
Beginner

Hi Chris,

Whats happening is traffic destined to the VPN clients (10.10.10.0/24) are being natted out to the public IP. Also you have standard ACL in place to match the interesting traffic for PAT. Remove the standard ACL entry and add a Extended ACL entry so that you can deny the traffic destined to the VPN clients.


Example:

ip access-list extended PAT_ACL

10 deny ip any 10.10.10.0 0.0.0.255

20 permit blah blah

30 permit blah blah

Please rate if this helps.

Thanks,

Kasi

Thanks! I will try that. So what i need is something like this....

ip access-list extended Public_ACL

10 deny ip any 10.10.10.0 0.0.0.255

20 permit ip any 192.168.1.0 0.0.0.255

30 permit ip any 192.168.2.0 0.0.0.255

40 permit ip any 192.168.3.0 0.0.0.255

I will give that a shot now and post back shortly!

Chris

Hi Chris,

No no. It should be like below.

ip access-list extended Public_ACL

10 deny ip any 10.10.10.0 0.0.0.255

20 permit ip 192.168.1.0 0.0.0.255 any

30 permit ip 192.168.2.0 0.0.0.255 any

40 permit ip 192.168.3.0 0.0.0.255 any

ip nat inside source list Public_ACL interface FastEthernet0/1 overload

Please rate if this helps

Thanks,

kasi

View solution in original post

You both nailed it! Thanks so much. Just a note, to get the internet working again on my PC on the inside network, i had

to add a permit any any at the end. I think I understand a bit more why this needed an extended list instead of a standard.

Chris

I cant understand one thing. Are you trying to access the internet from the VPN client PC from remote location or from the Local PC sitting in the local site. If it is a lcoal PC can you tell me the IP address of the PC?

Thanks,

Kasi

Chris Johnson
Beginner

From local pc in local site. Ip is 192.168.2.100, do you want me to send the access list I added to the router?

Sent from Cisco Technical Support iPhone App

Looks like the PC IP is part of the ACL we defined in the previous post and its matches the sequence 30. Also if you add permit any any at the end will allow all inside ip to be natted to the outside IP. please post your acl entries.

Thanks,

Kasi

I think I figured this out. I had the source and destination fields backwards in my ACL. Instead of having 192.168.1.0 first as a source, I had it marked as anything going to that destination. All of my subnets were set this way in the ACL i setup, so naturally, all source subnets I wanted natted were denied.

I will post the ACL in a few minutes, I am acutally in the process of changing routers. I got a 2801 I am changing to so I can use the 2611 for testing only.

创建
Recognize Your Peers
Polls
Which of these topics should we host an event in the Community?

Top Choice: pxGrid (35%)

Content for Community-Ad