Cannot access remote resources - Cisco VPN Client

Chris Johnson
Level 1

I am having an issue with my Cisco VPN Client. I am new to VPN setup, so this is probably something easy I am missing. I have a 2611XM router acting as my internet gateway for my local LAN, and my VPN Server. I am doing all my testing from a company laptop with a mobile broadband card. The VPN will connect, but anytime I ping anything within the inside network, it comes back with the public IP of the outside interface. I have NAT overload configured so everything on the inside network can access the internet, which it looks like might be causing my problem. I just do not know how to fix it. My running config is attached. Does anyone know what could be going on?

Oh, almost forgot to add. When I remove the NAT overload on my fa0/1 interface, the VPN will connect to any resource on the inside.


Your NAT configuration seems to be causing the issue. If you are using an ACL to match the source for the NAT, then it will be necessary to add as line 1 a deny for the ip local pool of your VPN clients to any. Try that to see how it goes.


Kasiraman S
Level 1

Hi Chris,

What's happening is that traffic destined to the VPN clients (10.10.10.0/24) is being natted out to the public IP. Also, you have a standard ACL in place to match the interesting traffic for PAT. Remove the standard ACL entry and add an extended ACL entry so that you can deny the traffic destined to the VPN clients.


Example:

ip access-list extended PAT_ACL
 10 deny ip any 10.10.10.0 0.0.0.255
 20 permit blah blah
 30 permit blah blah

Please rate if this helps.

Thanks,

Kasi

Thanks! I will try that. So what I need is something like this....

ip access-list extended Public_ACL
 10 deny ip any 10.10.10.0 0.0.0.255
 20 permit ip any 192.168.1.0 0.0.0.255
 30 permit ip any 192.168.2.0 0.0.0.255
 40 permit ip any 192.168.3.0 0.0.0.255

I will give that a shot now and post back shortly!

Chris

Hi Chris,

No no. It should be like below.

ip access-list extended Public_ACL
 10 deny ip any 10.10.10.0 0.0.0.255
 20 permit ip 192.168.1.0 0.0.0.255 any
 30 permit ip 192.168.2.0 0.0.0.255 any
 40 permit ip 192.168.3.0 0.0.0.255 any

ip nat inside source list Public_ACL interface FastEthernet0/1 overload

Please rate if this helps

Thanks,

kasi

You both nailed it! Thanks so much. Just a note, to get the internet working again on my PC on the inside network, I had to add a permit any any at the end. I think I understand a bit more why this needed an extended list instead of a standard.

Chris

I can't understand one thing. Are you trying to access the internet from the VPN client PC from a remote location, or from the local PC sitting in the local site? If it is a local PC, can you tell me the IP address of the PC?

Thanks,

Kasi

Chris Johnson
Level 1

From local PC in local site. IP is 192.168.2.100, do you want me to send the access list I added to the router?


Looks like the PC IP is part of the ACL we defined in the previous post and it matches sequence 30. Also, adding permit any any at the end will allow all inside IPs to be natted to the outside IP. Please post your ACL entries.

Thanks,

Kasi

I think I figured this out. I had the source and destination fields backwards in my ACL. Instead of having 192.168.1.0 first as a source, I had it marked as anything going to that destination. All of my subnets were set this way in the ACL I set up, so naturally, all source subnets I wanted natted were denied.

I will post the ACL in a few minutes; I am actually in the process of changing routers. I got a 2801 I am changing to so I can use the 2611 for testing only.
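
Added example (not part of the original thread, and not Cisco code): a small Python model of the first-match ACL evaluation that decides whether "ip nat inside source list" translates a packet, run over the ACLs posted above. The VPN client 10.10.10.5, the internet host 203.0.113.10 and the source-only entry standing in for the original standard ACL are assumptions, since the attached running config is not shown.

```python
import ipaddress

def _spec(tokens):
    """Consume one address spec: 'any' or '<addr> <wildcard>'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (base, wild), tokens[2:]

def parse_ace(line):
    """Parse '<seq> <permit|deny> ip <source> <destination>'."""
    tok = line.split()
    src, rest = _spec(tok[3:])
    dst, _ = _spec(rest)
    return int(tok[0]), tok[1], src, dst

def _hit(spec, ip):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def nat_decision(acl, src, dst):
    """First match wins: 'permit' = translate (PAT), 'deny' = leave untranslated."""
    for line in acl.strip().splitlines():
        seq, action, s, d = parse_ace(line)
        if _hit(s, src) and _hit(d, dst):
            return action, seq
    return "deny", None  # implicit deny at the end: not translated

# Assumption: source-only match, standing in for the original standard ACL
SOURCE_ONLY = "10 permit ip 192.168.2.0 0.0.0.255 any"
# Chris's first attempt from the thread: inside subnets in the destination field
REVERSED = """
10 deny ip any 10.10.10.0 0.0.0.255
20 permit ip any 192.168.1.0 0.0.0.255
30 permit ip any 192.168.2.0 0.0.0.255
40 permit ip any 192.168.3.0 0.0.0.255
"""
# Kasi's corrected list from the thread
CORRECTED = """
10 deny ip any 10.10.10.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 any
30 permit ip 192.168.2.0 0.0.0.255 any
40 permit ip 192.168.3.0 0.0.0.255 any
"""
PC, VPN_CLIENT, INTERNET = "192.168.2.100", "10.10.10.5", "203.0.113.10"  # last two constructed

if __name__ == "__main__":
    for name, acl in [("source-only", SOURCE_ONLY), ("reversed", REVERSED), ("corrected", CORRECTED)]:
        print(name, "| to VPN client:", nat_decision(acl, PC, VPN_CLIENT),
              "| to internet:", nat_decision(acl, PC, INTERNET))
```

With the source-only entry, replies to the VPN client are translated, which is the symptom in the first post; with the reversed list, internet-bound traffic from the inside PC falls through to the implicit deny and is never translated.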
