Cisco - EZVPN Server - clients connect but cannot pass traffic

Arup Dutta
Level 1

Hi,

The router is performing PAT for internet access and I'm trying to enable it as an EZVPN server. Using the VPN client, I'm able to connect and bring up the tunnel. However, once I'm in, I cannot pass traffic nor ping the router LAN interface (on same subnet). Any thoughts?

version 12.3
no parser cache
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname igw
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret xxx
!
username xxx password xxx
username zzz password zzz
aaa new-model
!
!
aaa authorization network biotxvpn local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
!
no ip domain lookup
ip domain name blah.blah
ip name-server public.ip
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group biotxvpn
key password
dns 192.168.0.11
wins 192.168.0.11
domain same.as.internal.hosts
pool dynpool
acl vpn_routes
max-users 6
netmask 255.255.255.0
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
!
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
!
!
!
crypto map dynmap isakmp authorization list biotxvpn
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Loopback0
ip address 209.x.x.x 255.255.255.255
ip nat outside
crypto map dynmap
!
interface FastEthernet0/0
description Ethernet LAN
ip address 192.168.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
crypto map dynmap
!
interface Serial0/0
description Internet WAN
ip address 10.0.36.170 255.255.255.252
ip nat outside
encapsulation ppp
no fair-queue
service-module t1 timeslots 1-24
crypto map dynmap
!
ip local pool dynpool 192.168.0.100 192.168.0.120
ip nat inside source list 1 interface Loopback0 overload
ip nat inside source static tcp 192.168.0.68 80 209.z.z.z 80 extendable
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
ip access-list extended vpn_routes
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
no cdp run
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
password xxx
!
!
!
end



I appreciate your help,


Jennifer Halim
Cisco Employee

You would need to change ACL 1 assigned to the NAT translation to an extended ACL to exempt the VPN traffic.

Change from the following:

ip nat inside source list 1 interface Loopback0 overload

To:

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

ip nat inside source list 101 interface Loopback0 overload

no ip nat inside source list 1 interface Loopback0 overload

Hope that helps.
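The NAT-exemption logic from the reply, as an added Python example that is not part of the thread or of any Cisco tooling: it evaluates ACL 1 and the proposed ACL 101 with IOS wildcard-mask, first-match semantics against the return packet a LAN host sends to a VPN client. The LAN subnet and pool address come from the config above; the sample host and Internet addresses are constructed.

```python
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match the network, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) & 0xFFFFFFFF == (n & ~w) & 0xFFFFFFFF


# Each ACE is (action, (src_net, src_wildcard), (dst_net, dst_wildcard)).
ANY = ("0.0.0.0", "255.255.255.255")


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry decides; an implicit deny sits at the end of every IOS ACL."""
    for action, (sn, sw), (dn, dw) in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False


# ACL 1 from the question: a standard ACL, so it only looks at the source address.
ACL_1 = [("permit", ("192.168.0.0", "0.0.0.255"), ANY)]

# ACL 101 from the reply: exempt LAN -> VPN pool first, then PAT everything else.
ACL_101 = [
    ("deny", ("192.168.0.0", "0.0.0.255"), ("192.168.0.0", "0.0.0.255")),
    ("permit", ("192.168.0.0", "0.0.0.255"), ANY),
]


def will_be_translated(acl, src: str, dst: str) -> bool:
    """'ip nat inside source list' translates an inside->outside packet only if the ACL permits it.
    On IOS, NAT runs before the crypto map on this path, so a translated reply no longer
    matches the VPN client's route and is never encrypted."""
    return acl_permits(acl, src, dst)


if __name__ == "__main__":
    lan_host, vpn_client, internet = "192.168.0.11", "192.168.0.100", "198.51.100.7"  # constructed
    print("ACL 1,   LAN -> VPN client:", will_be_translated(ACL_1, lan_host, vpn_client))    # True: tunnel broken
    print("ACL 101, LAN -> VPN client:", will_be_translated(ACL_101, lan_host, vpn_client))  # False: exempt
    print("ACL 101, LAN -> Internet:  ", will_be_translated(ACL_101, lan_host, internet))    # True: PAT still works
```

Note that the exemption only holds because the deny entry precedes the permit; swapping the two lines of ACL 101 silently restores the original failure.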