
Cisco VPN Client Router 2801

cmiranda23 (Level 1)

Hello,

I have set up a Cisco 2801 router to accept VPN connections. I'm using the Cisco VPN client; the tunnel is created and the SAs are being created.

However, I can't ping my VLANs (only the ones that have a NAT inside ACL; the ones that don't have that declared I can ping), so I have a NAT problem, just not sure where.

Here is the part of my configuration with the ACLs:

ip local pool ippool 192.168.100.10 192.168.100.100
ip default-gateway X.X.X.X (ISP GATEWAY)
ip forward-protocol nd
ip http server
no ip http secure-server
ip http path flash:
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source list 2 interface FastEthernet0/1 overload
ip nat inside source list 3 interface FastEthernet0/1 overload
ip nat inside source list 6 interface FastEthernet0/1 overload
ip nat inside source list 20 interface FastEthernet0/1 overload
ip nat inside source route-map NONAT interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 X.X.X.X (Outside IP address)
ip route 192.168.10.0 255.255.255.0 192.168.90.2
ip route 192.168.20.0 255.255.255.0 192.168.90.2
ip route 192.168.30.0 255.255.255.0 192.168.90.2
ip route 192.168.40.0 255.255.255.0 192.168.90.2
ip route 192.168.50.0 255.255.255.0 192.168.90.2
ip route 192.168.60.0 255.255.255.0 192.168.90.2
ip route 192.168.200.0 255.255.255.0 192.168.90.2
!
ip access-list extended NAT
 deny   ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.30.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.60.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.90.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.30.0 0.0.0.255 any
 permit ip 192.168.60.0 0.0.0.255 any
 permit ip 192.168.90.0 0.0.0.255 any
!
access-list 1 permit 192.168.90.0 0.0.0.255
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 3 permit 192.168.30.0 0.0.0.255
access-list 6 permit 192.168.60.0 0.0.0.255
access-list 20 permit 192.168.200.0 0.0.0.255
!
route-map NONAT permit 10
 match ip address NAT
!

The 192.168.90.2 address is my L3 switch (Cisco 3750).

Any pointer is more than welcome,

Regards


6 Replies

raga.fusionet (Level 4), accepted solution

Miranda,

Have you tried removing the following lines:

ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source list 2 interface FastEthernet0/1 overload
ip nat inside source list 3 interface FastEthernet0/1 overload
ip nat inside source list 6 interface FastEthernet0/1 overload
ip nat inside source list 20 interface FastEthernet0/1 overload

and leaving just this one?

ip nat inside source route-map NONAT interface FastEthernet0/1 overload

If you have all the necessary permits on the NAT ACL, you don't need the individual lines for each network.

Also, I noticed that your ACL 20 reads

access-list 20 permit 192.168.200.0 0.0.0.255

but your NAT ACL reads

permit ip 192.168.20.0 0.0.0.255 any

I think you have a typo there: you have 200 on one and 20 on the other.

Check it out and let me know how it goes. Remember to clear the NAT table after removing those lines:

clear ip nat trans *

I hope this helps!

Raga
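Why the five "source list" rules break the VPN return path, and what removing them changes, can be seen by modelling the router's first-match ACL evaluation over the ACLs in the post. This is an added example, not code from the thread or from Cisco; it transcribes the posted ACLs and assumes that a flow is translated whenever any of the configured dynamic NAT rules' ACLs permits it (a deny in one rule's ACL only means that rule does not match). The standard lists 1, 2, 3, 6 and 20 match on source only, so a VLAN 10 host replying to a VPN client (192.168.100.10, from the posted pool) is translated to the FastEthernet0/1 address under the posted config, which is consistent with the observation that only VLANs with a standard NAT list were unreachable. The Internet destination 203.0.113.1 is a constructed example address. The model also shows the consequence of the 200-vs-20 typo Raga spotted: once only the route-map rule remains, 192.168.200.0/24 has no permit in the NAT ACL and stops being translated.

```python
"""Model IOS first-match ACL evaluation to see which flows the router will NAT."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry. A standard ACL has a source spec only."""
    action: str            # "permit" or "deny"
    src: str               # "192.168.10.0 0.0.0.255" or "any"
    dst: str = "any"


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def acl_result(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"


# ACLs transcribed from the original post.
NAT_ACL = [
    Ace("deny", "192.168.10.0 0.0.0.255", "192.168.100.0 0.0.0.255"),
    Ace("deny", "192.168.20.0 0.0.0.255", "192.168.100.0 0.0.0.255"),
    Ace("deny", "192.168.30.0 0.0.0.255", "192.168.100.0 0.0.0.255"),
    Ace("deny", "192.168.60.0 0.0.0.255", "192.168.100.0 0.0.0.255"),
    Ace("deny", "192.168.90.0 0.0.0.255", "192.168.100.0 0.0.0.255"),
    Ace("permit", "192.168.10.0 0.0.0.255"),
    Ace("permit", "192.168.20.0 0.0.0.255"),
    Ace("permit", "192.168.30.0 0.0.0.255"),
    Ace("permit", "192.168.60.0 0.0.0.255"),
    Ace("permit", "192.168.90.0 0.0.0.255"),
]
STANDARD_LISTS = {
    1: [Ace("permit", "192.168.90.0 0.0.0.255")],
    2: [Ace("permit", "192.168.10.0 0.0.0.255")],
    3: [Ace("permit", "192.168.30.0 0.0.0.255")],
    6: [Ace("permit", "192.168.60.0 0.0.0.255")],
    20: [Ace("permit", "192.168.200.0 0.0.0.255")],   # note: 200, not 20
}


def translated_by_posted_config(src: str, dst: str) -> bool:
    """Posted config: five 'source list N' rules plus the route-map rule, all
    translating to Fa0/1. Modelling assumption: the flow is NATed if any rule's
    ACL permits it; a deny only means 'this rule does not match'."""
    if any(acl_result(acl, src, dst) == "permit" for acl in STANDARD_LISTS.values()):
        return True
    return acl_result(NAT_ACL, src, dst) == "permit"


def translated_by_fixed_config(src: str, dst: str) -> bool:
    """Fixed config: only the route-map rule remains, so the extended ACL's
    deny entries actually exempt VLAN-to-VPN-pool traffic."""
    return acl_result(NAT_ACL, src, dst) == "permit"


VPN_CLIENT = "192.168.100.10"   # first address of the posted 'ip local pool ippool'
INTERNET = "203.0.113.1"        # constructed example destination (TEST-NET-3)

FLOWS = [
    ("192.168.10.5", VPN_CLIENT),   # VLAN 10 host replying to a VPN client
    ("192.168.10.5", INTERNET),     # VLAN 10 host browsing
    ("192.168.200.5", INTERNET),    # the 200-vs-20 typo Raga spotted
    ("192.168.20.5", INTERNET),     # the subnet the NAT ACL actually permits
]


def compare(flows=FLOWS):
    """(src, dst, translated under posted config, translated under fixed config)"""
    return [(s, d, translated_by_posted_config(s, d), translated_by_fixed_config(s, d))
            for s, d in flows]


if __name__ == "__main__":
    print(f"{'source':<16}{'destination':<16}{'posted':<8}fixed")
    for s, d, posted, fixed in compare():
        print(f"{s:<16}{d:<16}{str(posted):<8}{fixed}")
```

Run it and the first row shows the problem: the VLAN 10 reply to 192.168.100.10 is translated under the posted configuration and exempt under the fixed one. The third row is the cost of the typo: 192.168.200.0/24 was only ever NATed by list 20, so after consolidation it needs its own entries in the extended ACL.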

Todd,

Thank you for your prompt reply. If I remove those lines that you mention, I can ping the VLAN without a problem. One question though: are the users on those VLANs, especially the ones on VLAN 10 and VLAN 60, able to use the internet?

Besides that question (it might be a dumb question), everything seems to work OK.

Thank you

Regards,

Luis,

Thank you for your prompt reply. When I remove those lines I can ping all my VLANs from the VPN client, but my question is: will the users on VLAN 10 and VLAN 60 still be able to access the internet as they were doing until today?

As always, you guys are a great help.

I'm getting a lot of expertise on these VPN connections, so I might not need to ask you guys such simple (dumb) questions ;-)

Regards,

Based on the configuration, the users on the 192.168.10.0 and 192.168.60.0 should have IP reachability to the Internet.  

Todd

Todd Pula (Level 7), accepted solution

Typically you will only have a single NAT overload configuration on an interface.  You can remove NAT lines 1, 2, 3, 6, and 20 leaving just the nat inside statement with the route-map.  This should address your need to bypass NAT for your return traffic towards the 192.168.100.0/24 subnet while permitting NAT for everything else.  Please also make sure that you have the "ip nat inside" and "ip nat outside" commands applied correctly to your interfaces participating in the NAT process.

Todd
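The consolidated configuration Todd and Raga describe, as an added example that is not from the thread: the five per-VLAN overload rules are removed, the route-map rule is kept, and the checks they mention follow. The interface roles (FastEthernet0/0 as NAT inside, FastEthernet0/1 as NAT outside) are assumed from the "interface FastEthernet0/1 overload" rules in the post; the page does not show the interface configuration, so adjust them to match the router.

```cisco
! Remove the per-VLAN overload rules. Their standard ACLs match on source only,
! so they translate VLAN-to-VPN-pool replies regardless of the denies in NAT.
no ip nat inside source list 1 interface FastEthernet0/1 overload
no ip nat inside source list 2 interface FastEthernet0/1 overload
no ip nat inside source list 3 interface FastEthernet0/1 overload
no ip nat inside source list 6 interface FastEthernet0/1 overload
no ip nat inside source list 20 interface FastEthernet0/1 overload
!
! The one remaining dynamic rule: translate only what the extended ACL permits.
ip nat inside source route-map NONAT interface FastEthernet0/1 overload
!
route-map NONAT permit 10
 match ip address NAT
!
ip access-list extended NAT
 ! deny = do not translate: traffic from each inside VLAN to the VPN pool
 deny   ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.30.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.60.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.90.0 0.0.0.255 192.168.100.0 0.0.0.255
 ! permit = translate: everything else from those VLANs (Internet access)
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.30.0 0.0.0.255 any
 permit ip 192.168.60.0 0.0.0.255 any
 permit ip 192.168.90.0 0.0.0.255 any
 ! The removed list 20 covered 192.168.200.0/24, which has no entry above.
 ! If that VLAN needs Internet access, give it a deny to the pool and a permit to any.
!
! NAT only acts between an inside and an outside interface (assumed roles).
interface FastEthernet0/0
 ip nat inside
interface FastEthernet0/1
 ip nat outside
!
! Verification after the change:
! - flush translations built under the old rules
clear ip nat translation *
! - the dynamic mappings section should list only the NONAT route-map rule
show ip nat statistics
! - no entry should have an inside-local VLAN address paired with a 192.168.100.x destination
show ip nat translations
! - the deny counters should increment while a VPN client pings a VLAN host
show ip access-lists NAT
```

The `ip nat inside`/`ip nat outside` pair is the part Todd asks to double-check: without both, the route-map rule never fires and nothing is translated, which looks like a different failure (no Internet from any VLAN) than the one in the post.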

Miranda,

Just like Todd pointed out, the route map alone, with all the "denys" for the traffic between your internal VLANs and the VPN pool plus the "permits" from your internal VLANs to any, should do it.

Glad we could help.

Have fun!

Luis Raga
