06-21-2003 05:33 AM - edited 02-21-2020 12:37 PM
I have a Cisco 2611XM router at the central site with two FastEthernet interfaces (FastEthernet0/0 and FastEthernet0/1). FE0/0 has the private IP address 192.168.1.1/24 and connects to the LAN 192.168.1.0/24. FE0/1 has the public address x.x.x.x/30 and connects to the Internet. On this router there is NAT with overload. This router has to give remote-access clients using the Cisco VPN Client over the Internet access to the LAN, and at the same time give local users access to the Internet. I have made a config which establishes a tunnel between the clients and the router, but I cannot ping any devices on the local LAN. The router also needs to give access to a remote LAN in site-to-site scenarios.
I can establish a tunnel between my PC and the router via a dial-up connection over the Internet. But when the tunnel is established I cannot ping any public IP address except my public IP address on the router. I can ping any other clients who have an IP address from the client pool.
06-22-2003 09:46 PM
Sounds like you're not denying the crypto traffic from the NAT process. Keep in mind that NAT happens BEFORE encryption within the router, so if you're doing NAT overload, you need to stop the router from NAT'ing the IPSec traffic.
Here's a good example (http://www.cisco.com/warp/public/707/ios_D.html), showing a LAN-to-LAN tunnel and an older version of the client. Check out the NAT commands in particular, and their reference to access-list 110. The access list denies the NAT'ing of traffic from the local network to the L2L remote network and to the pool of addresses assigned to the VPN clients, but allows the NAT'ing of the local traffic if it goes anywhere else (to the Internet).
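To make the point above concrete, here is an added example (not part of the original thread and not a Cisco tool) that models how the access list referenced by a `nonat` route-map decides, flow by flow, whether a packet is translated before it reaches the crypto map: a first-match permit means "translate", a deny or no match means "leave untranslated". It parses the thread's own list 7 and the list 101 proposed in the replies. The host addresses used in the test flows (192.168.1.50, 10.1.1.150, 198.51.100.10) are constructed for the example, and only contiguous wildcard masks and plain `ip` entries are modelled.

```python
"""Model the NAT decision behind `ip nat inside source route-map nonat ...`.

The route-map's ACL is evaluated first-match: permit -> translate,
deny (or no match) -> exempt from NAT, so the packet can still be encrypted.
"""
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco address/wildcard pair to a CIDR network.

    A wildcard is an inverted mask: 0.0.0.255 covers a /24, 0.0.0.0 a single
    host.  Explicit bit arithmetic is used because 0.0.0.0 and 255.255.255.255
    are ambiguous between netmask and hostmask if handed to ipaddress as text.
    Only contiguous masks are modelled (IOS also allows non-contiguous ones).
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = wc ^ 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    network = int(ipaddress.IPv4Address(addr)) & mask
    return ipaddress.IPv4Network((network, prefix))


def _parse_addr(tokens):
    """Consume one address spec ('any' | 'host A' | 'A WILDCARD' | 'A')
    and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return wildcard_to_network(tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) == 1:  # standard-ACL shorthand for a single host
        return wildcard_to_network(tokens[0], "0.0.0.0"), []
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines):
    """Parse numbered `access-list` lines into (action, src, dst) entries.
    Standard lists (1-99) match on source only; extended lists (100-199)
    carry a protocol keyword, which must be 'ip' for this model."""
    aces = []
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"unexpected line: {line}")
        number, action = int(tok[1]), tok[2]
        if number <= 99:
            src, _ = _parse_addr(tok[3:])
            dst = ANY
        else:
            if tok[3] != "ip":
                raise ValueError(f"only 'ip' entries are modelled: {line}")
            src, rest = _parse_addr(tok[4:])
            dst, _ = _parse_addr(rest)
        aces.append((action, src, dst))
    return aces


def nat_applies(aces, src, dst):
    """True if the flow would be translated: the first matching entry decides,
    permit -> NAT, deny -> exempt.  An unmatched flow is implicitly denied,
    i.e. also left untranslated."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, snet, dnet in aces:
        if s in snet and d in dnet:
            return action == "permit"
    return False


# The thread's original translation list (standard ACL, source only) ...
ORIGINAL_LIST_7 = ["access-list 7 permit 192.168.1.0 0.0.0.255"]
# ... and the nonat list from the replies (VPN pool is 10.1.1.100-200).
NONAT_LIST_101 = [
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
]
# Constructed flows: a LAN host talking to a VPN client from the pool, and
# to an Internet host (198.51.100.10 is RFC 5737 documentation space).
FLOWS = {
    "lan_to_vpn_client": ("192.168.1.50", "10.1.1.150"),
    "lan_to_internet": ("192.168.1.50", "198.51.100.10"),
}


def translated_flows(acl_lines, flows=FLOWS):
    """Map each named flow to whether the given ACL lets NAT translate it."""
    aces = parse_acl(acl_lines)
    return {name: nat_applies(aces, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    # list 7 translates LAN->VPN traffic (the symptom in the thread);
    # list 101 exempts it while still translating Internet-bound traffic.
    print("list 7  :", translated_flows(ORIGINAL_LIST_7))
    print("list 101:", translated_flows(NONAT_LIST_101))
```

Running it shows the difference the replies describe: with list 7 every LAN source is translated, including traffic destined for the VPN pool, so it leaves the router with the public address and never matches the crypto map; with list 101 the VPN-bound flow is exempt and only Internet-bound traffic is overloaded. Because evaluation is first-match, the `deny` must precede the `permit ... any`; reversing the two lines silently reintroduces the original problem.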
06-22-2003 10:03 PM
Hi,
Please find the answers to your queries
1. Access to your Internal network once the vpn tunnel is established
You'll have to make sure that the vpn traffic does not get NATed. You could create a route-map to bypass NAT
For example, if the client pool defined on your router is 10.1.1.1-10.1.1.x
and your internal network is 192.168.1.0/24, then you can configure the following
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat 10
match ip address 101
Change your nat statement to
ip nat inside source route-map nonat
If you have a NAT pool defined, replace the
2. Once tunnel is established you cannot ping any public address
You'll need to enable split tunnelling. The sample config can be found at
Thanks
Ranjana
06-22-2003 10:34 PM
This is my config file:
-------
Current configuration : 1863 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco2611XM
!
enable secret 5 $1$CJ.F$XtuSBlPaR7kaMkGvRw.eK0
enable password xxxxx
!
username test password 0 test
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group 3000client
key cisco123
dns 192.168.1.100
domain cpn.vwg
pool ippool
acl 102
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip mroute-cache
speed auto
half-duplex
!
interface FastEthernet0/1
ip address xxx.yyy.zzz.www 255.255.255.252
ip nat outside
no ip mroute-cache
duplex auto
speed auto
crypto map clientmap
!
ip local pool ippool 10.1.1.100 10.1.1.200
ip nat pool internet xxx.yyy.zzz.www xxx.yyy.zzz.www prefix-length 30
ip nat inside source list 7 pool internet overload
ip classless
ip route 0.0.0.0 0.0.0.0 195.222.36.201
ip route 10.112.192.0 255.255.192.0 192.168.1.101
ip http server
!
!
access-list 7 permit 192.168.1.0 0.0.0.255
!
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password proba
!
!
end
-------
I can establish a tunnel and ping any client device that connects with VPN (10.1.1.1xx). I can also ping 192.168.1.1, but I get the reply from my public address xxx.yyy.zzz.www(?).
I tried with route-map nonat, but when I put in route-map nonat 10 (I configure the router online) I lost my connection. So I am not sure it will resolve my problem.
Please look at my config and tell me what I have to do, because it is really urgent.
thanks
06-22-2003 11:02 PM
Adding the route-map nonat should not make you lose the connection to the router.
The commands that you'll need to put in are
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
match ip address 101
You'll have to either clear the nat translations or take off the commands "ip nat outside" and "ip nat inside" temporarily while you are taking the following command off
no ip nat inside source list 7 pool internet overload
and add the command
ip nat inside source route-map nonat pool internet overload
Make sure you reapply the "ip nat inside" and "ip nat outside" commands back else your internal users will not be able to go out to the internet.
You can lookup this config in the link which Glenn has sent you -
http://www.cisco.com/warp/public/707/ios_D.html
I've pasted the lines which you should be looking at in the sample config below
!--- Except the private network and VPN Client traffic from the NAT process.
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
!--- Except the private network and VPN Client traffic from the NAT process.
route-map nonat permit 10
match ip address 110
!--- Except the private network and VPN Client traffic from the NAT process.
ip nat inside source route-map nonat interface FastEthernet0/0 overload
Thanks
Ranjana
06-23-2003 12:55 AM
When I try to remove it with "no ip nat inside source list 7 pool internet overload"
I get the message: "Dynamic mapping in use, cannot remove"
(I put in no ip nat inside and no ip nat outside)
06-23-2003 02:34 AM
Thanks a lot Ranjana,
it works now.
06-22-2003 10:52 PM
Sorry, I forgot this line in the config:
access-list 102 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255