07-02-2016 10:09 AM
Hi,
I've configured my Cisco 851 as an EZVPN server. The client with Cisco VPN Client 5.0.07 can connect correctly through the VPN, but can only ping the router. No access to the local LAN or the Internet. I want ALL the traffic to pass through the VPN tunnel.
Can someone help me? I've tried all the solutions I found on the internet, but it still won't work!!!
The Cisco 851 is connected by Fa4 to a router (ip 192.168.1.1) supplied by my Internet Provider, which acts as a DNS server and firewall. I've already opened the necessary ports for VPN; in fact the clients outside the network can connect by VPN to the Cisco 851.
The scenario I want to obtain is: the VPN clients can access both network 192.168.1.0/24 (ISP LAN) and 10.1.0.0/24 (Cisco LAN), and obviously the Internet.
Now when I launch and connect a client through VPN, it can only ping the Cisco 851 and the 192.168.1.1 router, nothing else. When I'm on the VPN I can also log in to the Cisco 851 using telnet, which makes me sure that the VPN works.
Please help me!
Here is the Cisco 851 configuration:
Router#sh run
Building configuration...
Current configuration : 2486 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$XpLw$Llwm97ymCQkmt1nPjuR1
enable password ijkkjjkjlk
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login USER local
aaa authorization network GROUP local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.0.1
!
ip dhcp pool sdm-pool1
network 10.1.0.0 255.255.255.0
dns-server 192.168.1.1 8.8.8.8
default-router 10.1.0.1
!
!
ip cef
ip name-server 192.168.1.1
ip name-server 8.8.8.8
!
!
!
username stefano password 0 cisco
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 7200
crypto isakmp key Cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local EZVPN_POOL
!
crypto isakmp client configuration group EZVPN
key Cisco123
dns 192.168.1.1
pool EZVPN_POOL
netmask 255.255.255.0
crypto isakmp profile EZVPN_PROFILE
match identity group EZVPN
client authentication list USER
isakmp authorization list GROUP
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set EZVPN_SET esp-aes esp-sha-hmac
!
crypto ipsec profile EZVPN_PROFILE
set transform-set EZVPN_SET
set isakmp-profile EZVPN_PROFILE
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$
ip address 192.168.1.240 255.255.255.0
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile EZVPN_PROFILE
!
interface Vlan1
ip address 10.1.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool EZVPN_POOL 10.10.0.10 10.10.0.20
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet4 overload
!
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
snmp-server community public RO
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password klnkmkl
!
scheduler max-task-time 5000
end
07-02-2016 01:47 PM
Please exclude the LAN-to-VPN-client traffic from NAT like in this example:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14123-25.html
07-03-2016 08:59 AM
Can you help me? What do I have to do in my config? My conf is a bit different from the example.
Thank you very much!
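The NAT exemption the reply asks for, applied to the posted configuration, as an added example (not code from the thread or from the linked Cisco document). It assumes the LAN 10.1.0.0/24 on Vlan1, the VPN pool 10.10.0.0/24 from the posted EZVPN_POOL, and NAT overload on FastEthernet4 through access-list 100 exactly as shown above; step 2 is an assumption about how the "all traffic through the tunnel" goal is usually completed on IOS.

```cisco
! Added example, not from the thread or the linked Cisco document.
! Assumptions: LAN 10.1.0.0/24 on Vlan1, VPN pool 10.10.0.0/24 (from
! "ip local pool EZVPN_POOL 10.10.0.10 10.10.0.20"), NAT overload on
! FastEthernet4 via access-list 100, as in the posted running-config.
!
! 1. Rebuild access-list 100 so LAN -> VPN-client traffic is denied
!    (i.e. exempted from NAT) before the catch-all permit. IOS evaluates
!    ACL entries top-down, so the deny must come first or it never matches.
no access-list 100
access-list 100 remark SDM_ACL Category=2
access-list 100 deny   ip 10.1.0.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
!
! 2. (Assumption about the "all traffic through the tunnel" goal.)
!    Mark the decrypted client traffic as NAT-inside and allow the pool
!    to be translated when it exits FastEthernet4, so clients reach the
!    Internet and the 192.168.1.0/24 ISP LAN with source 192.168.1.240.
!    VPN-client -> 10.1.0.0/24 traffic exits Vlan1 (also NAT-inside),
!    so it is never translated and replies return through the tunnel.
access-list 100 permit ip 10.10.0.0 0.0.0.255 any
interface Virtual-Template1 type tunnel
 ip nat inside
!
! 3. Drop translations built under the old ACL so the change applies now.
clear ip nat translation *
!
! 4. Verify: the deny entry should show hit counts for LAN -> client
!    traffic, and only pool/LAN -> Internet flows should appear in the
!    translation table.
show access-lists 100
show ip nat translations
```

Because the group EZVPN has no split-tunnel ACL, the client already sends all traffic into the tunnel; without step 2 that traffic arrives at the router but has no valid path back from the Internet or the ISP LAN.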