1709 Views · 0 Helpful · 1 Reply

Help with Easy VPN and NAT access list

jterveer84, Level 1

I need to allow user access to the LAN when they connect to the VPN on the T1 interface. The router is also hosting NAT but I don't need the VPN tunnel to allow NAT for the connected users.

Local LAN

10.61.1.x     255.255.255.0
10.61.3.x     255.255.255.0

--------------Running Config--------------------

crypto isakmp client configuration group --Removed
 key ----REMOVED---
 pool SDM_POOL_2
 acl 102
 max-users 10
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group SnowMaking
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
interface GigabitEthernet0/0
 description $ES_LAN$$ETH-LAN$$FW_INSIDE$
 ip address 10.61.1.250 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0:0
 description $FW_OUTSIDE$
 ip address (Public.IP) 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
!
interface Virtual-Template1 type tunnel
 ip unnumbered Serial0/0/0:0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
!
ip local pool SDM_POOL_2 10.61.10.2 10.61.10.12
ip forward-protocol nd
!
no ip http server
ip http access-class 98
ip http authentication local
ip http secure-server
!
ip nat pool local_lan 10.61.1.1 10.61.1.255 netmask 255.255.255.0
ip nat inside source static tcp 10.61.1.232 80 interface Serial0/0/0:0 80 (port forwarding for a single pc)
ip nat inside source list nat interface Serial0/0/0:0 overload
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0 12.86.81.89
ip route 10.61.1.0 255.255.255.0 GigabitEthernet0/0 10.61.1.1
ip route 10.61.3.0 255.255.255.0 GigabitEthernet0/0 10.61.3.1 permanent
ip route 10.61.10.0 255.255.255.0 GigabitEthernet0/0 permanent
!
ip access-list extended nat
 remark CCP_ACL Category=2
 permit ip 10.0.0.0 0.255.255.255 any
!
access-list 98 remark HTTP Access-class list
access-list 98 remark CCP_ACL Category=1
access-list 98 permit 10.61.1.0 0.0.0.255
access-list 98 deny   any
access-list 102 permit ip 10.61.1.0 0.0.0.255 10.61.10.0 0.0.0.255
access-list 102 permit ip 10.61.10.0 0.0.0.255 10.61.10.0 0.0.0.255
access-list 102 permit ip 10.61.3.0 0.0.0.255 10.61.10.0 0.0.0.255

1 Reply

Jennifer Halim, Cisco Employee

The VPN pool subnet should be on a completely different subnet than the inside LAN because otherwise the internal host will try to proxy ARP for it and it will not work.

Please configure a unique subnet for the VPN client pool.

E.g. 192.168.88.0/24 for the VPN client pool.

Then the NAT ACL should also deny that traffic as follows so it doesn't get NATed:

ip access-list extended nat
  1 deny ip 10.0.0.0 0.255.255.255 192.168.88.0 0.0.0.255

Then you would also need to change your split tunnel ACL 102 to be as follows:

access-list 102 permit ip 10.61.1.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 102 permit ip 10.61.10.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 102 permit ip 10.61.3.0 0.0.0.255 192.168.88.0 0.0.0.255

Hope that helps.
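The following is an added example, not code from either poster or from Cisco. It models the fix the reply recommends against the question's running config using Python's ipaddress module: it checks a candidate client pool against the two inside LAN subnets, evaluates a LAN-to-VPN-client packet against the `nat` ACL before and after the `deny` entry is inserted ahead of the overload `permit`, and renders the NAT-exemption and split-tunnel lines in IOS wildcard notation. The LAN subnets, the `permit ip 10.0.0.0 0.255.255.255 any` entry and the 192.168.88.0/24 prefix come from the thread; the pool host ranges, the "bad" in-LAN pool used as the negative case, and all function names are this example's own assumptions.

```python
"""Added example (not from the thread): model the Easy VPN pool / NAT-exemption fix.

Constructed inputs are marked below; helper names are this example's own.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# From the thread's running config.
LAN_SUBNETS = [ipaddress.ip_network(s) for s in ("10.61.1.0/24", "10.61.3.0/24")]
# 'ip access-list extended nat' as posted: a single 'permit ip 10.0.0.0 0.255.255.255 any'.
NAT_ACL_ORIGINAL = [("permit", ipaddress.ip_network("10.0.0.0/8"), ANY)]

# Pool prefix the reply suggests; the host range is assumed (thread gives only 192.168.88.0/24).
PROPOSED_POOL = ("192.168.88.2", "192.168.88.12", "255.255.255.0")
# Constructed negative case: a pool carved out of the inside LAN, which the reply warns against.
BAD_POOL = ("10.61.1.200", "10.61.1.210", "255.255.255.0")


def pool_network(first, last, netmask):
    """Subnet the pool lives in (the netmask pushed to clients); reject ranges that straddle it."""
    net = ipaddress.ip_network(f"{first}/{netmask}", strict=False)
    if ipaddress.ip_address(last) not in net:
        raise ValueError(f"pool {first}-{last} does not fit in {net}")
    return net


def overlapping_lans(pool_net, lans=LAN_SUBNETS):
    """LAN subnets the pool collides with; inside hosts would proxy-ARP for those addresses."""
    return [str(lan) for lan in lans if lan.overlaps(pool_net)]


def acl_action(acl, src, dst):
    """First-match evaluation, as IOS does it, with the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action
    return "deny"


def nat_acl_with_exemption(acl, pool_net):
    """Prepend 'deny <NAT source> -> pool' so it is hit before the overload permit."""
    exempt = [("deny", s_net, pool_net) for action, s_net, _ in acl if action == "permit"]
    return exempt + list(acl)


def wildcard(net):
    """IOS ACL notation: network followed by the inverse mask (/24 -> 0.0.0.255)."""
    return "any" if net == ANY else f"{net.network_address} {net.hostmask}"


def render_nat_acl(acl, name="nat"):
    """Render the ACL with explicit sequence numbers so the deny visibly precedes the permit."""
    lines = [f"ip access-list extended {name}"]
    for seq, (action, s_net, d_net) in enumerate(acl, start=1):
        lines.append(f"  {seq} {action} ip {wildcard(s_net)} {wildcard(d_net)}")
    return lines


def render_split_tunnel(pool_net, number=102, lans=LAN_SUBNETS):
    """Split-tunnel ACL: one permit per LAN subnet toward the client pool."""
    return [f"access-list {number} permit ip {wildcard(lan)} {wildcard(pool_net)}" for lan in lans]


if __name__ == "__main__":
    pool = pool_network(*PROPOSED_POOL)
    print("proposed pool", pool, "overlaps:", overlapping_lans(pool) or "none")
    print("bad pool overlaps:", overlapping_lans(pool_network(*BAD_POOL)))
    lan_host, vpn_client, internet = "10.61.1.50", str(pool[5]), "198.51.100.10"
    print("before fix, LAN -> VPN client:", acl_action(NAT_ACL_ORIGINAL, lan_host, vpn_client))
    fixed = nat_acl_with_exemption(NAT_ACL_ORIGINAL, pool)
    print("after fix,  LAN -> VPN client:", acl_action(fixed, lan_host, vpn_client))
    print("after fix,  LAN -> Internet:  ", acl_action(fixed, lan_host, internet))
    print("\n".join(render_nat_acl(fixed) + render_split_tunnel(pool)))
```

The point the matcher makes is ordering: with only the posted `permit ip 10.0.0.0 0.255.255.255 any`, a packet from 10.61.1.50 to a 192.168.88.x client matches the overload permit, which is why the reply inserts the `deny` at sequence 1; after that, LAN-to-client traffic is denied by the NAT ACL (so not translated) while LAN-to-Internet traffic still matches the permit.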