Help with Easy VPN and NAT access list

jterveer84
Level 1

I need to allow users access to the LAN when they connect to the VPN on the T1 interface. The router is also hosting NAT, but I don't need the VPN tunnel to allow NAT for the connected users.

Local LAN

10.61.1.x     255.255.255.0
10.61.3.x     255.255.255.0

--------------Running Config--------------------

crypto isakmp client configuration group --Removed
 key ----REMOVED---
 pool SDM_POOL_2
 acl 102
 max-users 10
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group SnowMaking
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
interface GigabitEthernet0/0
 description $ES_LAN$$ETH-LAN$$FW_INSIDE$
 ip address 10.61.1.250 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0:0
 description $FW_OUTSIDE$
 ip address (Public.IP) 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
!
interface Virtual-Template1 type tunnel
 ip unnumbered Serial0/0/0:0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
!
ip local pool SDM_POOL_2 10.61.10.2 10.61.10.12
ip forward-protocol nd
!
no ip http server
ip http access-class 98
ip http authentication local
ip http secure-server
!
ip nat pool local_lan 10.61.1.1 10.61.1.255 netmask 255.255.255.0
ip nat inside source static tcp 10.61.1.232 80 interface Serial0/0/0:0 80 (port forwarding for a single pc)
ip nat inside source list nat interface Serial0/0/0:0 overload
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0 12.86.81.89
ip route 10.61.1.0 255.255.255.0 GigabitEthernet0/0 10.61.1.1
ip route 10.61.3.0 255.255.255.0 GigabitEthernet0/0 10.61.3.1 permanent
ip route 10.61.10.0 255.255.255.0 GigabitEthernet0/0 permanent
!
ip access-list extended nat
 remark CCP_ACL Category=2
 permit ip 10.0.0.0 0.255.255.255 any
!
access-list 98 remark HTTP Access-class list
access-list 98 remark CCP_ACL Category=1
access-list 98 permit 10.61.1.0 0.0.0.255
access-list 98 deny   any
access-list 102 permit ip 10.61.1.0 0.0.0.255 10.61.10.0 0.0.0.255
access-list 102 permit ip 10.61.10.0 0.0.0.255 10.61.10.0 0.0.0.255
access-list 102 permit ip 10.61.3.0 0.0.0.255 10.61.10.0 0.0.0.255

1 Reply

Jennifer Halim
Cisco Employee

The VPN pool subnet should be on a completely different subnet from the inside LAN; otherwise the internal hosts will try to proxy-ARP for it and it will not work.

Please configure a unique subnet for the VPN client pool.

E.g.: 192.168.88.0/24 for the VPN client pool.

Then the NAT ACL should also deny that traffic as follows so it doesn't get NATed:

ip access-list extended nat
  1 deny ip 10.0.0.0 0.255.255.255 192.168.88.0 0.0.0.255

Then you would also need to change your split-tunnel ACL 102 to be as follows:

access-list 102 permit ip 10.61.1.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 102 permit ip 10.61.10.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 102 permit ip 10.61.3.0 0.0.0.255 192.168.88.0 0.0.0.255

Hope that helps.
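The two ACL changes in the reply above depend on IOS first-match semantics: the `deny` for LAN-to-pool traffic only keeps that traffic out of NAT if it sits before the broad `permit ip 10.0.0.0 0.255.255.255 any`. The following is an added example (not code from the thread, the poster, or Cisco) that converts Cisco address/wildcard pairs to networks, evaluates an ACL the way the router would (first match wins, implicit deny at the end), and checks the pool-overlap and split-tunnel conditions from the reply. The ACL lines and test addresses are constructed from the thread; `203.0.113.5` is a documentation address standing in for an Internet host.

```python
"""Model Cisco IOS NAT and split-tunnel ACL behaviour for the Easy VPN case above."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco address/wildcard pair (e.g. 10.0.0.0 0.255.255.255) to a network.

    A wildcard is the bitwise inverse of a netmask; ipaddress rejects
    non-contiguous masks, which IOS would otherwise silently accept.
    """
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(mask))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def _parse_spec(tokens, i):
    """Parse one source/destination spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(lines):
    """Parse extended ACL entries written either as 'access-list N ...' or as named-ACL lines.

    Remarks are skipped; an optional leading sequence number ('1 deny ...') is accepted.
    Returns a list of (action, protocol, src_network, dst_network) in configured order.
    """
    entries = []
    for line in lines:
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":        # numbered form: drop 'access-list 102'
            tokens = tokens[2:]
        if tokens[0].isdigit():               # named form with explicit sequence number
            tokens = tokens[1:]
        if tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_spec(tokens, 2)
        dst, _ = _parse_spec(tokens, i)
        entries.append((action, proto, src, dst))
    return entries


def acl_permits(acl, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end, as IOS does it."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, src, dst in acl:
        if s in src and d in dst:
            return action == "permit"
    return False


def pool_overlaps_lan(pool, lan_nets):
    """True if the VPN client pool shares address space with any inside LAN subnet."""
    return any(pool.overlaps(lan) for lan in lan_nets)


def split_tunnel_gaps(split_acl, lan_nets, pool):
    """Return the LAN subnets whose traffic to the pool is not permitted by the split-tunnel ACL.

    The check uses the first usable host of each subnet as a representative packet.
    """
    pool_host = str(pool.network_address + 1)
    return [str(lan) for lan in lan_nets
            if not acl_permits(split_acl, str(lan.network_address + 1), pool_host)]


# Constructed sample data taken from the thread.
LAN_NETS = [ipaddress.ip_network("10.61.1.0/24"), ipaddress.ip_network("10.61.3.0/24")]
POOL = ipaddress.ip_network("192.168.88.0/24")          # the pool suggested in the reply
ORIGINAL_NAT_ACL = ["remark CCP_ACL Category=2", "permit ip 10.0.0.0 0.255.255.255 any"]
FIXED_NAT_ACL = ["1 deny ip 10.0.0.0 0.255.255.255 192.168.88.0 0.0.0.255",
                 "permit ip 10.0.0.0 0.255.255.255 any"]
MISORDERED_NAT_ACL = list(reversed(FIXED_NAT_ACL))      # deny placed after the permit
SPLIT_ACL = ["access-list 102 permit ip 10.61.1.0 0.0.0.255 192.168.88.0 0.0.0.255",
             "access-list 102 permit ip 10.61.10.0 0.0.0.255 192.168.88.0 0.0.0.255",
             "access-list 102 permit ip 10.61.3.0 0.0.0.255 192.168.88.0 0.0.0.255"]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_NAT_ACL), ("fixed", FIXED_NAT_ACL),
                      ("misordered", MISORDERED_NAT_ACL)):
        print(f"{name:10s} LAN->VPN client NATed: "
              f"{acl_permits(parse_acl(acl), '10.61.1.10', '192.168.88.5')}")
    print("pool overlaps LAN:", pool_overlaps_lan(POOL, LAN_NETS))
    print("split-tunnel gaps:", split_tunnel_gaps(parse_acl(SPLIT_ACL), LAN_NETS, POOL))
```

Running it shows the original NAT ACL translating LAN-to-client traffic, the corrected ACL leaving it untranslated while Internet-bound traffic is still NATed, and the misordered variant behaving like the original, which is why the reply places the `deny` at sequence 1.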
