01-03-2013 08:36 PM
I need to allow user access to the LAN when they connect to the VPN on the T1 interface. The router is also hosting NAT but I don't need the VPN tunnel to allow NAT for the connected users.
Local LAN
10.61.1.x 255.255.255.0
10.61.3.x 255.255.255.0
--------------Running Config--------------------
crypto isakmp client configuration group --Removed
 key ----REMOVED---
 pool SDM_POOL_2
 acl 102
 max-users 10
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
 match identity group SnowMaking
 client authentication list ciscocp_vpn_xauth_ml_1
 isakmp authorization list ciscocp_vpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
interface GigabitEthernet0/0
 description $ES_LAN$$ETH-LAN$$FW_INSIDE$
 ip address 10.61.1.250 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0:0
 description $FW_OUTSIDE$
 ip address (Public.IP) 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
!
interface Virtual-Template1 type tunnel
 ip unnumbered Serial0/0/0:0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_2 10.61.10.2 10.61.10.12
ip forward-protocol nd
!
no ip http server
ip http access-class 98
ip http authentication local
ip http secure-server
!
ip nat pool local_lan 10.61.1.1 10.61.1.255 netmask 255.255.255.0
! port forwarding for a single PC
ip nat inside source static tcp 10.61.1.232 80 interface Serial0/0/0:0 80
ip nat inside source list nat interface Serial0/0/0:0 overload
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0 12.86.81.89
ip route 10.61.1.0 255.255.255.0 GigabitEthernet0/0 10.61.1.1
ip route 10.61.3.0 255.255.255.0 GigabitEthernet0/0 10.61.3.1 permanent
ip route 10.61.10.0 255.255.255.0 GigabitEthernet0/0 permanent
!
ip access-list extended nat
 remark CCP_ACL Category=2
 permit ip 10.0.0.0 0.255.255.255 any
!
access-list 98 remark HTTP Access-class list
access-list 98 remark CCP_ACL Category=1
access-list 98 permit 10.61.1.0 0.0.0.255
access-list 98 deny any
access-list 102 permit ip 10.61.1.0 0.0.0.255 10.61.10.0 0.0.0.255
access-list 102 permit ip 10.61.10.0 0.0.0.255 10.61.10.0 0.0.0.255
access-list 102 permit ip 10.61.3.0 0.0.0.255 10.61.10.0 0.0.0.255
01-04-2013 04:09 AM
The VPN Pool subnet should be on a completely different subnet than the inside LAN because otherwise, the internal host will try to proxy ARP for it and it will not work.
Please configure a unique subnet for the VPN client pool.
E.g. 192.168.88.0/24 for the VPN client pool.
Then the NAT ACL should also deny that traffic as follows so it doesn't get NATed:
ip access-list extended nat
 1 deny ip 10.0.0.0 0.255.255.255 192.168.88.0 0.0.0.255
Then you would also need to change your split tunnel ACL 102 to be as follows:
access-list 102 permit ip 10.61.1.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 102 permit ip 10.61.10.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 102 permit ip 10.61.3.0 0.0.0.255 192.168.88.0 0.0.0.255
Hope that helps.
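The answer relies on two IOS ACL behaviours: entries are evaluated first-match in sequence order, and a new entry given sequence 1 lands ahead of the existing permit (which IOS numbered 10). The following Python model of wildcard-mask matching and first-match evaluation is an added example, not code from the thread or from Cisco; it uses the thread's subnets with constructed host addresses and shows that the seq-1 deny exempts LAN-to-client traffic from NAT while Internet-bound traffic is still translated, and that the rewritten ACL 102 covers both inside LANs.

```python
import ipaddress
from typing import List, Tuple


def _take_spec(tokens: List[str]) -> str:
    """Pop one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return tokens.pop(0)
    if tokens[0] == "host":
        tokens.pop(0)
        return tokens.pop(0) + " 0.0.0.0"
    return tokens.pop(0) + " " + tokens.pop(0)


def parse_acl(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Parse 'ip' entries of an extended ACL into (seq, action, src, dst), ordered by
    sequence like IOS: lines without one get 10, 20, ... so '1 deny ...' lands first."""
    entries, auto_seq = [], 0
    for line in lines:
        tokens = line.split()
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else (auto_seq := auto_seq + 10)
        action, _proto = tokens.pop(0), tokens.pop(0)
        entries.append((seq, action, _take_spec(tokens), _take_spec(tokens)))
    return sorted(entries)


def _matches(spec: str, addr: str) -> bool:
    """IOS wildcard match: a 1 bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec.split())
    return (int(ipaddress.IPv4Address(addr)) & ~wild) == (base & ~wild)


def acl_action(lines: List[str], src: str, dst: str) -> str:
    """First matching entry wins; the implicit entry at the end of every ACL is deny."""
    for _seq, action, s, d in parse_acl(lines):
        if _matches(s, src) and _matches(d, dst):
            return action
    return "deny"


# Constructed flows mirroring the thread, not the poster's real addresses.
NAT_ACL_BEFORE = ["permit ip 10.0.0.0 0.255.255.255 any"]
NAT_ACL_AFTER = NAT_ACL_BEFORE + ["1 deny ip 10.0.0.0 0.255.255.255 192.168.88.0 0.0.0.255"]
SPLIT_ACL_102 = ["permit ip 10.61.1.0 0.0.0.255 192.168.88.0 0.0.0.255",
                 "permit ip 10.61.3.0 0.0.0.255 192.168.88.0 0.0.0.255"]

if __name__ == "__main__":
    print(acl_action(NAT_ACL_BEFORE, "10.61.1.20", "10.61.10.5"))   # permit: LAN reply to a client is NATed
    print(acl_action(NAT_ACL_AFTER, "10.61.1.20", "192.168.88.5"))  # deny: seq 1 exempts LAN->client from NAT
    print(acl_action(NAT_ACL_AFTER, "10.61.1.20", "203.0.113.10"))  # permit: Internet-bound traffic still NATed
    print(acl_action(SPLIT_ACL_102, "10.61.3.7", "192.168.88.5"))   # permit: both inside LANs reach the client
```

Only the `ip` protocol form of extended ACL entries is modelled; port-qualified `tcp`/`udp` entries are out of scope here.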