
I can't access my LAN by vpn from internet

israel2017
Level 1

Hi, everyone

I am configuring a router in order to allow remote access for roaming users. My problem is that I can't access the LAN.


Here is my router configuration:

ROUTEUR_V#sh run
Building configuration...

Current configuration : 2619 bytes
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ROUTEUR_V
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.8.1
ip dhcp excluded-address 192.168.8.3
ip dhcp excluded-address 192.168.8.4
ip dhcp excluded-address 192.168.8.5
!
ip dhcp pool vlan1
 network 192.168.8.0 255.255.255.0
 default-router 192.168.8.1
 dns-server xx.xx.xx.xx
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C881-K9 sn FCZ2032C180
!
!
username user password 7 1511021F0725
!
!
!
!
!
!
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 8.8.8.8
 domain fusion.local
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address xx.xx.xxx.xxx 255.255.255.240
 ip nat outside
 ip policy route-map VPN-Client
 no ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map clientmap
!
interface Vlan1
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip local pool ippool 192.168.8.3 192.168.8.5
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 xx.xx.xxx.xxx
!
!
route-map VPN-Client permit 10
 match ip address 144
 set ip next-hop xx.xx.xxx.xxx
!
access-list 101 permit ip any any
access-list 144 permit ip 192.168.8.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input all
!
scheduler allocate 20000 1000
!
end


Thanks

4 Replies

mikael.lahtela
Level 4
Hi,

Not sure, but here is what I think:
You are telling the router to NAT everything outgoing with this:
- ip nat inside source list 101 interface FastEthernet4 overload
- access-list 101 permit ip any any

Try adding a deny rule above the permit rule in ACL 101, with source any and destination your VPN network, so that traffic to your VPN clients is not NATed.

br, Micke
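To make the ordering point concrete, here is an added Python model of how IOS evaluates a NAT access list (first match wins, implicit deny at the end; "permit" means translate, "deny" means leave the packet untranslated). This is example code written for this thread, not Cisco's or the original poster's; the two ACL 101 variants are copied from the thread (the exemption form uses the 192.168.1.0/24 client pool from the updated configuration posted later), and the host addresses in the sample flows are constructed.

```python
import ipaddress

# ACL 101 as first posted: every source/destination pair is permitted,
# so every outbound packet (including LAN -> VPN client) is translated.
ACL_BEFORE = [
    "access-list 101 permit ip any any",
]

# ACL 101 with the NAT exemption placed ABOVE the permit, as suggested:
# LAN -> VPN pool is denied (not translated), everything else from the LAN
# is still translated.
ACL_AFTER = [
    "access-list 101 deny ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 permit ip 192.168.8.0 0.0.0.255 any",
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> dict:
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' (IP entries only)."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action = t[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line}")
    src_base, src_wc, i = _take_addr(t, 4)
    dst_base, dst_wc, _ = _take_addr(t, i)
    return {"action": action, "src": (src_base, src_wc), "dst": (dst_base, dst_wc)}


def nat_decision(acl_lines, src: str, dst: str):
    """Return ('translate' | 'no-nat', matching ACE text) for one flow."""
    for line in acl_lines:
        ace = parse_ace(line)
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ("translate" if ace["action"] == "permit" else "no-nat"), line
    return "no-nat", "implicit deny"


def report():
    """Evaluate a few constructed flows against both ACL versions."""
    flows = [
        ("192.168.8.10", "192.168.1.1"),   # LAN host -> VPN client
        ("192.168.8.10", "8.8.8.8"),       # LAN host -> Internet
        ("192.168.1.1", "192.168.8.10"),   # VPN client -> LAN host
    ]
    out = {}
    for name, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        for src, dst in flows:
            decision, ace = nat_decision(acl, src, dst)
            out[(name, src, dst)] = decision
            print(f"{name:6} {src:>13} -> {dst:<13} {decision:9} ({ace})")
    return out


if __name__ == "__main__":
    report()
```

The "before" run shows the LAN-to-client flow being translated to the FastEthernet4 address, which is why the client never sees a reply from a LAN host; the "after" run shows that same flow falling through to the deny entry and staying untranslated, while Internet-bound traffic still matches the permit. The evaluator stops at the first match, so the exemption only works if the deny line is listed before the permit, exactly as the reply says.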

Thanks, Micke.
I will try the solution.

Hi,
I have updated my configuration; here is the new one:
ROUTEUR_V#sh run
Building configuration...

Current configuration : 2824 bytes
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ROUTEUR_V
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.8.1
ip dhcp excluded-address 192.168.8.3
ip dhcp excluded-address 192.168.8.4
ip dhcp excluded-address 192.168.8.5
!
ip dhcp pool vlan1
 network 192.168.8.0 255.255.255.0
 default-router 192.168.8.1
 dns-server 81.91.236.71
!
!
!
ip cef
no ipv6 cef
!
parameter-map type urlf-glob facebook
 pattern facebook.com
 pattern *.facebook.com

!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C881-K9 sn FCZ2032C180
!
!
username user password 7 1511021F0725
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 8.8.8.8
 domain aubaine.local
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address xx.xxx.xxx.xxx
 ip nat outside
 no ip virtual-reassembly in
 ip policy route-map VPN-Client
 duplex auto
 speed auto
 crypto map clientmap
!
interface Vlan1
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip local pool ippool 192.168.1.1 192.168.1.6
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 xx.xxx.xxx.xxx
!
!
route-map VPN-Client permit 10
 match ip address 144
 set ip next-hop xx.xxx.xxx.xxx
!
access-list 101 deny ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
access-list 144 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input all
!
scheduler allocate 20000 1000
!
end

But I still get this error:
*Oct 18 09:46:11.509: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /255.255.255.255, src_addr= 192.168.1.1, prot= 17

Please, can somebody help me?