03-15-2012 04:47 PM
Hi,
I have just set up a remote access IPsec VPN server on my Cisco 887 and am experiencing an issue, and was wondering if anyone would be able to help.
I can get connected to the VPN ok through the Cisco VPN client but I am unable to access the internal network. I get an IP address from the VPN pool in the 192.168.10.0 range. I am unable to ping or access the router or any other devices on the 192.168.1.0 network.
I'm sure I have just made a simple mistake as this is the first VPN I have set up. Any help would be greatly appreciated.
I have attached my config to this post
Thanks
Chris
03-15-2012 07:58 PM
Hi there,
Please remove the ACL highlighted below.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
Now create a new ACL.
ip access-list extended PAT_ACL
deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list PAT_ACL interface Dialer0 overload
Let me know if this helps.
thanks
Rizwan Rafeek
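An added example to illustrate the point of the reply above (this is not Rizwan's code or anything from the original config, and the host addresses are constructed): a small Python model of how an "ip nat inside source list" ACL decides which packets get translated. Without the deny entry, a LAN host's replies to a VPN client fall under the permit and get PATed out of Dialer0, so they never come back through the tunnel; the two-line PAT_ACL exempts LAN-to-pool traffic first and still translates everything else.

```python
import ipaddress

# Added example: models how a Cisco IOS "ip nat inside source list" ACL decides
# which packets get translated. Entries are (action, source, destination) in
# the order they appear in the ACL; evaluation is first-match with an
# implicit deny at the end. A "permit" means the packet IS translated (PAT to
# Dialer0 in the thread's config); a "deny" means NAT leaves it alone.

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Cisco address/wildcard pair (1 bits = don't care) to a network."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    # Only contiguous wildcards map cleanly onto a prefix length.
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)

def parse_match(spec: str) -> ipaddress.IPv4Network:
    """'any' or 'A.B.C.D W.X.Y.Z' exactly as written in the ACL."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, wildcard = spec.split()
    return wildcard_to_network(addr, wildcard)

# The thread's original standard ACL 1: everything from the LAN is translated.
ACL_ORIGINAL = [
    ("permit", "192.168.1.0 0.0.0.255", "any"),
]

# The replacement PAT_ACL from the reply: exempt LAN-to-VPN-pool traffic first.
ACL_PAT = [
    ("deny",   "192.168.1.0 0.0.0.255", "192.168.10.0 0.0.0.255"),
    ("permit", "192.168.1.0 0.0.0.255", "any"),
]

def nat_translates(acl, src: str, dst: str) -> bool:
    """True if the NAT ACL would translate a packet from src to dst."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_spec, dst_spec in acl:
        if s in parse_match(src_spec) and d in parse_match(dst_spec):
            return action == "permit"
    return False  # implicit deny: not translated

def vpn_return_path_ok(acl, lan_host="192.168.1.50", vpn_client="192.168.10.5") -> bool:
    """Replies from a LAN host to a VPN client must NOT be translated, or they
    leave via the Dialer0 public address and never reach the tunnel.
    Host addresses are constructed for the example."""
    return not nat_translates(acl, lan_host, vpn_client)

if __name__ == "__main__":
    for name, acl in (("ACL 1", ACL_ORIGINAL), ("PAT_ACL", ACL_PAT)):
        print(f"{name}: LAN->VPN client translated? "
              f"{nat_translates(acl, '192.168.1.50', '192.168.10.5')}, "
              f"LAN->Internet translated? "
              f"{nat_translates(acl, '192.168.1.50', '203.0.113.10')}")
```

Running it shows ACL 1 translating both flows, while PAT_ACL translates only the Internet-bound one; the order of the two lines matters, since a permit placed first would match the VPN-bound packets before the deny is ever reached.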
03-16-2012 06:13 AM
FYI...
Last note: please be sure to do this from inside the network, or via SSH/Telnet to the public address, because when you remove both highlighted lines above, all xlates will be disconnected.
Thanks
Rizwan Rafeek
03-16-2012 11:07 AM
Hi Rizwan,
Thanks for the reply. I applied your suggested fix but no joy. Thanks for the warning about kicking myself out; I read through the commands and thought that might happen.
Could it be due to my current local network being 192.168.1.0/24, the same as the remote network?
Thanks
Chris
03-18-2012 02:05 AM
"Could it be due to my current local network being 192.168.1.0/24, the same as the remote network?"
Answer is no.
Try to apply the solution I suggested by temporarily removing the Zone-Based Firewall; it should work then, and once it is working you will know for sure that your ZBF is causing the problem, so you can then customize the ZBF as per your need.
Hope that helps.
Thanks
Rizwan Rafeek
03-18-2012 03:10 PM
Do you know if there is an easy way to disable the firewall without removing all my firewall config?
03-18-2012 03:31 PM
Please remove the three highlighted lines from three of your interfaces on the router.
interface Dialer0
zone-member security out-zone
interface Vlan2
zone-member security in-zone
interface Virtual-Template2 type tunnel
zone-member security vpn-zone
Lastly, if you have a layer 3 switch, please make sure you have a static route in place on the inside switch as shown below.
ip route 192.168.10.0 255.255.255.0 192.168.1.1
If you do not have a layer 3 switch inside your network, then do not worry about the static route.
thanks
Please rate helpful post.
thanks
Rizwan Rafeek
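An added example, not from the thread or the router's actual config, that models the Zone-Based Firewall behaviour behind the "remove zone-member" test above. The three interface-to-zone assignments come from the posted lines; the zone-pairs are a constructed assumption (the thread never shows them), chosen to represent a typical LAN-to-Internet-only policy. The model shows why traffic from Virtual-Template2 (vpn-zone) toward Vlan2 (in-zone) is dropped by default, why stripping the zone membership makes it flow, and what the "customize ZBF as per your need" step looks like: a vpn-zone to in-zone zone-pair with an inspect policy.

```python
# Added example: a minimal model of Cisco IOS Zone-Based Firewall forwarding
# decisions, used to check why VPN-client traffic cannot reach the LAN.
# Rules modelled (IOS ZBF defaults):
#   - traffic between two interfaces in the same zone is allowed;
#   - traffic between interfaces in different zones needs a zone-pair whose
#     policy is "inspect" or "pass" (inspect is stateful, so only the
#     initiating direction needs a pair);
#   - traffic between a zone member and an interface in no zone is dropped;
#   - traffic between two interfaces in no zone is allowed.

# Interface-to-zone mapping taken from the lines posted in the thread.
ZONES_ORIGINAL = {
    "Dialer0": "out-zone",
    "Vlan2": "in-zone",
    "Virtual-Template2": "vpn-zone",
}

# Zone-pairs are NOT shown in the thread; this list is a constructed
# assumption representing a "LAN to Internet only" policy.
ZONE_PAIRS_ASSUMED = [
    ("in-zone", "out-zone", "inspect"),
]

def flow_allowed(zones, zone_pairs, ingress_if, egress_if) -> bool:
    """Decide whether a flow initiated on ingress_if may leave via egress_if."""
    src_zone = zones.get(ingress_if)
    dst_zone = zones.get(egress_if)
    if src_zone == dst_zone:           # same zone, or both unzoned
        return True
    if src_zone is None or dst_zone is None:
        return False                   # zoned <-> unzoned is dropped
    for src, dst, action in zone_pairs:
        if (src, dst) == (src_zone, dst_zone):
            return action in ("inspect", "pass")
    return False                       # no zone-pair: default drop

def without_zone_membership(zones):
    """The reply's test: 'no zone-member security' on every interface."""
    return {ifname: None for ifname in zones}

def with_vpn_to_lan_pair(zone_pairs):
    """A constructed customization: allow flows initiated from the VPN zone
    into the LAN zone (the reverse direction rides on inspect state)."""
    return list(zone_pairs) + [("vpn-zone", "in-zone", "inspect")]

def diagnose(zones, zone_pairs):
    """Summarize the three flows that matter for this thread."""
    return {
        "vpn_client_to_lan": flow_allowed(zones, zone_pairs, "Virtual-Template2", "Vlan2"),
        "lan_to_internet": flow_allowed(zones, zone_pairs, "Vlan2", "Dialer0"),
        "internet_to_lan": flow_allowed(zones, zone_pairs, "Dialer0", "Vlan2"),
    }

if __name__ == "__main__":
    print("as posted:        ", diagnose(ZONES_ORIGINAL, ZONE_PAIRS_ASSUMED))
    print("zone-members gone:", diagnose(without_zone_membership(ZONES_ORIGINAL), ZONE_PAIRS_ASSUMED))
    print("vpn->in pair added:", diagnose(ZONES_ORIGINAL, with_vpn_to_lan_pair(ZONE_PAIRS_ASSUMED)))
```

The middle run is the state the reply asks for as a test: every flow passes, including unsolicited Internet-to-LAN, which is why it is only a diagnostic step. The last run keeps the firewall in place and opens just the VPN-to-LAN direction, which is the shape the final "customize ZBF" configuration should take.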