01-17-2011 02:34 AM
Hi
I have set up a RA VPN to a Cisco 871 router. I am able to connect, but I don't seem
to have any local LAN access, and I am not able to connect to the internet.
I also configured the router as a DMVPN spoke; this is working as desired.
If anyone has an idea, please inform me. I attached the running configuration.
Thank You
Solved! Go to Solution.
01-17-2011 03:44 AM
Hi,
I suggest that you consult the following configuration guide that outlines split tunneling
Is this the only subnet that you want to be encrypted?
ip access-list extended splitremote
permit ip 192.168.254.0 0.0.0.255 any
If so, this ACL has not been applied in the crypto isakmp client configuration group configuration. Check the guide for details.
Also your NAT config is incomplete:
ip access-list extended NAT
The guide also explains how to exclude the VPN pool from being NATed.
See below from the guide:
!--- Enables Network Address Translation (NAT)
!--- of the inside source address that matches access list 111
!--- and gets PATed with the FastEthernet IP address.
ip nat inside source list 111 interface FastEthernet1/0 overload
!
!--- The access list is used to specify which traffic
!--- is to be translated for the outside Internet.
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
Please remember to rate all posts that are helpful.
01-17-2011 03:44 AM
You would need to configure NAT exemption for traffic between the local LAN towards the VPN ip pool subnet.
Currently you have the following:
ip nat inside source list 1 interface FastEthernet4 overload
ACL 1 is used for PAT traffic from LAN towards the Internet.
That needs to be changed to the following:
access-list 110 deny ip 192.168.254.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 110 permit ip 192.168.254.0 0.0.0.255 any
ip nat inside source list 110 interface FastEthernet4 overload
Then remove the existing NAT statement:
no ip nat inside source list 1 interface FastEthernet4 overload
If you would like to access the Internet while connected via VPN, you can configure split tunneling as follows:
access-list 120 permit ip 192.168.254.0 0.0.0.255 192.168.253.0 0.0.0.255
crypto isakmp client configuration group AKK
acl 120
That should resolve both your issues. Hope that helps.
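Added example (not from the thread or from Cisco): a small Python first-match evaluator for the numbered ACLs proposed in the two answers above (ACL 110 for NAT exemption, ACL 120 for split tunneling), so you can confirm offline which LAN flows get translated and which are pushed into the tunnel. The subnets are the ones quoted in the thread; the 203.0.113.1 host is a constructed Internet destination.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def _take_addr(tokens):
    """Consume one address spec: 'any' or '<network> <wildcard>'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list <n> permit|deny ip <src> <dst>' entries, in order."""
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # not an extended IP entry; ignore
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        rules.append((tok[2], src, dst))
    return rules

def evaluate(rules, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, (sn, sw), (dn, dw) in rules:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"

# ACL 110 as proposed in the answer: translate LAN traffic except LAN -> VPN pool.
NAT_ACL = parse_acl([
    "access-list 110 deny ip 192.168.254.0 0.0.0.255 192.168.253.0 0.0.0.255",
    "access-list 110 permit ip 192.168.254.0 0.0.0.255 any",
])
# ACL 120 as proposed: only LAN <-> pool flows go through the tunnel; the rest
# leaves the client directly (split tunneling).
SPLIT_ACL = parse_acl([
    "access-list 120 permit ip 192.168.254.0 0.0.0.255 192.168.253.0 0.0.0.255",
])

def is_natted(src, dst):   # permit in a NAT ACL means "translate"
    return evaluate(NAT_ACL, src, dst) == "permit"

def is_tunneled(src, dst): # permit in the split-tunnel ACL means "encrypt"
    return evaluate(SPLIT_ACL, src, dst) == "permit"
```

With ACL 110 in place, a reply from 192.168.254.7 to a VPN client in the pool is left untranslated, while the same host's traffic to 203.0.113.1 is still PATed to FastEthernet4.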
01-17-2011 04:01 AM
Jennifer and Sean, thank you for your input. Now
I can ping the default gateway of VLAN 1, but I still cannot ping
other clients in the network.
If you have an idea, please let me know.
Thank You
01-17-2011 04:19 AM
Can you please share the latest configuration?
And also, the hosts that you are trying to ping: do they happen to have a personal firewall enabled? It will normally block inbound connections from different subnets.
01-17-2011 04:36 AM
01-17-2011 04:43 AM
What is the ip address of the shared folder? Can you access it by ip address? Is it configured to allow access from different subnets? Are you able to ping it? Can you try to telnet on port 445 to your shared folder from CMD prompt, and what is the result?
01-17-2011 04:58 AM
Hi
The IP is 192.168.254.7, and I can't ping or telnet or do anything else to
connect to the server's shared folders.
01-17-2011 05:02 AM
Is there any personal firewall/antivirus solution, etc on the shared folder that might be blocking the connection?
Are you able to ping any other hosts in the same subnet? Do you have a switch with a VLAN interface configured in 192.168.254.0/24 that you can test, to see if you can ping it or telnet to it? I just want to see if it's a host problem or a VPN issue.
Can you please share the output of "show cry ipsec sa" from the router?
01-17-2011 05:10 AM
Rebooting the router did the trick, thank you for all the help.
01-21-2011 05:04 AM
Hi
One last question: is there also a way that I can have internet through the VPN router (without split tunneling), like
hairpinning the internet through my VPN router at the office?
I hope you understand what I mean.
Thank you