No Local Lan Access

FreddyLoi
Level 1

Hi

I have set up a RA VPN to a Cisco 871 router. I am able to connect, but I don't seem to have any local LAN access, and I am not able to connect to the internet.


I also configured the router as a DMVPN spoke; this is working as desired.

If anyone has an idea, please inform me; I attached the running configuration.

Thank You

2 Accepted Solutions

sean_evershed
Level 7

Hi,

I suggest that you consult the following configuration guide, which outlines split tunneling:

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

Is this the only subnet that you want to be encrypted?

ip access-list extended splitremote
  permit ip 192.168.254.0 0.0.0.255 any

If so, this ACL has not been applied in the crypto isakmp client configuration group configuration. Check the guide for details.

Also your NAT config is incomplete:

ip access-list extended NAT

The guide also explains how to exclude the VPN pool from being NATed.

See below from the guide:


!--- Enables Network Address Translation (NAT)
!--- of the inside source address that matches access list 111
!--- and gets PATed with the FastEthernet IP address.
ip nat inside source list 111 interface FastEthernet1/0 overload
!
!--- The access list is used to specify which traffic
!--- is to be translated for the outside Internet.
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any

Please remember to rate all posts that are helpful.


Jennifer Halim
Cisco Employee

You would need to configure NAT exemption for traffic between the local LAN towards the VPN ip pool subnet.

Currently you have the following:

ip nat inside source list 1 interface FastEthernet4 overload

ACL 1 is used for PAT traffic from LAN towards the Internet.

That needs to be changed to the following:

!--- Deny (exempt from PAT) LAN-to-VPN-pool traffic first, then PAT everything else from the LAN.
access-list 110 deny ip 192.168.254.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 110 permit ip 192.168.254.0 0.0.0.255 any
ip nat inside source list 110 interface FastEthernet4 overload

Then remove the existing NAT statement:

no ip nat inside source list 1 interface FastEthernet4 overload

If you would like to access the Internet while connected via VPN, you can configure split tunneling as follows:

!--- Only LAN-to-pool traffic is pushed to the client as "encrypt"; everything else leaves the client unencrypted.
access-list 120 permit ip 192.168.254.0 0.0.0.255 192.168.253.0 0.0.0.255
crypto isakmp client configuration group AKK
 acl 120

That should resolve both your issues. Hope that helps.

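As an added example that is not part of this thread: a small Python evaluator for Cisco IOS-style wildcard-mask ACLs, used to check the point made in both accepted answers above (Sean's guide excerpt and Jennifer's ACL 110/120 lines), namely that LAN-to-pool traffic must hit a deny in the NAT list so it is not PATed, while the split-tunnel list still matches it. The body of the poster's ACL 1, the client address 192.168.253.10 and the Internet address 198.51.100.20 are assumptions; the other addresses and ACL lines are as posted.

```python
"""Added example (not from the original thread): first-match evaluation of
Cisco IOS numbered ACLs with wildcard masks, applied to the NAT-exemption and
split-tunnel lists discussed above."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ALL = 0xFFFFFFFF  # wildcard mask meaning "match any address"


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    src: int        # source network as a 32-bit integer
    src_wild: int   # IOS wildcard mask: a 1 bit means "don't care"
    dst: int
    dst_wild: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _addr_spec(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD') at tok[i].
    Returns (network, wildcard, index of the next token)."""
    if tok[i] == "any":
        return 0, ALL, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    if i + 1 < len(tok):
        return _ip(tok[i]), _ip(tok[i + 1]), i + 2
    return _ip(tok[i]), 0, i + 1          # bare address in a standard ACL = host


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list N permit|deny ...' lines.  Standard ACLs (source only)
    and extended 'ip' ACLs are supported; other lines are ignored."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action = tok[2]
        if tok[3] == "ip":                         # extended: source and destination
            src, src_wild, i = _addr_spec(tok, 4)
            dst, dst_wild, _ = _addr_spec(tok, i)
        else:                                      # standard: source only, any destination
            src, src_wild, _ = _addr_spec(tok, 3)
            dst, dst_wild = 0, ALL
        entries.append(AclEntry(action, src, src_wild, dst, dst_wild))
    return entries


def _matches(value: int, net: int, wild: int) -> bool:
    # Bits set in the wildcard are ignored; all remaining bits must be equal.
    return ((value ^ net) & ~wild & ALL) == 0


def permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; an ACL with no matching entry denies implicitly."""
    s, d = _ip(src), _ip(dst)
    for e in acl:
        if _matches(s, e.src, e.src_wild) and _matches(d, e.dst, e.dst_wild):
            return e.action == "permit"
    return False


def nat_translates(nat_acl: List[AclEntry], src: str, dst: str) -> bool:
    """'ip nat inside source list N interface X overload' rewrites a flow iff list N permits it."""
    return permits(nat_acl, src, dst)


def leaks_tunnelled_traffic(nat_acl, split_acl, lan_hosts, clients) -> List[Tuple[str, str]]:
    """Flows the split-tunnel ACL marks as encrypted but the NAT list would still PAT.
    Any entry here means replies to the VPN client leave with the outside interface address."""
    return [(h, c) for h in lan_hosts for c in clients
            if permits(split_acl, h, c) and nat_translates(nat_acl, h, c)]


# --- Scenario from the thread: addresses as posted, except where marked assumed ---
LAN_HOST = "192.168.254.7"        # the file server the poster could not reach
VPN_CLIENT = "192.168.253.10"     # assumed address from the 192.168.253.0/24 pool
INTERNET_HOST = "198.51.100.20"   # assumed stand-in for any Internet host

OLD_NAT_ACL = parse_acl(["access-list 1 permit 192.168.254.0 0.0.0.255"])   # assumed body of ACL 1
NEW_NAT_ACL = parse_acl([
    "access-list 110 deny ip 192.168.254.0 0.0.0.255 192.168.253.0 0.0.0.255",
    "access-list 110 permit ip 192.168.254.0 0.0.0.255 any",
])
SPLIT_ACL = parse_acl([
    "access-list 120 permit ip 192.168.254.0 0.0.0.255 192.168.253.0 0.0.0.255",
])

if __name__ == "__main__":
    print("ACL 1 PATs LAN->client:", nat_translates(OLD_NAT_ACL, LAN_HOST, VPN_CLIENT))
    print("ACL 110 PATs LAN->client:", nat_translates(NEW_NAT_ACL, LAN_HOST, VPN_CLIENT))
    print("ACL 110 PATs LAN->Internet:", nat_translates(NEW_NAT_ACL, LAN_HOST, INTERNET_HOST))
    print("leaks with ACL 1:", leaks_tunnelled_traffic(OLD_NAT_ACL, SPLIT_ACL, [LAN_HOST], [VPN_CLIENT]))
```

Running it shows why the original configuration breaks LAN access: with ACL 1, the server's reply to the VPN client is PATed to the FastEthernet4 address, so it never matches the client's IPsec SA; with ACL 110 the same flow hits the deny and is routed back into the tunnel untranslated, while LAN-to-Internet traffic is still PATed. The same evaluator can be pointed at the guide's ACL 111 from Sean's post.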

10 Replies


Jennifer and Sean, thank you for your input. Now I can ping the default gateway of VLAN 1, but I still cannot ping other clients in the network.

If you have an idea, please let me know.

Thank You

Can you please share the latest configuration?

And also, the hosts that you are trying to ping, do they happen to have a personal firewall enabled? It normally will block inbound connections from different subnets.

I can also not see the shared folders on my servers; I just get the message that the server is unreachable.

I have attached the running configuration.

Thank you

What is the IP address of the shared folder? Can you access it by IP address? Is it configured to allow access from different subnets? Are you able to ping it? Can you try to telnet on port 445 to your shared folder from a CMD prompt, and what is the result?

Hi

The IP is 192.168.254.7, and I can't ping or telnet or do anything else to connect to the server's shared folders.

Is there any personal firewall/antivirus solution, etc on the shared folder that might be blocking the connection?

Are you able to ping any other hosts in the same subnet? Do you have a switch with a VLAN interface configured in 192.168.254.0/24 that you can test, to see if you can ping it or telnet to it? Just want to see if it's a host problem or a VPN issue.

Can you please share the output of "show cry ipsec sa" from the router?

Rebooting the router did the trick, thank you for all the help.

Hi

One last question: is there also a way that I can have internet through the VPN router (without split tunneling), like hairpinning the internet through my VPN router at the office?

I hope you understand what I mean.

Thank you