01-21-2013 11:02 AM - edited 02-21-2020 06:38 PM
Hi everybody,
First of all, my name is Bart, a young boy from the Netherlands, and English is not my strongest point at this time.
At this moment I'm studying for my first Cisco certificate -> CCNA.
Last week I configured a Cisco 881 router.
This router is configured for VoIP telephony and data.
The last task was to configure the router for VPN remote access with the VPN client.
It was my first time building a VPN, but it was a great learning process.
At this moment:
VLAN 1 (telephony) 192.168.3.X / 24
VLAN 2 (data) 192.168.1.X / 24
VPN: 192.168.5.X / 24
Last week the VPN was built correctly, and it is now possible to connect to the router with the VPN client.
But....
I can't ping my private network! When I ping the default gateway of the DATA VLAN, the response comes from the public IP address.
Example:
Pinging 192.168.1.1
Answer: 1.1.1.1 bytes=32 tijd=73 ms TTL=126.
The flash of my router is:
====================
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network VPN_CLIENT_GROUP local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-1771548405
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1771548405
revocation-check none
rsakeypair TP-self-signed-1771548405
!
!
crypto pki certificate chain TP-self-signed-1771548405
certificate self-signed 01
(CERTIFICATE)
quit
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.3.87
!
ip dhcp pool ccp-pool
import all
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
lease 0 2
!
!
ip domain name **
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
!
username admin privilege 15 secret 4 **********
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp client configuration group VPN_CLIENTS
key ******
dns 192.168.1.5
pool VPN_CLIENT_POOL
acl 110
!
!
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
!
!
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
set transform-set TRANS_3DES_SHA
!
!
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description WAN Verbinding
no ip address
duplex full
speed 10
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
description local-lan
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
no autostate
!
interface Vlan2
description local
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no autostate
!
interface Dialer0
no ip address
crypto map EXT_MAP
!
interface Dialer1
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username ****** password 0 ******
crypto map EXT_MAP
!
ip local pool VPN_CLIENT_POOL 192.168.5.1 192.168.5.10
ip forward-protocol nd
ip http server
ip http secure-server
!
no ip nat service sip udp port 5060
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.5 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.5 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.8 8080 interface Dialer1 8081
ip nat inside source static tcp 192.168.1.5 3389 interface Dialer1 3389
ip nat inside source static udp 192.168.1.21 54657 interface Dialer1 54657
ip nat inside source static tcp 192.168.1.50 2000 interface Dialer1 2000
ip nat inside source static tcp 192.168.1.50 80 interface Dialer1 8082
ip nat inside source static udp 192.168.1.50 2000 interface Dialer1 2000
ip nat inside source static udp 192.168.1.50 80 interface Dialer1 8082
ip nat inside source static tcp 192.168.1.5 3101 interface Dialer1 3101
ip nat inside source static tcp 192.168.1.5 10050 interface Dialer1 10050
ip nat inside source static tcp 192.168.1.6 10051 interface Dialer1 10051
ip nat inside source static tcp 192.168.1.7 10052 interface Dialer1 10052
ip nat inside source static tcp 192.168.1.5 25 interface Dialer1 25
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended NAT
ip access-list extended nat
!
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
!
end
01-21-2013 03:29 PM
Your NAT ACL needs to exempt the traffic between LAN and the VPN Pool as follows:
ip access-list extended 101
1 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
2 deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
Also, you would need to include 192.168.3.0/24 in your split tunnel ACL 110 if you need to access that subnet over the VPN:
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
Hope that helps.
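To see why the reply to the ping came back from the public address, here is an added example (not from either poster) that models IOS first-match evaluation of the NAT ACL 101 with wildcard masks, once as in the original config and once with the two deny entries from the answer in front. It assumes 1.1.1.1 stands for the Dialer1 address, as in the question, and that the converted entries keep IOS's default sequence numbers 10 and 20.

```python
import ipaddress

PUBLIC_IP = "1.1.1.1"  # stands for the negotiated Dialer1 address (as in the post)

def _addr(text):
    return int(ipaddress.IPv4Address(text))

def parse_ace(line):
    """Parse '[seq] permit|deny ip SRC WC|any DST WC|any' into
    (action, (src_base, src_wildcard), (dst_base, dst_wildcard))."""
    tok = line.split()
    if tok[0].isdigit():          # optional sequence number
        tok = tok[1:]
    action, rest = tok[0], tok[2:]  # tok[1] is the protocol ('ip')

    def take(r):
        if r[0] == "any":
            return (0, 0xFFFFFFFF), r[1:]
        return (_addr(r[0]), _addr(r[1])), r[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    return action, src, dst

def ace_matches(rule, addr):
    """IOS wildcard mask: a 1 bit means 'don't care' for that bit."""
    base, wildcard = rule
    return ((_addr(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def nat_source(acl_lines, src, dst):
    """First matching ACE decides: permit -> source is translated to the
    Dialer1 address (overload), deny or the implicit deny -> untouched."""
    for line in acl_lines:
        action, s_rule, d_rule = parse_ace(line)
        if ace_matches(s_rule, src) and ace_matches(d_rule, dst):
            return PUBLIC_IP if action == "permit" else src
    return src

# ACL 101 as posted: every LAN source going to anywhere is translated,
# including replies to the VPN pool 192.168.5.0/24.
ORIGINAL_ACL = [
    "permit ip 192.168.3.0 0.0.0.255 any",
    "permit ip 192.168.1.0 0.0.0.255 any",
]

# ACL 101 with the exemptions from the answer inserted first.
FIXED_ACL = [
    "1 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255",
    "2 deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255",
    "10 permit ip 192.168.3.0 0.0.0.255 any",
    "20 permit ip 192.168.1.0 0.0.0.255 any",
]
```

With the original ACL the echo reply from 192.168.1.1 to a VPN client in 192.168.5.0/24 leaves with source 1.1.1.1, which is exactly the address the question reports; with the exemptions in place it keeps its real source while Internet-bound traffic is still translated.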