Remote access VPN no LAN access

Portus92
Level 1
Hi,


The VPN connection is working, but I am not able to ping a laptop in VLAN 10 (10.0.10.11) from the remote user (192.168.50.2).

I also can't ping the VPN user from the router.


Interface: Dialer1
Username: uservpn
Group: groupVPN
Assigned address: 192.168.50.2
Session status: UP-ACTIVE     
Peer: 1xx.1xx.183.216 port 11953 
  Session ID: 0  
  IKEv1 SA: local xx.200.170.xxx/4500 remote 1xx.1xx.183.216/11953 Active 
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.50.2 
        Active SAs: 2, origin: dynamic crypto map


hostname RLab
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login userVPN local
aaa authorization network groupVPN local 
!
!
aaa session-id common
ethernet lmi ce
memory-size iomem 10
!
!

!
ip dhcp excluded-address 10.0.10.1 10.0.10.10
!
ip dhcp pool VLAN100
 network 10.0.10.0 255.255.255.0
 default-router 10.0.10.1 
 dns-server 1.1.1.1 
 domain-name lab.local
!
!
!
ip domain name rlab.local
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn xxx
!
!
username uservpn secret 5 $1$Sm4e$AcqCbzNJiTkA1LfaQH3Wo1
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp keepalive 10 3
crypto isakmp xauth timeout 5

!
crypto isakmp client configuration group groupVPN
 key ciscogroupvpn
 pool VPNPOOL
 acl VPNACL
 include-local-lan
!
!
crypto ipsec transform-set setVPN esp-aes esp-sha-hmac 
 mode tunnel
!
!
!
crypto dynamic-map dynamicVPN 10
 set transform-set setVPN 
 reverse-route
!
!
crypto map staticMap client authentication list userVPN
crypto map staticMap isakmp authorization list groupVPN
crypto map staticMap client configuration address respond
crypto map staticMap 10 ipsec-isakmp dynamic dynamicVPN 
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 10
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxx
 ppp chap password 0 xxx
 crypto map staticMap
!
ip local pool VPNPOOL 192.168.50.1 192.168.50.10
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip ssh version 2
!
ip access-list extended VPNACL
 permit icmp any any
 permit ip any any
!
dialer-list 1 protocol ip permit
!
access-list 1 permit any

Do you have an idea?

Thanks.


Accepted Solution

Hi,
Possibly a NAT issue. Modify ACL 1 and ensure the first line of the ACL denies traffic from the local LAN to the VPN pool network. This will ensure traffic is not NATed between those networks.

HTH

2 Replies

Thanks a lot !


access-list 100 deny   ip 10.0.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 permit ip any any

It works :)
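To make the accepted answer concrete, here is the NAT change in full. This is an added example written for this page, not taken from the original post or from Cisco documentation; it reuses the interface names and addresses from the configuration above, and the named ACL NAT_INSIDE, the narrowed permit line and the re-pointed NAT statement (which the reply above does not show) are my choices.

```cisco
! Original policy from the posted config: every inside source leaving Dialer1
! is translated, including VLAN 10 replies destined for the VPN pool, so the
! echo reply to 192.168.50.2 is rewritten to the Dialer1 address and lost.
!   access-list 1 permit any
!   ip nat inside source list 1 interface Dialer1 overload
!
! Corrected policy. In a NAT ACL, "deny" means "do not translate", not "drop":
! VLAN 10 -> 192.168.50.0/24 keeps its real source address and is routed via
! the /32 that reverse-route injects for the connected client.
! The permit line is narrowed to the LAN subnet (assumption; the post used "any any").
ip access-list extended NAT_INSIDE
 deny   ip 10.0.10.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 10.0.10.0 0.0.0.255 any
!
! Re-point the overload translation at the new list. The old statement must be
! removed with the exact same arguments; stale entries are cleared afterwards.
no ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list NAT_INSIDE interface Dialer1 overload
!
! Verification from the router once the client reconnects:
!   show ip route 192.168.50.2
!     -> a /32 static route via Dialer1 (reverse-route), otherwise the SA is not up
!   clear ip nat translation *
!   show ip nat translations
!     -> no entry with inside local 10.0.10.11 and outside 192.168.50.x
!   show access-lists NAT_INSIDE
!     -> the deny line's match counter increases while the client pings 10.0.10.11
```

If the counters on the deny line stay at zero while the ping fails, the packets are not reaching the NAT ACL at all, which points at the laptop's host firewall or the client's split-tunnel list (VPNACL) rather than at translation.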
