276 Views | 0 Helpful | 7 Replies

Beginner
Remote Access VPN ping and nat blocked to and from tunnel vpn

Hi everyone, I generated a Remote Access VPN with an ISR897va:

- I can connect the external client;

- I can ping from external to the router and from the router to the client connected to the VPN tunnel;

- I cannot ping between the internal client and the external client;

- Also, when I connect, the VPN client loses its internet connection.
Thank you all

7 REPLIES

VIP Advisor
Re: Remote Access VPN ping and nat blocked to and from tunnel vpn

Hi,
I imagine the problem is either NAT or ACL.
Ensure that traffic from your VPN pool to your local LAN networks is not NATed.
You will need to ensure the VPN pool is included in the NAT ACL.

Please provide your configuration so we can determine what the exact issue is.

HTH
Beginner
Re: Remote Access VPN ping and nat blocked to and from tunnel vpn

Hi, thanks for the help. I tried to add routing and an ACL, but without success.
I attach the clean configuration.
Thanks again

VIP Advisor
Re: Remote Access VPN ping and nat blocked to and from tunnel vpn

In your "nat-list" ACL, you have your deny ACE under the permit, which basically means the deny is doing nothing. Place the deny statement above the permit to ensure it works as expected. You'll probably need "ip nat inside" defined on the virtual-template for internet access.

You appear to have ZBFW configured; disable this until you've got the NAT working as expected, to make sure you aren't inadvertently blocking traffic. Once you have established connectivity, then re-enable it.
Beginner
Re: Remote Access VPN ping and nat blocked to and from tunnel vpn

Hi, with the attached configuration I ping from the inside to the VPN and the reverse, but still nothing with NAT.

Collaborator

Re: Remote Access VPN ping and nat blocked to and from tunnel vpn

Hi,

1. Use the following config for NAT:

object-group network vpn_pool
 192.168.100.0 255.255.255.0
!
ip access-list extended nat-list
 no permit ip object-group local_lan_subnets any
 deny ip object-group local_lan_subnets object-group vpn_pool
 permit ip object-group local_lan_subnets any

2. Temporarily remove your ZBFW configuration (just remove the "zone-member" commands from the interface). Also, your ZBFW policy doesn't really make sense, as within your first class-map you're already inspecting everything, based on the used ACL. Anyway, this is a further discussion, once NAT is fixed. Usually, a simple ZBFW policy would mean that you inspect all TCP, UDP and ICMP from LAN-->WAN, and restrict it the other way around, from WAN-->LAN.

Regards,

Cristian Matei.

Beginner
Re: Remote Access VPN ping and nat blocked to and from tunnel vpn

Hi, thanks for the reply. I attach the latest configuration, but I still don't get NAT.
I'm definitely doing something wrong.
Regards

Beginner
Re: Remote Access VPN ping and nat blocked to and from tunnel vpn

Hi, I have now found the error. It was missing:

permit ip object-group vpn_remote_subnets any

Thanks for everything.
A greeting
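The following is an added example assembled from the three points raised in this thread (deny ACE above the catch-all permit, "ip nat inside" on the virtual-template, and the final "permit ip object-group vpn_remote_subnets any"); it is not configuration posted by anyone in the thread nor taken from the ISR. The interface names GigabitEthernet0 (WAN), Vlan1 (LAN) and Virtual-Template1, the LAN prefix 10.10.10.0/24, and the contents of vpn_remote_subnets (assumed here to hold the VPN client pool) are assumptions; only vpn_pool 192.168.100.0/24 and the object-group and ACL names come from the thread.

```cisco
! Assumed LAN subnet (not from the thread)
object-group network local_lan_subnets
 10.10.10.0 255.255.255.0
!
! VPN client pool as given in the thread
object-group network vpn_pool
 192.168.100.0 255.255.255.0
!
! Assumption: the sources that must reach the internet through the VPN,
! i.e. the client pool itself (full-tunnel clients)
object-group network vpn_remote_subnets
 192.168.100.0 255.255.255.0
!
! The NAT ACL is evaluated top-down, first match wins.
! The exemption for LAN -> VPN-pool traffic must sit ABOVE the
! catch-all permit, otherwise it is never reached and LAN -> VPN
! packets get translated (the ordering bug discussed in the thread).
ip access-list extended nat-list
 deny   ip object-group local_lan_subnets object-group vpn_pool
 permit ip object-group local_lan_subnets any
 ! Without this line, VPN clients have no internet: their traffic
 ! never matches the NAT ACL (the line the OP found missing).
 permit ip object-group vpn_remote_subnets any
!
! Overload (PAT) on the WAN interface; interface name is an assumption
ip nat inside source list nat-list interface GigabitEthernet0 overload
!
interface Vlan1
 description LAN (assumed name)
 ip nat inside
!
! Decrypted VPN client traffic arrives on Virtual-Access interfaces
! cloned from this template, so it must be an inside interface too.
interface Virtual-Template1 type tunnel
 ip nat inside
!
interface GigabitEthernet0
 description WAN (assumed name)
 ip nat outside
```

Once applied, "show ip nat translations" should show entries for LAN and VPN-pool sources headed to the internet, and none for LAN addresses talking to 192.168.100.0/24. If the ZBFW zone-member commands are still present on the interfaces, test NAT first with them removed, as advised above, so a firewall drop is not mistaken for a NAT problem.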