Remote Access VPN ping and nat blocked to and from tunnel vpn

r_m (Level 1)

Hi everyone, I set up a Remote Access VPN on an ISR897va:

- the external client can connect;

- I can ping from the external client to the router, and from the router to the client connected to the VPN tunnel;

- I cannot ping between an internal client and the external client;

- also, when the VPN client connects, it loses its internet connection.

Thank you all


Hi,
I imagine the problem is either NAT or ACL.
Ensure that traffic from your VPN Pool to your local LAN networks is not natted.
You will need to ensure the VPN Pool is included in the NAT ACL.

Please provide your configuration so we can determine what the exact issue is.

HTH

Hi, thanks for the help, I tried to add routing and acl but without success.
I attach the clean configuration.
Thanks again

In your "nat-list" ACL, you have your deny ACE under the permit, which basically means the deny is doing nothing. Place the deny statement above the permit to ensure it works as expected. You'll probably need "ip nat inside" defined on the virtual-template for internet access.

You appear to have ZBFW configured; disable this until you've got the NAT working as expected, to make sure you aren't inadvertently blocking traffic. Once you have established connectivity, re-enable it.

Hi, with the attached configuration I can ping from the inside to the VPN and in reverse, but still no NAT.

Hi,

    1. Use the following config for NAT:

    object-group network vpn_pool
     192.168.100.0 255.255.255.0
    !
    ip access-list extended nat-list
     no permit ip object-group local_lan_subnets any
     deny ip object-group local_lan_subnets object-group vpn_pool
     permit ip object-group local_lan_subnets any

    2. Temporarily remove your ZBFW configuration (just remove the "zone-member" commands from the interfaces). Also, your ZBFW policy doesn't really make sense, as within your first class-map you're already inspecting everything, based on the ACL used. Anyway, this is a further discussion, once NAT is fixed. Usually, a simple ZBFW policy would mean that you inspect all TCP, UDP and ICMP from LAN-->WAN, and restrict it the other way around, from WAN-->LAN.

 

Regards,

Cristian Matei.

Hi, thanks for the reply. I attach the latest configuration, but I still don't get NAT.
I'm definitely doing something wrong.
Regards

Hi, I have now found the error. It was missing:

    permit ip object-group vpn_remote_subnets any

Thanks for everything.
Regards
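To make the two fixes in this thread concrete (the deny ACE having to sit above the permit, and the VPN pool needing its own permit so that pool-to-internet traffic is translated), here is an added example that is not from the original posts or from Cisco: a small first-match evaluator for the IOS-style "nat-list" ACL. It parses only the subset of syntax used above (network object-groups with one-line subnet members, `permit`/`deny ip <src> <dst>` with `any` or `object-group` endpoints, and `no` to remove an ACE), applies the ACEs top-down the way IOS does, and reports whether a given flow would hit the NAT statement that references the ACL. The prefixes (LAN 192.168.1.0/24, pool 192.168.100.0/24), the `local_lan_subnets`/`vpn_pool` group names and the sample flows are constructed assumptions chosen to mirror the thread; the final `permit ip object-group vpn_pool any` plays the role of the poster's `vpn_remote_subnets` line. It does not model ZBFW, `ip nat inside` on the Virtual-Template, or the `ip nat inside source list ... overload` statement itself, all of which still have to be in place.

```python
"""First-match evaluator for a minimal IOS 'nat-list' ACL (added example, not from the thread)."""
import ipaddress
from typing import Dict, List, Tuple, Union

Spec = Union[str, Tuple[str, str]]   # "any" or ("object-group", <name>)
Ace = Tuple[str, Spec, Spec]         # (action, src, dst)


def _endpoint(tokens: List[str]) -> Tuple[Spec, List[str]]:
    """Consume one ACE endpoint: 'any' or 'object-group <name>'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "object-group":
        return ("object-group", tokens[1]), tokens[2:]
    raise ValueError(f"unsupported endpoint syntax: {' '.join(tokens)}")


def parse(config: str):
    """Parse network object-groups and one extended ACL from an IOS-style config fragment."""
    groups: Dict[str, List[ipaddress.IPv4Network]] = {}
    aces: List[Ace] = []
    group = None
    in_acl = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if t[:2] == ["object-group", "network"]:
            group, in_acl = t[2], False
            groups[group] = []
        elif t[:2] == ["ip", "access-list"]:
            group, in_acl = None, True
        elif in_acl:
            negate = t[0] == "no"
            if negate:
                t = t[1:]
            action, rest = t[0], t[2:]        # t[1] is the protocol, always 'ip' here
            src, rest = _endpoint(rest)
            dst, _ = _endpoint(rest)
            ace: Ace = (action, src, dst)
            if negate:                        # 'no <ace>' removes that entry
                if ace in aces:
                    aces.remove(ace)
            elif ace not in aces:             # IOS refuses duplicate ACEs
                aces.append(ace)              # new ACEs land at the bottom: order matters
        elif group is not None:
            # object-group member lines use '<network> <netmask>'
            groups[group].append(ipaddress.ip_network(f"{t[0]}/{t[1]}"))
    return groups, aces


def _matches(spec: Spec, addr: str, groups) -> bool:
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in groups[spec[1]])


def is_translated(groups, aces: List[Ace], src: str, dst: str) -> bool:
    """First matching ACE decides: permit => NAT applies, deny or no match => no translation."""
    for action, s, d in aces:
        if _matches(s, src, groups) and _matches(d, dst, groups):
            return action == "permit"
    return False


# Constructed configs. BROKEN is the shape the thread started with: deny below the permit.
BROKEN = """
object-group network local_lan_subnets
 192.168.1.0 255.255.255.0
object-group network vpn_pool
 192.168.100.0 255.255.255.0
!
ip access-list extended nat-list
 permit ip object-group local_lan_subnets any
 deny ip object-group local_lan_subnets object-group vpn_pool
"""

# FIXED re-enters the ACL as the replies suggest, plus the pool permit the poster was missing.
FIXED = BROKEN + """
ip access-list extended nat-list
 no permit ip object-group local_lan_subnets any
 deny ip object-group local_lan_subnets object-group vpn_pool
 permit ip object-group local_lan_subnets any
 permit ip object-group vpn_pool any
"""

# Constructed sample flows (203.0.113.10 stands in for an internet host).
FLOWS = {
    "lan_to_vpn": ("192.168.1.10", "192.168.100.5"),
    "lan_to_internet": ("192.168.1.10", "203.0.113.10"),
    "vpn_to_internet": ("192.168.100.5", "203.0.113.10"),
}


def evaluate(config: str) -> Dict[str, bool]:
    """Map each sample flow to whether the NAT ACL would translate it."""
    groups, aces = parse(config)
    return {name: is_translated(groups, aces, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, evaluate(cfg))
```

With the broken ordering, LAN-to-pool traffic is translated (so the VPN client sees the router's address and replies never reach the inside host) while pool-to-internet traffic matches nothing and is not translated, which is exactly the "VPN client loses internet" symptom. With the deny on top and the pool permitted, LAN-to-pool is exempt and both LAN and pool reach the internet through NAT.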
