Hi everyone, I generated a Remote VPN with an ISR897va:
- I can connect the external client;
- I can ping from the external client to the router and from the router to the client connected to the VPN tunnel;
- I cannot ping between the internal client and the external client;
- Also, when I connect, the VPN client loses its internet connection.
Thank you all
1. Use the following config for NAT:
object-group network vpn_pool
ip access-list extended nat-list
no permit ip object-group local_lan_subnets any
deny ip object-group local_lan_subnets object-group vpn_pool
permit ip object-group local_lan_subnets any
2. Temporarily remove your ZBFW configuration (just remove the "zone-member" commands from the interfaces). Also, your ZBFW policy doesn't really make sense, as within your first class-map you're already inspecting everything, based on the used ACL. Anyway, this is a further discussion, once NAT is fixed. Usually, a simple ZBFW policy would mean that you inspect all TCP, UDP and ICMP from LAN-->WAN, and restrict it the other way around, from WAN-->LAN.
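For reference, here is a complete version of the NAT-exemption configuration the reply above sketches, written as an added example rather than taken from the thread; the addresses, the Vlan1/Dialer1 interface names and the pool name are assumed placeholders.

```cisco
! Added example (not from the thread). Addresses and interface names are placeholders.
!
! Inside LAN subnet(s) and the address range handed to remote VPN clients
object-group network local_lan_subnets
 192.168.10.0 255.255.255.0
object-group network vpn_pool
 172.16.10.0 255.255.255.0
!
! Pool the remote clients draw their tunnel address from (must match vpn_pool)
ip local pool VPN_POOL 172.16.10.1 172.16.10.254
!
! NAT ACL: first match wins, so the deny for LAN -> VPN-pool traffic must come
! BEFORE the permit-any. If the permit-any comes first, LAN -> client packets are
! translated to the WAN address and the client never sees the reply it expects.
ip access-list extended nat-list
 deny   ip object-group local_lan_subnets object-group vpn_pool
 permit ip object-group local_lan_subnets any
!
! Translate everything that still matches nat-list behind the WAN interface address
ip nat inside source list nat-list interface Dialer1 overload
!
interface Vlan1
 ip nat inside
interface Dialer1
 ip nat outside
```

After applying it, "show ip nat translations" should show no entries for LAN hosts talking to 172.16.10.x addresses, while normal LAN-to-internet traffic is still translated.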
Hi, I have now found the error; it was missing:
permit ip object-group vpn_remote_subnets any
Thanks for everything.