03-21-2011 06:42 PM
I am trying to get this VPN Client (5.0.07.0410) to connect to the remote LAN behind the Cisco 1812. Here is my config. I am able to get everything connected and an IP assigned to the client, and can even ping the local LAN and the Internet, but can't ping the remote LAN behind the 1812. I feel it's a routing issue or an ACL issue. Please advise.
Thanks
SHUMAMKERRTR>en
Password:
SHUMAMKERRTR#sh run
Building configuration...
Current configuration : 2910 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SHUMAMKERRTR
!
boot-start-marker
boot-end-marker
!
enable secret 5 password
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.7.1 192.168.7.10
!
ip dhcp pool SHUMAKER
network 192.168.7.0 255.255.255.0
dns-server 192.168.7.1
default-router 192.168.7.1
!
!
ip domain name shumaker.nothing
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco privilege 15 secret 5 password
!
!
ip ssh rsa keypair-name SHUMAMKERRTR.shumaker.nothing
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group CRYPTOCLIENTS
key cisco123
dns 192.168.7.1
domain cisco.com
pool ippool
acl 108
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
!
crypto dynamic-map dynmap 1
description VPN Clients
set transform-set 3DES-SHA
!
!
crypto map VPNClients client authentication list userauthen
crypto map VPNClients isakmp authorization list groupauthor
crypto map VPNClients client configuration address respond
crypto map VPNClients 65535 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map VPNClients
!
interface FastEthernet0/1
ip address 192.168.7.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
ip local pool ippool 192.168.254.1 192.168.254.200
ip forward-protocol nd
!
ip dns server
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.7.2 1610 interface FastEthernet0/0 1610
ip nat inside source static tcp 192.168.7.2 1609 interface FastEthernet0/0 1609
ip nat inside source static tcp 192.168.7.3 6100 interface FastEthernet0/0 6100
ip nat inside source static tcp 192.168.7.2 3098 interface FastEthernet0/0 3098
ip nat inside source static tcp 192.168.7.3 3099 interface FastEthernet0/0 3099
!
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 108 permit ip 192.168.7.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 108 permit ip 192.168.254.0 0.0.0.255 192.168.7.0 0.0.0.255
no cdp run
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C SHUMAKER ROUTER ^C
banner motd ^C SHUMAKERS ROUTER ^C
!
line con 0
logging synchronous
line aux 0
line vty 0 4
no motd-banner
timeout login response 300
password 7 password
logging synchronous
transport preferred ssh
transport input ssh
!
!
end
SHUMAMKERRTR#
03-21-2011 08:55 PM
Here is what you need to configure:
access-list 110 deny ip 192.168.7.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 110 permit ip 192.168.7.0 0.0.0.255 any
ip nat inside source list 110 interface FastEthernet0/0 overload
no ip nat inside source list 1 interface FastEthernet0/0 overload
And lastly clear the existing translation: clear ip nat trans *
Hope that helps.
03-21-2011 09:10 PM
So why do you want to deny 192.168.7.0 access to the 192.168.254 network? What's the logic in this?
Thanks, I will try it.
03-21-2011 09:15 PM
You want to prevent traffic between the LAN and the VPN pool from being NATed, hence denying it from NAT.
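Added example, not part of the original thread: a small Python model of NAT ACL evaluation (wildcard masks, first match wins, implicit deny) showing that list 1 selects LAN-to-VPN-pool replies for overload while list 110 exempts them. The function names and the Internet destination 198.51.100.10 are constructed for illustration; the subnets and ACL entries are the ones posted above.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("192.168.7.0", "0.0.0.255")
VPN_POOL = ("192.168.254.0", "0.0.0.255")

# Entries are (action, source, destination). access-list 1 is a standard
# ACL that matches on source only, modelled here as destination "any".
ACL_1 = [("permit", LAN, ANY)]
ACL_110 = [("deny", LAN, VPN_POOL),
           ("permit", LAN, ANY)]

def nat_selected(acl, src, dst):
    """True if the NAT ACL selects src->dst for translation (first match wins)."""
    for action, (s_base, s_wc), (d_base, d_wc) in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action == "permit"
    return False  # implicit deny at the end of every ACL: not translated

def describe(acl, src, dst):
    """Human-readable outcome for one flow under one NAT ACL."""
    if nat_selected(acl, src, dst):
        return f"{src} -> {dst}: source rewritten to the FastEthernet0/0 address (overload)"
    return f"{src} -> {dst}: left untranslated"

if __name__ == "__main__":
    # Constructed sample flows: a LAN host replying to a VPN client,
    # and the same host reaching an Internet address.
    flows = [("192.168.7.2", "192.168.254.1"), ("192.168.7.2", "198.51.100.10")]
    for name, acl in (("list 1", ACL_1), ("list 110", ACL_110)):
        for src, dst in flows:
            print(f"[{name}] {describe(acl, src, dst)}")
```

With list 1 the reply to the VPN client is translated like any Internet-bound packet; with list 110 only the Internet-bound flow is translated.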