Velocity Reviews - Computer Hardware Reviews

EZVPN Server - clients connect but cannot pass traffic..

steran@dotalot.com
09-01-2005
Hi,

I've stared at this for too long and need a fresh set of eyes to
hopefully point me in the right direction. This router is performing
PAT for internet access and I'm trying to enable it as an EZVPN server.
Using the VPN client, I'm able to connect and bring up the tunnel.
However, once I'm in, I cannot pass traffic nor ping the router LAN
interface (on same subnet). Any thoughts?

Thanks for your help,
Spencer Teran


version 12.3
no parser cache
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname igw
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret xxx
!
username xxx password xxx
username zzz password zzz
aaa new-model
!
!
aaa authorization network biotxvpn local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
!
no ip domain lookup
ip domain name blah.blah
ip name-server public.ip
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group biotxvpn
key password
dns 192.168.0.11
wins 192.168.0.11
domain same.as.internal.hosts
pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
!
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
!
!
!
crypto map dynmap isakmp authorization list biotxvpn
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Loopback0
ip address 209.x.x.x 255.255.255.255
ip nat outside
crypto map dynmap
!
interface FastEthernet0/0
description Ethernet LAN
ip address 192.168.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
crypto map dynmap
!
interface Serial0/0
description Internet WAN
ip address 10.0.36.170 255.255.255.252
ip nat outside
encapsulation ppp
no fair-queue
service-module t1 timeslots 1-24
crypto map dynmap
!
ip local pool dynpool 192.168.0.100 192.168.0.120
ip nat inside source list 1 interface Loopback0 overload
ip nat inside source static tcp 192.168.0.68 80 209.z.z.z 80 extendable
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
no cdp run
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
password xxx
!
!
!
end

dt1649651@yahoo.com
09-01-2005

wrote:
> Hi,
>
> I've stared at this for too long and need a fresh set of eyes to
> hopefully point me in the right direction. This router is performing
> PAT for internet access and I'm trying to enable it as an EZVPN server.
> Using the VPN client, I'm able to connect and bring up the tunnel.
> However, once I'm in, I cannot pass traffic nor ping the router LAN
> interface (on same subnet). Any thoughts?
>


I think you have to add the command "acl" under the definition of
"crypto isakmp client configuration group biotxvpn".

Something like:

crypto isakmp client configuration group biotxvpn
key password
dns 192.168.0.11
wins 192.168.0.11
domain same.as.internal.hosts
pool dynpool
acl vpn_routes

ip access-list extended vpn_routes
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

You may have to adjust vpn_routes so that it is appropriate for your
VPN permission.

DT

Spencer Teran
09-02-2005
Hi DT,

Thanks for your reply. Adding the ACL command under the isakmp client
config allows you to specify networks to encrypt (for split tunnel).
Without that ACL, all traffic gets passed through the tunnel. The
problem ended up being that the NAT was translating the VPN traffic as
well. I ended up modifying the NAT ACL to deny traffic from the VPN
chunk from getting translated.

Thanks,
Spencer Teran

wrote:
> wrote:
>
>>Hi,
>>
>>I've stared at this for too long and need a fresh set of eyes to
>>hopefully point me in the right direction. This router is performing
>>PAT for internet access and I'm trying to enable it as an EZVPN server.
>> Using the VPN client, I'm able to connect and bring up the tunnel.
>>However, once I'm in, I cannot pass traffic nor ping the router LAN
>>interface (on same subnet). Any thoughts?
>>

>
>
> I think you have to add the command "acl" under the definition of
> "crypto isakmp client configuration group biotxvpn".
>
> Smth like:
>
> crypto isakmp client configuration group biotxvpn
> key password
> dns 192.168.0.11
> wins 192.168.0.11
> domain same.as.internal.hosts
> pool dynpool
> acl vpn_routes
>
> ip access-list extended vpn_routes
> permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
>
> You may have to adjust vpn_routes so that it is appropriate for your
> VPN permission.
>
> DT
>

andu
12-05-2008
I think your nat list is not enough. You should switch to an extended one and set denys from your inside network to the remote networks and a final permit.
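Putting Spencer's fix and andu's suggestion into one fragment, as an added example that is not the config either of them posted: the standard list 1 is replaced by an extended ACL whose deny for LAN-to-VPN-pool traffic sits before the catch-all permit, so replies to EZVPN clients are never PAT'd to Loopback0. The list name NAT_INSIDE and the wildcard 192.168.0.96 0.0.0.31 (which covers the pool 192.168.0.100-120) are assumptions.

```cisco
! Assumed name NAT_INSIDE; the original config used the standard "access-list 1".
! IOS evaluates an ACL top down and stops at the first match, so the deny
! for VPN-bound traffic must come before the permit that feeds the PAT.
ip access-list extended NAT_INSIDE
 remark LAN to EZVPN client pool (192.168.0.100-120): leave untranslated
 deny   ip 192.168.0.0 0.0.0.255 192.168.0.96 0.0.0.31
 remark Everything else from the LAN is PAT'd to Loopback0 as before
 permit ip 192.168.0.0 0.0.0.255 any
!
! Re-point the overload translation at the new list
no ip nat inside source list 1 interface Loopback0 overload
ip nat inside source list NAT_INSIDE interface Loopback0 overload
```

After a client reconnects, `show ip nat translations` should no longer list entries whose outside address falls in the pool range.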