VPN terminating on 1841 but cannot route to internal LAN?

Discussion in 'Cisco' started by StevenY, Jun 14, 2006.

  1. StevenY Guest

    Hi All,

    I thought I'd start a new post with my conf for both units to see if anyone
    can point me in the right direction?

    LAYOUT
    ======

    INTERNET --> SOHO97 ----> CISCO1841 ------> LAN PC2 FROM 1841 (10.11.121.1)
    ---> LAN PC1 FROM SOHO (10.11.12.1)

    FROM THE ROUTER'S IOS I CAN PING 10.11.12.1 ---> FROM THE VPN CLIENT, WHICH TAKES A VPN
    POOL IP ADDRESS, I CANNOT.
    Also, running the newer Cisco Client app shows the VPN client's IP address from the POOL
    and the GATEWAY as the same IP address. Is this normal?

    EXTERNAL ROUTER 10.11.12.13 - SOHO97
    ======================================
    Router is 4 port switch with ADSL WAN
    ======================================
    10.11.12.1 PC PLUGGED INTO THIS ROUTER
    ======================================

    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static esp 10.11.12.14 interface Dialer1
    ip nat inside source static udp 10.11.12.14 500 interface Dialer1 500

    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 10.11.12.3 255.255.255.255 10.11.12.14
    ip route 10.11.12.4 255.255.255.255 10.11.12.14
    ip route 10.11.12.5 255.255.255.255 10.11.12.14
    ip route 10.11.12.14 255.255.255.255 Ethernet0
    ip route 10.11.121.15 255.255.255.255 10.11.12.14

    I've tried in here:
    ip route 10.11.12.1 255.255.255.255 Ethernet0 --- but no luck with this

    logging 10.11.12.1
    access-list 23 permit 10.11.12.0 0.0.0.255
    access-list 102 permit ip 10.11.12.0 0.0.0.255 any
    access-list 102 permit ip 10.11.121.0 0.0.0.255 any
    access-list 111 permit esp any any
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit udp any eq non500-isakmp host 10.11.12.14 eq non500-isakmp
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any time-exceeded
    access-list 111 deny icmp any any unreachable
    access-list 111 deny icmp any any echo
    access-list 111 deny icmp any any administratively-prohibited
    access-list 111 deny icmp any any packet-too-big
    access-list 111 deny icmp any any
    access-list 111 deny ip host 0.0.0.0 any log
    access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
    access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
    access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
    access-list 111 deny ip 224.0.0.0 31.255.255.255 any log
    access-list 111 deny ip 255.0.0.0 0.255.255.255 any log
    access-list 111 deny ip any any log

    INTERNAL ROUTER - 1841
    ========================================
    CISCO ROUTER WITH 2 ETHERNET PORTS
    ========================================

    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp policy 3
    encr 3des
    group 2
    !
    crypto isakmp client configuration group LAPD
    key XXXXXXXXXXXX
    dns XXXXXXXXXXXX
    pool SDM_POOL_1
    include-local-lan
    max-users 4
    max-logins 4
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto dynamic-map SDM_DYNMAP_1 1
    set transform-set ESP-3DES-SHA
    reverse-route
    !
    !
    crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !
    !
    !
    interface Null0
    no ip unreachables
    !
    interface FastEthernet0/0
    description OUTSIDE INTERFACE 10.11.12.14
    ip address 10.11.12.14 255.255.255.0
    ip access-group 101 in
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect DEFAULT100 out
    ip nat outside
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    no mop enabled
    crypto map SDM_CMAP_1

    !
    interface FastEthernet0/1
    description INSIDE INTERFACE 10.11.121.15
    ip address 10.11.121.15 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    no mop enabled

    !
    ip local pool SDM_POOL_1 10.11.12.3 10.11.12.5
    ip route 0.0.0.0 0.0.0.0 10.11.12.13 permanent
    ip route 10.11.12.1 255.255.255.255 10.11.12.13
    !!!!---> by adding this, my tracert to 10.11.12.1 from the client gets to
    10.11.12.13, whereas before it timed out after 10.11.12.14
    !

    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
    !

    logging trap debugging
    logging 10.11.12.1

    access-list 1 remark ======== HTTPS ACCESS ========
    access-list 1 permit 10.11.121.0 0.0.0.255
    access-list 1 deny any

    access-list 100 remark ======== INSIDE INTERFACE ACL =========
    access-list 100 deny ip any host 10.11.12.3
    access-list 100 deny ip any host 10.11.12.4
    access-list 100 deny ip any host 10.11.12.5
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any

    access-list 101 remark ======== OUTSIDE INTERFACE ACL ========
    access-list 101 permit esp any host 10.11.12.14
    access-list 101 permit ahp any host 10.11.12.14
    access-list 101 permit udp any host 10.11.12.14 eq non500-isakmp
    access-list 101 permit udp any host 10.11.12.14 eq isakmp
    access-list 101 permit ip host 10.11.12.1 any
    access-list 101 permit ip host 10.11.12.3 any
    access-list 101 permit ip host 10.11.12.4 any
    access-list 101 permit ip host 10.11.12.5 any
    access-list 101 permit ip host 10.11.12.13 any
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 permit tcp any eq www any
    access-list 101 permit tcp any eq 443 any
    access-list 101 permit udp host XXXXXXXXXX eq domain any
    access-list 101 permit udp host XXXXXXXXXX eq domain any
    access-list 101 deny ip 10.11.121.0 0.0.0.255 any
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log

    access-list 102 remark ======== TELNET ACCESS ACL ========
    access-list 102 permit ip host 10.11.12.3 any
    access-list 102 permit ip host 10.11.12.4 any
    access-list 102 permit ip host 10.11.12.5 any
    access-list 102 permit ip 10.11.121.0 0.0.0.255 any
    access-list 102 deny ip any any
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 100

    Any ideas?
    Steve
     
    StevenY, Jun 14, 2006
    #1

  2. nirsh Guest

    Hi,

    First of all, I don't get it... who's doing the VPN? The Cisco 1841 and the
    SOHO, or is there another VPN machine behind the SOHO that does it?

    I think your problem is in your access list for the NAT. You need to
    deny all NAT to the VPN networks so you can reach them.

    -
     
    nirsh, Jun 15, 2006
    #2
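As an added example (not from either post or from Cisco), here is a small Python check over the relevant lines of the 1841 config quoted above. It tests the two things nirsh's reply points at: whether the VPN pool (10.11.12.3-10.11.12.5) sits inside a subnet the router already has connected (it does, on FastEthernet0/0, 10.11.12.0/24), and whether the NAT route-map's ACL 100 exempts every pool address from translation. The CONFIG string is copied from the post; the parsing is deliberately limited to those statement types.

```python
import ipaddress

# Lines lifted from the 1841 config quoted in the post above.
CONFIG = """
interface FastEthernet0/0
 ip address 10.11.12.14 255.255.255.0
interface FastEthernet0/1
 ip address 10.11.121.15 255.255.255.0
ip local pool SDM_POOL_1 10.11.12.3 10.11.12.5
access-list 100 deny ip any host 10.11.12.3
access-list 100 deny ip any host 10.11.12.4
access-list 100 deny ip any host 10.11.12.5
access-list 100 permit ip any any
route-map SDM_RMAP_1 permit 1
 match ip address 100
"""

def parse(config):
    """Collect interface subnets, the VPN pool range and the NAT ACL's deny targets."""
    subnets, pool, nat_denies, iface = {}, None, set(), None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line.startswith("ip address ") and iface:
            _, _, ip, mask = line.split()
            subnets[iface] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif line.startswith("ip local pool "):
            start, end = line.split()[-2:]
            pool = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif line.startswith("access-list 100 deny ip any host "):
            # route-map SDM_RMAP_1 matches ACL 100, so its denies are the NAT exemptions
            nat_denies.add(ipaddress.ip_address(line.split()[-1]))
    return subnets, pool, nat_denies

def pool_overlaps(subnets, pool):
    """Interfaces whose connected subnet already contains a pool address."""
    start, end = pool
    return sorted(n for n, net in subnets.items() if start in net or end in net)

def pool_nat_exempt(pool, nat_denies):
    """True when every pool address is denied (not translated) in the NAT ACL."""
    start, end = pool
    wanted = {ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)}
    return wanted <= nat_denies

if __name__ == "__main__":
    subnets, pool, denies = parse(CONFIG)
    print("pool inside connected subnet of:", pool_overlaps(subnets, pool))
    print("pool exempt from NAT:", pool_nat_exempt(pool, denies))
```

With the quoted config the pool is reported as overlapping FastEthernet0/0 while the NAT exemption check passes, which narrows the problem to routing for the pool rather than translation.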
