Remote access fun with Cisco 837 and locally auth'd Cisco VPN client

Hi Folks,

Through a fair amount of googling, usenet trawling and blind hacking
i've managed to get a Cisco 837 connected to the net. I'm now able to
browse the net 100% and the router has several port forwards setup to
expose a webserver along with RDP and Windows VPN services from a
Win2k3 server. Now.. while all of those work, just having windows VPN
and RDP ports exposed to the world at large isn't that secure. I'd
prefer to use the 837's VPN capabilities to access internal LAN
resources securely from anywhere on the net when i'm in the office or
away travelling.

My ISP (Nildram in the UK) allocates the router a static IP address by
DHCP. The LAN IP range is 192.168.16.1 255.255.255.0 with the router on
192.168.16.1. The Win2k3 server that I need to access is 192.168.16.250
and a LAN connected laptop has a static dhcp allocation (from the
Win2k3 server) of 192.168.16.10. I'm testing remote access with the
Cisco v4.6.00 (0045) VPN client for Macintosh by dialing the internet
on another laptop that's not connected to the internal LAN.

With my current running configuration I can connect from anywhere on
the web and authenticate as a local user with the 837. Once auth'd the
VPN client is allocated an IP from the vpn pool. From the VPN connected
laptop I can ping any address on the LAN and any other machine on the
LAN can ping the IP the VPN client has been allocated. However I cannot
access resources via all protocols on all machines. This part appears
inconcsistent and is what has me thoroughly baffled. e.g. from the VPN
client I can mount SMB shares on 192.168.16.250 but cannot see the
webserver 80) on the same IP. From the LAN laptop I can see the
webserver on the VPN client (192.168.17.x:80). However the VPN client
can't see the webserver on the LAN laptop (192.168.16.10:80).

This is my first ever contact with Cisco gear and my first experience
with a real router. I have a suspicion that the answer is somehow
related to nat forwarding and the access-lists, but this being my first
encounter with them, my brain's glazed over. Can anyone spot the
problem?

sh version reports: IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.2(13)ZH4

Config (security edited) is cut/pasted below:

!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxx
!
logging queue-limit 100
no logging buffered
enable secret 5 xxxx
!
username xxxx password 7 xxxx
username xxxx password 7 xxxx
username xxxx password 7 xxxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group xxxx
key 0 xxxx
dns 192.168.16.250
wins 192.168.16.250
pool vpnpool
acl 106
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
ip address 192.168.16.1 255.255.255.0
ip access-group 102 in
ip nat inside
no ip mroute-cache
crypto map clientmap
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer1
ip address negotiated
ip access-group 101 in
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 7 xxxx
ppp pap sent-username password 7 xxxx
ppp ipcp dns request
ppp ipcp wins request
crypto map clientmap
hold-queue 224 in
!
ip local pool vpnpool 192.168.17.1 192.168.17.10
ip nat inside source list 105 interface Dialer1 overload
ip nat inside source static tcp 192.168.16.250 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.16.250 80 interface Dialer1 80
ip nat inside source static tcp 192.168.16.250 1723 interface Dialer1 1723
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
access-list 1 remark The local LAN
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 2 remark Where management can be done from
access-list 2 permit 192.168.16.0 0.0.0.255
access-list 2 permit 192.168.17.0 0.0.0.255
access-list 101 remark Traffic allowed to enter router from Internet
access-list 101 permit ip any any
access-list 101 permit ip 192.168.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 101 permit ip 192.168.17.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 1723
access-list 101 permit udp any any eq isakmp
access-list 101 permit tcp any any eq 10000
access-list 101 permit gre any any
access-list 101 deny ip any any
access-list 102 remark Traffic allowed to enter router from Ethernet
access-list 102 permit ip any any
access-list 105 remark Traffic to NAT
access-list 105 deny ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 105 deny ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 105 permit ip 192.168.16.0 0.0.0.255 any
access-list 105 permit ip 192.168.17.0 0.0.0.255 any
access-list 106 remark User to Site VPN clients
access-list 106 permit ip 192.168.16.0 0.0.0.255 any
access-list 106 permit ip 192.168.17.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 2 in
exec-timeout 120 0
length 0
!
scheduler max-task-time 5000
!
end

Obviously if there's any other screwups i've made (things that are in
that should be out and vice versa) i'd be more than happy to have them
pointed out!

-- Christian