04.30.2008 at 11:41PM PDT, ID: 23367777

Cisco Easy VPN 877-M cannot access NAT network

Asked by rweatherley in IPSec Security Protocol, Network Routers, Virtual Private Networking (VPN)


I have a Cisco 877-M with IOS 12.4(11)XJ3, Advanced IP Services and 28MB flash. I have set up the router as an Easy VPN Server. The client is Cisco VPN Client 4.9.0.1 (0030). The router has a static IP facing the Internet and a PAT subnet. Cisco VPN client can connect from the Internet but cannot ping or access any services in the PAT network (10.1.1.0/24). I have read dozens of examples from Cisco, this site and many other places. I have tried "old style" crypto maps and newer VTI/Loopback configurations. The VPN client shows a secured route to 10.1.1.0. Packets to 10.1.1.0 are clearly going through the tunnel but are not returning. The VPN client indicates that transparent tunneling is inactive.

I use the same VPN client to access other external VPNs with no problem. I have tried a different VPN client with the same results.

The obfuscated config is attached. Any help gratefully received.

Thanks
Richard

Attached configuration (obfuscated):
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router-0-1-1-10
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 65535
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
!
!
aaa session-id common
clock timezone Sydney 10
clock summer-time Sydney date Mar 30 2003 3:00 Oct 26 2003 2:00
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.1.1 10.1.1.32
!
ip dhcp pool vlan5
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.1 
   dns-server 1.2.3.4 2.3.4.5
   domain-name xxx
   lease 30
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name galexia.com
ip name-server 1.2.3.4
ip name-server 2.3.4.5
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect tcp finwait-time 10
ip inspect tcp synwait-time 60
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp router-traffic
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-518333447
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-518333447
 revocation-check none
 rsakeypair TP-self-signed-518333447
!
!
crypto pki certificate chain TP-self-signed-518333447
 certificate self-signed 01
...
  quit
!
!
username admin privilege 15 view SDM_Administrator password 7 xxx
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp keepalive 60 10
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group staff
 key 6 xxx
 pool SDM_POOL_1
 acl 100
crypto isakmp profile sdm-ike-profile-1
   match identity group staff
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto ipsec profile SDM_Profile1
 set security-association idle-time 86400
 set transform-set ESP-AES256-SHA 
 set isakmp-profile sdm-ike-profile-1
!
interface Loopback0
 description Loop0 to provide unnumbered addressing to VPN$FW_INSIDE$  
 ip address 10.1.2.1 255.255.255.0
 ip access-group 115 in
!
interface Null0
 no ip unreachables
!
interface ATM0
 description --- ADSL ---
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 pvc 8/35 
  tx-ring-limit 3
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto 
!
interface FastEthernet0
 switchport access vlan 5
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip access-group 115 in
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
! NAT network
interface Vlan5
 description Internal NAT LAN$FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 ip access-group 115 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
! Obfuscated static Internet address 3.4.5.6
interface Dialer0
 description --- ADSL ---$FW_OUTSIDE$
 ip address negotiated
 ip access-group 115 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp chap hostname xxx
 ppp chap password 7 xxx
!
ip local pool SDM_POOL_1 10.1.3.1 10.1.3.254
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip flow-top-talkers
 top 25
 sort-by bytes
!
no ip http server
ip http secure-server
ip nat inside source route-map nonat interface Dialer0 overload
!
logging 10.1.1.4
access-list 20 permit 10.1.1.0 0.0.0.255
access-list 20 deny   any log
! Set VPN route to 10.1.1.0 (crypto isakmp client configuration group staff)
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
! Block VPN traffic from being NATted
access-list 102 deny   ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
! For testing purposes let everything through
access-list 115 permit ip any any
no cdp run
!
route-map nonat permit 10
 match ip address 102
!
control-plane
!
line con 0
 no modem enable
 terminal-type vt100
 length 25
 stopbits 1
line aux 0
line vty 0 4
 access-class 20 in
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
sntp server 1.2.3.4
end
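The symptom described in the question (packets enter the tunnel, nothing comes back) is usually audited by checking three relationships in the running config: which ACL the PAT rule actually consults, whether that ACL denies (exempts) LAN-to-VPN-pool traffic before any permit entry catches it, and whether the client pool overlaps an inside LAN. The script below is an added example, not code from the question, the answer or Cisco; it embeds a constructed excerpt of the posted config (the same obfuscated 10.1.x.x addresses, only the NAT- and pool-related lines) plus a second copy with the exemption removed, and the checks are generic config hygiene rather than a verdict on this particular router.

```python
import ipaddress
import re

# Constructed sample: the NAT- and VPN-relevant lines lifted from the config posted
# above (same obfuscated addresses), not a complete router configuration.
SAMPLE_CONFIG = """\
ip local pool SDM_POOL_1 10.1.3.1 10.1.3.254
ip nat inside source route-map nonat interface Dialer0 overload
interface Vlan5
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
interface Dialer0
 ip address negotiated
 ip nat outside
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 deny   ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 102
"""

# Same excerpt with the NAT-exemption deny removed: LAN replies to VPN clients would
# then be PAT-ed out of Dialer0 instead of being routed back down the tunnel.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    "access-list 102 deny   ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255\n", "")

ANY = ipaddress.ip_network("0.0.0.0/0")


def _address_spec(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD); return (network, remaining)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for 'access-list N ... ip' entries."""
    acls = {}
    pattern = r"^access-list (\d+) (permit|deny)\s+ip\s+(.+?)\s*$"
    for m in re.finditer(pattern, config, re.M):
        src, rest = _address_spec(m.group(3).split())
        dst, _ = _address_spec(rest)
        acls.setdefault(m.group(1), []).append((m.group(2), src, dst))
    return acls


def parse_pool(config):
    """Return (pool_name, [CIDR blocks]) for the first 'ip local pool' statement."""
    m = re.search(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M)
    start, end = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
    return m.group(1), list(ipaddress.summarize_address_range(start, end))


def nat_acl(config):
    """Find the ACL that decides what is translated: 'ip nat inside source route-map X'
    -> 'route-map X' -> 'match ip address N' (or plain 'ip nat inside source list N')."""
    rm = re.search(r"^ip nat inside source route-map (\S+)", config, re.M)
    if rm is None:
        lst = re.search(r"^ip nat inside source list (\S+)", config, re.M)
        return lst.group(1) if lst else None
    block = re.search(r"^route-map %s .*\n((?: .*\n)*)" % re.escape(rm.group(1)), config, re.M)
    m = re.search(r"match ip address (\S+)", block.group(1)) if block else None
    return m.group(1) if m else None


def inside_lans(config):
    """Subnets of every interface configured with 'ip nat inside'."""
    lans = []
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        if re.search(r"^ ip nat inside\s*$", block, re.M):
            m = re.search(r"^ ip address (\S+) (\S+)", block, re.M)
            if m:
                lans.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return lans


def first_match(entries, src, dst):
    """IOS evaluates an ACL top-down and stops at the first match (implicit deny at the end).
    Returns 'partial' when an entry covers only part of the src/dst block being checked."""
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
        if src.overlaps(s) and dst.overlaps(d):
            return "partial"
    return "deny"


def audit_nat_exemption(config):
    """Return findings; an empty list means every NAT-inside LAN -> VPN-pool flow hits a
    deny in the NAT ACL (so it is exempt from translation) and the pool overlaps no LAN."""
    findings = []
    acl_id = nat_acl(config)
    entries = parse_acls(config).get(acl_id, [])
    pool_name, pool_blocks = parse_pool(config)
    for lan in inside_lans(config):
        for block in pool_blocks:
            if lan.overlaps(block):
                findings.append(f"pool {pool_name} block {block} overlaps inside LAN {lan}")
            action = first_match(entries, lan, block)
            if action != "deny":
                findings.append(f"ACL {acl_id}: {lan} -> {block} would be translated ({action})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted excerpt", SAMPLE_CONFIG), ("without the deny", BROKEN_CONFIG)):
        print(label, "->", audit_nat_exemption(cfg) or "NAT exemption OK")
```

Run with `python3`; the posted excerpt passes (ACL 102 denies 10.1.1.0/24 to 10.1.3.0/24 before the permit, and the pool 10.1.3.1-254 does not overlap Vlan5), while the copy without the deny reports every pool block as a flow that would be translated. Because the pool is expressed as an address range rather than a subnet, it is summarised into CIDR blocks and each block is checked against the ACL on its own, which is why a single missing deny produces several findings.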
05.01.2008 at 01:21AM PDT, ID: 21477096

About this solution

Zones: IPSec Security Protocol, Network Routers, Virtual Private Networking (VPN)
Tags: Cisco, Router, 877-M, Easy VPN IOS IPSec NAT
Solution Provided By: markgrinceri
Participating Experts: 1
Solution Grade: A