Solved

Cisco 857 - No traffic between LAN and VPN clients

Posted on 2009-04-14
Last Modified: 2012-06-21
Hi there,

Having some issues, as the title suggests, with a Cisco 857 router. I have set up the VPN connection as specified in the config below, but connected clients cannot ping/reach the router or computers on the LAN.

I'm fairly new to Cisco, so being descriptive will help a lot.

The config is as follows:

Building configuration...

Current configuration : 6582 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname lon32.melbourne
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
ip dhcp excluded-address 10.10.10.1
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
!
!
crypto pki trustpoint TP-self-signed-1723353567
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1723353567
 revocation-check none
 rsakeypair TP-self-signed-1723353567
!
!
crypto pki certificate chain TP-self-signed-1723353567
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31373233 33353335 3637301E 170D3032 30333037 30323539
  31355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 37323333
  35333536 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81008E30 9F16FC3F A91DE90D 7AE50743 9FD13CEC 8AFCD9F5 2B479F52 883C7B96
  70F51DF4 55E80891 387BC91D 33AF53E3 B71A4183 B268F329 FCF6DC94 CD10DD29
  CCF49AE2 CCAE30AD 980DB58B 89111EC5 D6C50983 656BEB93 B9761D29 058728D2
  CDE3450D 143C4D3C 65BBDE99 CB61F23F DDF11AD1 F4B8C655 0E375959 F41D66E4
  14130203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 141FFC16 FDCEABA5 19770891 DD9E7918 803FFE0F
  F3301D06 03551D0E 04160414 1FFC16FD CEABA519 770891DD 9E791880 3FFE0FF3
  300D0609 2A864886 F70D0101 04050003 8181005E 07257B1E ADD3593D 6D7D3EF5
  25002E8C 4919BB3D 2A224361 F4F11290 956E11A8 242AD485 E55E461D 4FB8C6B3
  F0D254C7 AC73DE62 7F833354 33C13F11 BE3C3913 384352D6 D6B66C3F D42A43FA
  6126E69F 9416F913 1014513B 38E6BAC7 13906C23 BE4F3AB1 6FA4B648 D87B5386
  24E7331D A0C4E88B A9840B90 F7B886AF 1A84B4
  quit
!
!
username user privilege 15 secret 5 12345678909
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnusers
 key keypass123
 dns 192.168.100.200
 domain something.local
 pool vpnpool
 acl vpn-splitacl
!
!
crypto ipsec transform-set vpn-transset esp-3des esp-md5-hmac
!
crypto dynamic-map vpn-map 1
 set transform-set vpn-transset
!
!
crypto map ipsec-maps client authentication list userauthen
crypto map ipsec-maps isakmp authorization list groupauthor
crypto map ipsec-maps client configuration address respond
crypto map ipsec-maps 1 ipsec-isakmp dynamic vpn-map
!
!
!
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.100.100 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname call@isp.com
 ppp chap password 0 123465
 crypto map ipsec-maps
!
ip local pool vpnpool 172.16.12.50 172.16.12.100
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list NAT interface Dialer0 overload
ip nat inside source static tcp 192.168.100.200 443 interface Dialer0 443
ip nat inside source static tcp 192.168.100.200 80 interface Dialer0 80
ip nat inside source static tcp 192.168.100.200 25 interface Dialer0 25
ip nat inside source static tcp 192.168.100.200 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.100.200 1433 interface Dialer0 1433
ip nat inside source static tcp 192.168.100.200 21 interface Dialer0 21
!
ip access-list extended NAT
 permit ip any any
ip access-list extended vpn-splitacl
 permit ip 172.16.12.0 0.0.0.255 192.168.100.0 0.0.0.255
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.100.0 0.0.0.255
access-list 23 permit 192.168.101.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
Question by: Dovinshka

Accepted Solution by: JFrederick29
Make these changes:

conf t
! Split-tunnel ACL is written from the router's side: source = LAN, destination = VPN client pool
ip access-list extended vpn-splitacl
permit ip 192.168.100.0 0.0.0.255 172.16.12.0 0.0.0.255
no permit ip 172.16.12.0 0.0.0.255 192.168.100.0 0.0.0.255

! Exempt LAN -> VPN pool from PAT; the deny has to sit ahead of the permit, so re-add the permit after it
ip access-list extended NAT
deny ip 192.168.100.0 0.0.0.255 172.16.12.0 0.0.0.255
no permit ip any any
permit ip any any
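The two mistakes the accepted answer corrects are both ordering problems, so they can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python lint that parses a constructed, cut-down copy of the posted config (only the stanzas the checks need), derives the LAN from the interface carrying `ip nat inside`, and reports a split-tunnel ACL written pool-to-LAN instead of LAN-to-pool, or a NAT ACL whose first ACE matching LAN-to-pool traffic is a permit rather than a deny. The function and variable names are my own; the `FIXED` config is built by applying the answer's changes to the constructed `POSTED` copy.

```python
"""Lint an IOS Easy VPN config for a reversed split-tunnel ACL and a NAT ACL
that translates LAN -> VPN-pool traffic (added example, not the page's code)."""
import ipaddress
import re

ALL_ONES = int(ipaddress.IPv4Address("255.255.255.255"))

def _net(addr, wildcard):
    """IOS 'address wildcard' pair -> IPv4Network (a wildcard is an inverted mask)."""
    mask = ipaddress.IPv4Address(ALL_ONES ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def _operand(tokens):
    """Consume one ACE address operand: any | host A | A WILDCARD."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return _net(tokens[0], tokens[1]), tokens[2:]

def parse_config(text):
    """Collect ACLs, local pools, client groups, 'ip nat inside' networks and the NAT list name."""
    acls, pools, groups, inside_nets, nat_list = {}, {}, {}, [], None
    section, iface_net = "", None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):                      # a new top-level stanza
            section, iface_net = line, None
            if m := re.match(r"ip access-list extended (\S+)", line):
                acls[m[1]] = []
            elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)", line):
                pools[m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
            elif m := re.match(r"crypto isakmp client configuration group (\S+)", line):
                groups[m[1]] = {}
            elif m := re.match(r"ip nat inside source list (\S+) ", line):
                nat_list = m[1]
            continue
        tok = line.split()
        if section.startswith("ip access-list extended") and tok[0] in ("permit", "deny"):
            if tok[1] != "ip":                            # protocol-specific ACEs are out of scope here
                continue
            src, rest = _operand(tok[2:])
            dst, _ = _operand(rest)
            acls[section.split()[-1]].append((tok[0], src, dst))
        elif section.startswith("crypto isakmp client configuration group") and tok[0] in ("acl", "pool"):
            groups[section.split()[-1]][tok[0]] = tok[1]
        elif section.startswith("interface"):
            if tok[:2] == ["ip", "address"] and len(tok) == 4:
                iface_net = ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False)
            elif tok == ["ip", "nat", "inside"] and iface_net:
                inside_nets.append(iface_net)
    return acls, pools, groups, inside_nets, nat_list

def lint(text):
    """Return a list of findings; an empty list means both ordering checks pass."""
    acls, pools, groups, inside_nets, nat_list = parse_config(text)
    findings = []
    for gname, g in groups.items():
        if g.get("pool") not in pools:
            continue
        pool_nets = list(ipaddress.summarize_address_range(*pools[g["pool"]]))
        split = acls.get(g.get("acl"), [])
        for lan in inside_nets:
            wc = f"{lan.network_address} {lan.hostmask}"
            # 1. Split-tunnel ACL: source must be the LAN behind the router, destination the pool.
            if any(a == "permit" and lan.subnet_of(s) and all(p.subnet_of(d) for p in pool_nets)
                   for a, s, d in split):
                pass
            elif any(a == "permit" and lan.overlaps(d) and any(p.overlaps(s) for p in pool_nets)
                     for a, s, d in split):
                findings.append(f"group {gname}: split ACL {g['acl']} is reversed (pool -> LAN); "
                                f"it must read 'permit ip {wc} <pool>'")
            else:
                findings.append(f"group {gname}: split ACL {g.get('acl')} never permits {lan} -> pool")
            # 2. NAT ACL: the first ACE matching LAN -> pool must be a deny, otherwise replies to
            #    VPN clients are PATed to the outside address and never go back through the tunnel.
            for action, s, d in acls.get(nat_list, []):
                if lan.overlaps(s) and any(p.overlaps(d) for p in pool_nets):
                    if action == "permit":
                        findings.append(f"NAT ACL {nat_list}: {lan} -> VPN pool is translated; "
                                        f"add 'deny ip {wc} <pool>' ahead of the permit")
                    break
    return findings

# Constructed, cut-down copy of the posted config (only the stanzas the checks read).
POSTED = """\
crypto isakmp client configuration group vpnusers
 pool vpnpool
 acl vpn-splitacl
interface Vlan1
 ip address 192.168.100.100 255.255.255.0
 ip nat inside
ip local pool vpnpool 172.16.12.50 172.16.12.100
ip nat inside source list NAT interface Dialer0 overload
ip access-list extended NAT
 permit ip any any
ip access-list extended vpn-splitacl
 permit ip 172.16.12.0 0.0.0.255 192.168.100.0 0.0.0.255
"""
# The same stanzas after the accepted answer's changes.
FIXED = POSTED.replace(
    " permit ip any any",
    " deny ip 192.168.100.0 0.0.0.255 172.16.12.0 0.0.0.255\n permit ip any any",
).replace(
    " permit ip 172.16.12.0 0.0.0.255 192.168.100.0 0.0.0.255",
    " permit ip 192.168.100.0 0.0.0.255 172.16.12.0 0.0.0.255",
)

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(label, lint(cfg) or "OK")
```

Run against the posted copy it reports the reversed split ACL and the un-exempted NAT ACL; against the fixed copy it reports nothing. It only understands plain `ip` ACEs in named extended ACLs and takes the LAN from whichever interface is marked `ip nat inside`, which is enough for the config in this thread but not a general IOS parser.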
Author Comment by: Dovinshka
Thanks for that, it works. Looking closer, I did actually have the ACL set the other way; somehow I must have reversed it while testing.

Thanks!