Cisco 857 - No traffic between LAN and VPN clients

Posted on 2009-04-14
Medium Priority
Last Modified: 2012-06-21
Hi there,

Having some issues, as the title suggests, with a Cisco 857 router. I have set up the VPN connection as specified in the config below, but connected clients cannot ping/reach the router or computers on the LAN.

Fairly new to Cisco so being descriptive will help a lot.

The config is as follows:

Building configuration...

Current configuration : 6582 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname lon32.melbourne
logging buffered 51200 warnings
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip dhcp excluded-address
ip cef
no ip domain lookup
ip domain name yourdomain.com
crypto pki trustpoint TP-self-signed-1723353567
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1723353567
 revocation-check none
 rsakeypair TP-self-signed-1723353567
crypto pki certificate chain TP-self-signed-1723353567
 certificate self-signed 01
username user privilege 15 secret 5 12345678909
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group vpnusers
 key keypass123
 domain something.local
 pool vpnpool
 acl vpn-splitacl
crypto ipsec transform-set vpn-transset esp-3des esp-md5-hmac
crypto dynamic-map vpn-map 1
 set transform-set vpn-transset
crypto map ipsec-maps client authentication list userauthen
crypto map ipsec-maps isakmp authorization list groupauthor
crypto map ipsec-maps client configuration address respond
crypto map ipsec-maps 1 ipsec-isakmp dynamic vpn-map
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Dot11Radio0
 no ip address
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 station-role root
interface Vlan1
 ip address
 ip nat inside
 ip virtual-reassembly
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname call@isp.com
 ppp chap password 0 123465
 crypto map ipsec-maps
ip local pool vpnpool
ip route Dialer0
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list NAT interface Dialer0 overload
ip nat inside source static tcp 443 interface Dialer0 443
ip nat inside source static tcp 80 interface Dialer0 80
ip nat inside source static tcp 25 interface Dialer0 25
ip nat inside source static tcp 3389 interface Dialer0 3389
ip nat inside source static tcp 1433 interface Dialer0 1433
ip nat inside source static tcp 21 interface Dialer0 21
ip access-list extended NAT
 permit ip any any
ip access-list extended vpn-splitacl
 permit ip
access-list 23 permit
access-list 23 permit
access-list 23 permit
dialer-list 1 protocol ip permit
no cdp run
Question by: Dovinshka

Accepted Solution

JFrederick29 earned 500 total points
ID: 24137451
Make these changes:

conf t
ip access-list extended vpn-splitacl
permit ip
no permit ip

ip access-list extended NAT
no permit ip any any
permit ip any any

Author Comment

ID: 24137825
Thanks for that, it works. Looking closer, I did actually have the ACL set the other way; somehow I must have reversed it with testing.
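
Added example, not part of the thread and not any participant's code: a Python check for the two ACLs the accepted answer changes, run over a broken and a corrected config. It assumes the fix is the usual one for this symptom (the protected LAN as the split-tunnel ACL source, and a deny for LAN-to-pool traffic ahead of the NAT permit); the addresses and function names are constructed because the thread's own addresses are not shown, while the ACL names come from the posted config.

```python
import ipaddress
import re
# Constructed sample (not the poster's addresses): LAN 10.0.0.0/24, VPN pool 10.0.1.1-20.
BASE = """interface Vlan1
 ip address 10.0.0.1 255.255.255.0
ip local pool vpnpool 10.0.1.1 10.0.1.20
ip access-list extended NAT
{nat}
ip access-list extended vpn-splitacl
{split}
"""
BROKEN = BASE.format(nat=" permit ip any any",
                     split=" permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255")
FIXED = BASE.format(nat=" deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255\n permit ip 10.0.0.0 0.0.0.255 any",
                    split=" permit ip 10.0.0.0 0.0.0.255 any")

def take_net(tok):
    """Consume 'any', 'host A' or 'A WILDCARD' (contiguous wildcard masks only)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_acls(config):
    """Return {name: [(action, src_net, dst_net), ...]} for extended ACL entries."""
    acls = {}
    for name, body in re.findall(r"^ip access-list extended (\S+)\n((?: .*\n?)*)", config, re.M):
        for tok in map(str.split, body.splitlines()):
            if len(tok) >= 4 and tok[0] in ("permit", "deny"):
                src, rest = take_net(tok[2:])
                acls.setdefault(name, []).append((tok[0], src, take_net(rest)[0]))
    return acls

def audit(config, nat_acl="NAT", split_acl="vpn-splitacl"):
    """Flag a reversed split-tunnel ACL and a NAT ACL that translates LAN-to-pool replies."""
    grab = lambda pattern: re.search(pattern, config).groups()
    lan = ipaddress.ip_interface("/".join(grab(r"interface Vlan1\n ip address (\S+) (\S+)"))).network
    pool = [ipaddress.ip_address(a) for a in grab(r"ip local pool \S+ (\S+) (\S+)")]
    acls, findings = parse_acls(config), []
    # Split-tunnel ACL: the source must be the protected LAN, not the client pool.
    if any(act == "permit" and not src.overlaps(lan) for act, src, _ in acls.get(split_acl, [])):
        findings.append("split-acl-source-not-lan")
    # NAT ACLs are first-match: LAN-to-pool traffic must hit a deny before any permit.
    first = next((act for act, src, dst in acls.get(nat_acl, [])
                  if src.overlaps(lan) and all(addr in dst for addr in pool)), None)
    if first == "permit":
        findings.append("nat-translates-lan-to-vpn-pool")
    return findings
```

`audit(BROKEN)` reports both findings and `audit(FIXED)` reports none; entries with missing addresses, like the `permit ip` lines as they appear on this page, are skipped rather than guessed at.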

