Solved

Cannot access LAN side through Cisco VPN, can access router.

Posted on 2009-04-20
Last Modified: 2012-05-06
Please take a look at my running config, I can't access the LAN side computers through my VPN.
This is the running config of the router: 10.6.2.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ccc_router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$X7pK$OoeHdvOcivn1LrlVxt7N1.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
no ip bootp server
ip domain name mobileccc.org
ip name-server 69.85.209.10
ip name-server 69.85.209.12
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
crypto pki trustpoint TP-self-signed-536923487
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-536923487
 revocation-check none
 rsakeypair TP-self-signed-536923487
!
!
crypto pki certificate chain TP-self-signed-536923487
 certificate self-signed 01
  3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 35333639 32333438 37301E17 0D303930 34323032 30313630
  325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3533 36393233
  34383730 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  AC72DE39 D7DD2A43 4330092E 11F3E410 3712A208 F640DED4 E68617D4 4F63A51E
  CB83B81D 328AD22D 1838E8B8 D6622283 476F07CD 7AF6EE2C 4935E17C 284ACC89
  2BC351BB CF110158 AA9D3097 C88BBD47 C3BFBECB 6EA1ADC4 7696D5D6 EDFEDA6F
  2DF04420 78A85759 1927AEF6 B147F3B7 66C32D28 B956E776 E90DEDA9 AEB955FD
  02030100 01A37830 76300F06 03551D13 0101FF04 05300301 01FF3023 0603551D
  11041C30 1A821863 63635F72 6F757465 722E6D6F 62696C65 6363632E 6F726730
  1F060355 1D230418 30168014 25AED355 DEB039B3 71D1F5FC 0626F27C 1A287FBF
  301D0603 551D0E04 16041425 AED355DE B039B371 D1F5FC06 26F27C1A 287FBF30
  0D06092A 864886F7 0D010104 05000381 81009DB4 727D036B 145DD0B7 E5FCADC1
  F4FA05DE 19B2F2F1 DCFB5F1A EC725EBE 5120B105 950DF741 412E9DCE DF6D3112
  187FCAEB 688708CF B618C741 6F9488DF B312444A 6BC29800 198A27A6 946B76CF
  B2ECDB70 8889F8DA 2278A676 CF78C7FF 2D54D020 DE95D2C8 85D8C971 0E30B381
  C1EC0EB6 6FD2D7D7 9A62DB42 613700BA 10C1
  quit
username jerryguy privilege 15 secret 5 $1$rU02$aXWH4TEH2Q9UsP6e9sPem0
username cccuser privilege 15 secret 5 $1$P4Pk$BHlzVPBgTAx94j3y2VY741
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group ccc_users
 key ccccanal
 dns 10.6.2.200 69.85.209.10
 pool SDM_POOL_1
 acl ccc_access
 max-users 10
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set security-association idle-time 1800
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
 ip address 10.6.2.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$
 ip address 69.85.192.66 255.255.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex full
 speed 10
 no mop enabled
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 10.6.2.245 10.6.2.255
ip classless
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
!
ip access-list extended ccc_access
 remark access to lan
 remark SDM_ACL Category=4
 permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.6.2.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 69.85.192.64 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 10.6.2.245 any
access-list 101 permit ip host 10.6.2.246 any
access-list 101 permit ip host 10.6.2.247 any
access-list 101 permit ip host 10.6.2.248 any
access-list 101 permit ip host 10.6.2.249 any
access-list 101 permit ip host 10.6.2.250 any
access-list 101 permit ip host 10.6.2.251 any
access-list 101 permit ip host 10.6.2.252 any
access-list 101 permit ip host 10.6.2.253 any
access-list 101 permit ip host 10.6.2.254 any
access-list 101 permit ip host 10.6.2.255 any
access-list 101 permit udp any host 69.85.192.66 eq non500-isakmp
access-list 101 permit udp any host 69.85.192.66 eq isakmp
access-list 101 permit esp any host 69.85.192.66
access-list 101 permit ahp any host 69.85.192.66
access-list 101 permit udp host 69.85.209.12 eq domain host 69.85.192.66
access-list 101 permit udp host 69.85.209.10 eq domain host 69.85.192.66
access-list 101 deny   ip 10.6.2.0 0.0.0.255 any
access-list 101 permit icmp any host 69.85.192.66 echo-reply
access-list 101 permit icmp any host 69.85.192.66 time-exceeded
access-list 101 permit icmp any host 69.85.192.66 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip any host 10.6.2.245
access-list 102 deny   ip any host 10.6.2.246
access-list 102 deny   ip any host 10.6.2.247
access-list 102 deny   ip any host 10.6.2.248
access-list 102 deny   ip any host 10.6.2.249
access-list 102 deny   ip any host 10.6.2.250
access-list 102 deny   ip any host 10.6.2.251
access-list 102 deny   ip any host 10.6.2.252
access-list 102 deny   ip any host 10.6.2.253
access-list 102 deny   ip any host 10.6.2.254
access-list 102 deny   ip any host 10.6.2.255
access-list 102 permit ip 10.6.2.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
!
control-plane
!
!
banner exec ^CC
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
-----------------------------------------------------------------------
^C
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


Question by: baytechnical
2 Comments
Accepted Solution

by: JFrederick29 (earned 1000 total points)
ID: 24194636
Add this:

interface GigabitEthernet0/1
 ip proxy-arp
Assisted Solution

by: lrmoore (earned 1000 total points)
ID: 24200940
JFrederick29 hit the nail on the head.
We generally use a different IP subnet for the VPN pool, but there is no rule that you have to. However, if you do use a subset of the local area subnet, then you have to enable proxy arp on the LAN interface.
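An added config check, not code from the question or either answer, that reads a constructed excerpt of the posted running config and flags the condition both answers describe: a VPN address pool carved out of a connected subnet whose interface has `no ip proxy-arp`. It also tests the two remedies, proxy ARP re-enabled on the LAN interface (GigabitEthernet0/0 in this config, which is the LAN interface lrmoore's note refers to) and, alternatively, a pool in its own subnet (10.6.3.0/24 is an assumed, unused subnet).

```python
import ipaddress
import re

# Constructed excerpt of the posted running config (trimmed to the relevant lines).
CONFIG_BEFORE = """\
interface GigabitEthernet0/0
 ip address 10.6.2.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 69.85.192.66 255.255.255.248
 no ip proxy-arp
 ip nat outside
!
ip local pool SDM_POOL_1 10.6.2.245 10.6.2.255
"""
# Fix 1: proxy ARP back on the LAN interface (Gi0/0 here), so LAN hosts can ARP for VPN clients.
CONFIG_PROXY_ARP = CONFIG_BEFORE.replace(" no ip proxy-arp\n ip nat inside", " ip proxy-arp\n ip nat inside")
# Fix 2: the pool moved to its own subnet (10.6.3.0/24 is an assumed, unused subnet).
CONFIG_SEPARATE_POOL = CONFIG_BEFORE.replace("10.6.2.245 10.6.2.255", "10.6.3.1 10.6.3.10")

def parse_interfaces(config):
    """Map interface name -> {"network", "proxy_arp"}; IOS enables proxy ARP by default."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = m.group(1)
            ifaces[cur] = {"network": None, "proxy_arp": True}
        elif cur and (m := re.match(r"\s+ip address (\S+) (\S+)", line)):
            ifaces[cur]["network"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}").network
        elif cur and re.match(r"\s+no ip proxy-arp", line):
            ifaces[cur]["proxy_arp"] = False
        elif line.startswith("!"):
            cur = None
    return {n: v for n, v in ifaces.items() if v["network"]}

def parse_pools(config):
    """Map pool name -> (first address, last address) from 'ip local pool' lines."""
    return {m[1]: (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
            for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M)}

def find_overlapping_pools(config):
    """Return [(pool, interface)] where a VPN pool lies inside a connected subnet
    whose interface has 'no ip proxy-arp': LAN hosts then cannot ARP-resolve VPN clients."""
    ifaces = parse_interfaces(config)
    return [(pool, name)
            for pool, (first, last) in parse_pools(config).items()
            for name, info in ifaces.items()
            if first in info["network"] and last in info["network"] and not info["proxy_arp"]]
```

Running `find_overlapping_pools` on the three configs reports the pool on GigabitEthernet0/0 for the original and nothing for either fix; applying `ip proxy-arp` to the WAN interface alone would still be flagged.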
