
Cisco VPN Client + Cisco 851 Router

I've just finished configuring VPN on my Cisco 851 router. I'm able to connect from a remote location using the Cisco VPN Client to my router, and I'm also getting an IP from my VPN IP pool (192.168.25.x/24). After connecting I'm unable to ping or connect to any resources and computers on my local LAN (192.168.168.x/24).

Can anyone tell me what I am doing wrong based on my configuration file below?


Thanks,

Marc

Current configuration : 4414 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$pds/$$1$v5OP$mPuiEQn8UL
!
aaa new-model
!
!
aaa authentication login remoteusers local
aaa authorization network remotegroup local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3646643101
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3646643101
 revocation-check none
 rsakeypair TP-self-signed-3646643101
!
!
crypto pki certificate chain TP-self-signed-3646643101
 certificate self-signed 01
  30820257 308201C0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33363436 36343331 3031301E 170D3130 30363133 31323030
  30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36343636
  34333130 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100EEE1 A5FC25D5 9F804999 33C336B1 7E75512E 327070E0 F8F164A2 0D883A9B
  611929A2 10A36D5D 334B4BDD 47ABD60B B8AF20CC 436CB91D A6CC997D 1383E645
  5EC75C88 F25BE0A3 E465E8D2 AB20583B B2D60DAC 39A413E3 FBACAA3A ECE8EE61
  34C8140C 60852655 CC7C5FEC 78304FDC F875E8D9 3E0CE9C8 C061F745 B8553C91
  DE030203 010001A3 7F307D30 0F060355 1D130101 FF040530 030101FF 302A0603
  551D1104 23302182 1F697379 73383531 2E697379 732E6765 6D696E69 2D737973
  74656D73 2E636F6D 301F0603 551D2304 18301680 1419FA09 D7992944 985DA2E1
  FD664785 928D70D2 47301D06 03551D0E 04160414 19FA09D7 99294498 5DA2E1FD
  66478592 8D70D247 300D0609 2A864886 F70D0101 04050003 8181000A 7B96D819
  1A555E5A CE0D7F6D F0A40AA6 D74BAEDB B6B88F1A 40DD2117 29596326 D14CCBB9
  3922D80E 3C17F954 1F8FF9EE 15BB78F0 CCA06C89 3C7EA8A3 DA503A49 88EE0B7A
  4A04265A B51AC42D 81752A9E 725D5031 931D3B2A 1A93AA5E 9D5C19E4 49748E83
  DE89B41C 19CB5ABD 2805D96F D3B5A1DA D3F911AC 9BABCF17 CF770A
        quit
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.168.0 192.168.168.20
!
ip dhcp pool my-pool
   import all
   network 192.168.168.0 255.255.255.0
   dns-server 8.8.8.8 8.8.4.4
   default-router 192.168.168.1
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name my.domain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
!
vtp mode transparent
username radmin privilege 15 secret 5 $$$$$$$$$$$$jkjaksjfas
username ruser1 password 0 password1
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group remotegroup
 key myvpnkey
 domain my.domain.com
 pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
!
crypto map dynmap client authentication list remoteusers
crypto map dynmap isakmp authorization list remotegroup
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 64.81.111.18 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map dynmap
!
interface Vlan1
 ip address 192.168.168.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool dynpool 192.168.25.1 192.168.25.5
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 64.81.111.17
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
!
logging trap debugging
no cdp run
route-map nonat permit 10
 match ip address 110
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end
Head of IT Security Division
Top Expert 2010
Commented:
Hi,

You are missing nonat:

access-list 110 deny ip 192.168.168.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 110 permit ip any any

Best regards,
Istvan

Author

Commented:
I added ikalmar's suggestion and I'm still having the same issue. Take a look at the new config file below.

Current configuration : 4414 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$pds/$$1$v5OP$mPuiEQn8UL
!
aaa new-model
!
!
aaa authentication login remoteusers local
aaa authorization network remotegroup local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3646643101
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3646643101
 revocation-check none
 rsakeypair TP-self-signed-3646643101
!
!
crypto pki certificate chain TP-self-signed-3646643101
 certificate self-signed 01
  30820257 308201C0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33363436 36343331 3031301E 170D3130 30363133 31323030
  30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36343636
  34333130 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100EEE1 A5FC25D5 9F804999 33C336B1 7E75512E 327070E0 F8F164A2 0D883A9B
  611929A2 10A36D5D 334B4BDD 47ABD60B B8AF20CC 436CB91D A6CC997D 1383E645
  5EC75C88 F25BE0A3 E465E8D2 AB20583B B2D60DAC 39A413E3 FBACAA3A ECE8EE61
  34C8140C 60852655 CC7C5FEC 78304FDC F875E8D9 3E0CE9C8 C061F745 B8553C91
  DE030203 010001A3 7F307D30 0F060355 1D130101 FF040530 030101FF 302A0603
  551D1104 23302182 1F697379 73383531 2E697379 732E6765 6D696E69 2D737973
  74656D73 2E636F6D 301F0603 551D2304 18301680 1419FA09 D7992944 985DA2E1
  FD664785 928D70D2 47301D06 03551D0E 04160414 19FA09D7 99294498 5DA2E1FD
  66478592 8D70D247 300D0609 2A864886 F70D0101 04050003 8181000A 7B96D819
  1A555E5A CE0D7F6D F0A40AA6 D74BAEDB B6B88F1A 40DD2117 29596326 D14CCBB9
  3922D80E 3C17F954 1F8FF9EE 15BB78F0 CCA06C89 3C7EA8A3 DA503A49 88EE0B7A
  4A04265A B51AC42D 81752A9E 725D5031 931D3B2A 1A93AA5E 9D5C19E4 49748E83
  DE89B41C 19CB5ABD 2805D96F D3B5A1DA D3F911AC 9BABCF17 CF770A
        quit
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.168.0 192.168.168.20
!
ip dhcp pool my-pool
   import all
   network 192.168.168.0 255.255.255.0
   dns-server 8.8.8.8 8.8.4.4
   default-router 192.168.168.1
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name my.domain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
!
vtp mode transparent
username radmin privilege 15 secret 5 $$$$$$$$$$$$jkjaksjfas
username ruser1 password 0 password1
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group remotegroup
 key myvpnkey
 domain my.domain.com
 pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
!
crypto map dynmap client authentication list remoteusers
crypto map dynmap isakmp authorization list remotegroup
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 64.81.111.18 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map dynmap
!
interface Vlan1
 ip address 192.168.168.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool dynpool 192.168.25.1 192.168.25.5
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 64.81.111.17
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
!
logging trap debugging
access-list 110 deny   ip 192.168.168.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 110 permit ip any any
no cdp run
route-map nonat permit 10
 match ip address 110
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
ok try it:

no ip nat inside source route-map nonat interface FastEthernet4 overload
ip nat inside source list 110 interface FastEthernet4 overload
CTRL+z

write

reload

Author

Commented:
Sorry for not replying to this sooner. After typing the command below (no ip nat inside source route-map nonat interface FastEthernet4 overload), I received an error message. I wasn't sure if I had done something wrong, so I reloaded the router without saving the config. After rebooting the router, I was able to ping and connect to my server(s) using the Cisco VPN Client. The only issue I'm having right now is that I'm unable to browse the internet while connected with the Cisco VPN Client. I would like to be able to use my local ISP's connection for web traffic instead of all my traffic being routed through the VPN tunnel.


myrouter(config)#no ip nat inside source route-map nonat interface FastEthernet4 overload
Dynamic mapping in use, do you want to delete all entries? [no]:
%Error: Dynamic mapping in use, cannot remove

------------------------------------------------------------------

Current Router Config:

  Current configuration : 4520 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$pds/$$1$v5OP$mPuiEQn8UL
!
aaa new-model
!
!
aaa authentication login remoteusers local
aaa authorization network remotegroup local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3646643101
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3646643101
 revocation-check none
 rsakeypair TP-self-signed-3646643101
!
!
crypto pki certificate chain TP-self-signed-3646643101
 certificate self-signed 01
  30820257 308201C0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33363436 36343331 3031301E 170D3130 30363133 31323030
  30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36343636
  34333130 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100EEE1 A5FC25D5 9F804999 33C336B1 7E75512E 327070E0 F8F164A2 0D883A9B
  611929A2 10A36D5D 334B4BDD 47ABD60B B8AF20CC 436CB91D A6CC997D 1383E645
  5EC75C88 F25BE0A3 E465E8D2 AB20583B B2D60DAC 39A413E3 FBACAA3A ECE8EE61
  34C8140C 60852655 CC7C5FEC 78304FDC F875E8D9 3E0CE9C8 C061F745 B8553C91
  DE030203 010001A3 7F307D30 0F060355 1D130101 FF040530 030101FF 302A0603
  551D1104 23302182 1F697379 73383531 2E697379 732E6765 6D696E69 2D737973
  74656D73 2E636F6D 301F0603 551D2304 18301680 1419FA09 D7992944 985DA2E1
  FD664785 928D70D2 47301D06 03551D0E 04160414 19FA09D7 99294498 5DA2E1FD
  66478592 8D70D247 300D0609 2A864886 F70D0101 04050003 8181000A 7B96D819
  1A555E5A CE0D7F6D F0A40AA6 D74BAEDB B6B88F1A 40DD2117 29596326 D14CCBB9
  3922D80E 3C17F954 1F8FF9EE 15BB78F0 CCA06C89 3C7EA8A3 DA503A49 88EE0B7A
  4A04265A B51AC42D 81752A9E 725D5031 931D3B2A 1A93AA5E 9D5C19E4 49748E83
  DE89B41C 19CB5ABD 2805D96F D3B5A1DA D3F911AC 9BABCF17 CF770A
        quit
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.168.0 192.168.168.20
!
ip dhcp pool isys-pool
   import all
   network 192.168.168.0 255.255.255.0
   dns-server 8.8.8.8 8.8.4.4
   default-router 192.168.168.1
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name my.domain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
!
vtp mode transparent
username radmin privilege 15 secret 5 $$$$$$$$$$$$jkjaksjfas
username ruser1 password 0 password1
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group remotegroup
 key myvpnkey
 domain my.domain.com
 pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
!
crypto map dynmap client authentication list remoteusers
crypto map dynmap isakmp authorization list remotegroup
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 64.81.111.18 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map dynmap
!
interface Vlan1
 ip address 192.168.168.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool dynpool 192.168.25.1 192.168.25.5
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 65.209.111.17
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
!
logging trap debugging
access-list 110 deny   ip 192.168.168.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 110 permit ip any any
no cdp run
route-map nonat permit 10
 match ip address 110
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end
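The two points left open in this thread, getting the NAT change applied without the "Dynamic mapping in use" error and letting the VPN client's Internet traffic use its local ISP (split tunneling), as one added IOS configuration example. This is not the poster's config and not Istvan's text; it reuses the names already on the page (`remotegroup`, `dynpool`, `nonat`, access-list 110, FastEthernet4) and assumes a split-tunnel ACL numbered 120, which is my choice. Two checks worth making on the posted config while here: the route-map form already works once ACL 110 exists (the poster reports LAN access after the reload), so replacing it with the `list 110` form is optional; and FastEthernet4 applies `ip access-group 101 in` although no `access-list 101` appears in any of the three configs, and on IOS an access-group that references an undefined ACL permits all traffic, so either define 101 with the intended inbound policy or remove the reference.

```cisco
! --- 1. Replacing the NAT rule ---------------------------------------------
! "Dynamic mapping in use, cannot remove" means active translations still
! reference the route-map rule. Flush them first (this briefly drops
! translated sessions), then remove and re-add the rule in exec/config mode.
clear ip nat translation *
configure terminal
no ip nat inside source route-map nonat interface FastEthernet4 overload
! Equivalent to the route-map form: "deny" in ACL 110 means "do not
! translate" (LAN -> VPN pool stays private), "permit" means PAT out FA4.
ip nat inside source list 110 interface FastEthernet4 overload
!
! --- 2. Split tunneling --------------------------------------------------
! Only the networks matched by this ACL are pushed to the VPN client as
! "go through the tunnel"; everything else leaves via the client's own ISP.
! ACL 120 is an assumed number, not taken from the thread.
access-list 120 permit ip 192.168.168.0 0.0.0.255 192.168.25.0 0.0.0.255
crypto isakmp client configuration group remotegroup
 acl 120
 exit
end
! Save, then reconnect the client so it picks up the new split-tunnel list.
write memory
```

After the client reconnects, `show crypto session` on the router and the "Route Details" tab in the Cisco VPN Client should list only 192.168.168.0/24 as a secured route. The trade-off of split tunneling is that the client's web traffic no longer passes the router, so it is not subject to whatever policy or logging the router applies; decide that per remote-access policy rather than by default.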