!
! Cisco IOS 15.0 running configuration of "mre", a CISCO891-K9 branch router:
! LAN on Vlan1 (192.168.123.0/24) is PAT-translated out of GigabitEthernet0,
! and a pre-shared-key remote-access IPsec service (groups MRE-ADMIN and
! MRE-STAFF) is terminated on Virtual-Template1. The SDM_*/ciscocp_* names and
! $FW_*$ description tags indicate it was largely generated by the CCP/SDM
! wizard. Secrets in this copy are redacted as *** .
!
version 15.0
no service pad
! Detect and drop dead TCP sessions to/from the router (management sessions).
service tcp-keepalives-in
service tcp-keepalives-out
! Millisecond, timezone-qualified timestamps on logs and debugs (aids correlation).
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! NOTE(review): this only applies the reversible type-7 obfuscation to clear-text
! passwords (e.g. the ISAKMP group keys below); it is not a substitute for 'secret'.
service password-encryption
service sequence-numbers
!
hostname mre
!
boot-start-marker
boot-end-marker
!
! Rate-limit failed logins and log each lockout.
security authentication failure rate 3 log
! NOTE(review): a 6-character minimum is a weak floor; consider raising it.
security passwords min-length 6
logging buffered 51200
logging console critical
! Type-5 (MD5-based) enable secret; prefer type 8/9 if the image supports them.
enable secret 5 ***
!
aaa new-model
!
!
! All login authentication and exec/network authorization use the local user
! database; no RADIUS/TACACS+ server is defined in this configuration.
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone Pacific -8
! NOTE(review): the 'date' form pins DST to the specific 2003 dates given, so no
! DST shift is applied in later years and local log timestamps can be an hour
! off; the 'recurring' form tracks DST every year.
clock summer-time Pacific date Apr 6 2003 2:00 Oct 26 2003 2:00
!
! Self-signed certificate, presumably backing 'ip http secure-server' below (IKE
! uses pre-shared keys, so nothing else here needs it). Clients cannot validate
! it against a CA, and revocation checking is disabled.
crypto pki trustpoint TP-self-signed-1507793008
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1507793008
revocation-check none
rsakeypair TP-self-signed-1507793008
!
!
crypto pki certificate chain TP-self-signed-1507793008
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31353037 37393330 3038301E 170D3130 30393037 31373239
30335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35303737
39333030 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C150 094B319F 018EF68A F1173F1E 24011944 344D4F7D 6BC59164 73E9112D
36B74720 02E0F877 055BCB73 68F2D0EE CF5EC1D5 0776AEFC 8321AA11 59B32304
E2C4A11F 91838DB6 560B8798 8C653ECC AE77F524 EAF24827 1422CA93 B2184BA9
14AAD152 8F67B3B7 16397E99 7FA18030 D9513E50 858BC1FE 7963B0A6 633EEF0B
69230203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
301F0603 551D2304 18301680 14327128 E8CF28DF 31A27E83 14AB66C0 CFFD23E6
95301D06 03551D0E 04160414 327128E8 CF28DF31 A27E8314 AB66C0CF FD23E695
300D0609 2A864886 F70D0101 04050003 81810070 106BB7D0 FE00A0F7 3D6593DA
915CD68A 929C7DF1 8054E09F CC287640 B323006B AAAA9710 B242A194 415E5936
C73AF7EB BEF864D8 F2C7C1B1 8A8C53DD D6DBD86B EAC17508 4E42F07A F97612FB
7C761557 4036FE31 2B54940D 54534D8C FCF66911 AE21EA1A D2B41750 B0E0113C
DC933F23 801D6CF5 F5B8A560 AC4DC6C9 EEBB5F
quit
! Discard packets carrying IP source-route options.
no ip source-route
!
!
no ip dhcp use vrf connected
! Keep .1-.127, .186 and .192-.254 out of the pool; the pool below hands out
! the remaining addresses of 192.168.123.0/24.
ip dhcp excluded-address 192.168.123.186
ip dhcp excluded-address 192.168.123.1 192.168.123.127
ip dhcp excluded-address 192.168.123.192 192.168.123.254
!
! LAN DHCP pool. 'import all' copies options learned from an upstream DHCP
! server into this pool; the explicit dns-server is the internal resolver.
! Lease is 0 days 2 hours.
ip dhcp pool ccp-pool1
import all
network 192.168.123.0 255.255.255.0
dns-server 192.168.123.250
default-router 192.168.123.1
domain-name example.com
lease 0 2
!
!
ip cef
no ip bootp server
ip domain name example.com
! The router's own lookups go to a public resolver, not the internal one.
ip name-server 8.8.8.8
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn FHK***
!
!
! Single full-privilege local account; it serves console/vty/HTTP logins and
! (via the local XAUTH list) VPN user authentication.
username admin privilege 15 secret 5 ***
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
! NOTE(review): 'ip ssh version 2' is not set in this configuration; confirm
! that SSHv1 cannot be negotiated.
!
! Inspect class-maps for AH/ESP. No policy-map or zone-pair referencing them
! appears in this configuration, so they look unused (wizard leftovers).
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
!
!
!
! IKEv1 phase 1: 3DES, pre-shared keys, DH group 2; hash and lifetime are left
! at their defaults. NOTE(review): 3DES and group 2 are legacy-strength; prefer
! AES and group 14 or higher once the remote clients support them.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
! Remote-access group for admins: up to 6 clients addressed from SDM_POOL_1
! (.129-.134); ACL 101 is the split-tunnel list (only LAN traffic is tunnelled).
! 'key' is the group pre-shared key (redacted).
crypto isakmp client configuration group MRE-ADMIN
key ***
dns 192.168.123.250
domain example.com
pool SDM_POOL_1
acl 101
max-users 6
netmask 255.255.255.0
!
! Remote-access group for staff: up to 30 clients from SDM_POOL_2 (.129-.158).
! NOTE(review): ACL 102 is identical to ACL 101, so ADMIN and STAFF get the same
! tunnelled reachability; only the pool (and hence vty access via ACL 3) differs.
crypto isakmp client configuration group MRE-STAFF
key ***
dns 192.168.123.250
domain example.com
pool SDM_POOL_2
acl 102
max-users 30
netmask 255.255.255.224
! Binds both groups to XAUTH (local users) and group authorization, and
! terminates their sessions on Virtual-Template1.
crypto isakmp profile ciscocp-ike-profile-1
match identity group MRE-ADMIN
match identity group MRE-STAFF
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
! Phase 2: 3DES with SHA-1 HMAC (same legacy-strength note as the ISAKMP policy).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! IPsec profile for the virtual template; SAs idle for 15 minutes are torn down.
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 900
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
! Source address for the unnumbered VPN virtual-template below.
! NOTE(review): 1.1.1.0/24 is publicly routed address space; unless this is a
! redaction artefact, use RFC 1918 or assigned space for the loopback.
interface Loopback0
description $FW_INSIDE$
ip address 1.1.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
!
interface Null0
no ip unreachables
!
! Fa0-Fa7 are the built-in switch ports (default Vlan1 membership); no per-port
! security is configured on them.
interface FastEthernet0
spanning-tree portfast
!
!
interface FastEthernet1
spanning-tree portfast
!
!
interface FastEthernet2
spanning-tree portfast
!
!
! Fa3 lacks the portfast setting its siblings have; probably an oversight.
interface FastEthernet3
!
!
interface FastEthernet4
spanning-tree portfast
!
!
interface FastEthernet5
spanning-tree portfast
!
!
interface FastEthernet6
spanning-tree portfast
!
!
interface FastEthernet7
spanning-tree portfast
!
!
! Routed port with no address; not in use for forwarding in this configuration.
interface FastEthernet8
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
!
!
! Per-client tunnel interfaces are cloned from this template.
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
! WAN / NAT outside. NOTE(review): no inbound 'ip access-group' and no
! zone-based policy is applied here despite the $FW_OUTSIDE$ tag, so the
! router's own services (HTTP/HTTPS, telnet/SSH on vty 5-15) are reachable
! from the Internet unless something outside this file filters them.
interface GigabitEthernet0
description ***Upstream to Internet***$ETH-WAN$$FW_OUTSIDE$
ip address 111.111.111.111 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex full
speed 10
no cdp enable
!
!
! LAN / NAT inside. The 1492 MTU and 1452 MSS clamp suggest a PPPoE-sized
! upstream path (assumption; confirm with the ISP link type).
interface Vlan1
description *** Local Network ***$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
ip address 192.168.123.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
load-interval 30
!
!
! Async interface behind the modem on 'line 1' below; SLIP with no address.
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
!
! Address pools for the two VPN groups (sizes match their max-users).
ip local pool SDM_POOL_2 192.168.128.129 192.168.128.158
ip local pool SDM_POOL_1 192.168.129.129 192.168.129.134
ip forward-protocol nd
! NOTE(review): plain-text HTTP management is enabled alongside HTTPS, and no
! 'ip http access-class' restricts either; consider 'no ip http server' and an
! access-class limited to the management network.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
! PAT everything selected by route-map NONAT (ACL 150) to the WAN address.
ip nat inside source route-map NONAT interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 111.111.111.110
!
! Match lists for the inspect class-maps above (unused in this configuration).
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
!
! NOTE(review): trap level 'debugging' is very verbose, and no 'logging host'
! appears in this configuration, so syslog export may not be happening at all.
logging trap debugging
! ACL 1: LAN subnet (CCP bookkeeping; not referenced by any command here).
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.123.0 0.0.0.255
! ACL 3: sources allowed onto the vty lines - the LAN and the ADMIN VPN pool.
! NOTE(review): the 192.168.129.0/24 entry already covers the /29 pool entry
! and is broader than any pool defined here; the STAFF pool is absent,
! presumably by design.
access-list 3 permit 192.168.123.0 0.0.0.255
access-list 3 permit 192.168.129.128 0.0.0.7
access-list 3 permit 192.168.129.0 0.0.0.255
! ACLs 101/102: split-tunnel lists pushed to the VPN groups (LAN subnet only).
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.123.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 192.168.123.0 0.0.0.255 any
! ACL 150: NAT candidates - the LAN and both VPN pools.
access-list 150 permit ip 192.168.123.0 0.0.0.255 any
access-list 150 permit ip 192.168.128.128 0.0.0.31 any
access-list 150 permit ip 192.168.129.128 0.0.0.7 any
!
!
!
!
route-map NONAT permit 10
description *** NAT Address Translation Rule List ***
match ip address 150
!
!
!
! NOTE(review): no control-plane policing policy is attached.
control-plane
!
line con 0
logging synchronous
transport output telnet
! Dial-in/dial-out modem on the async line (Async1 above).
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
! vty 0-4 accept connections only from ACL 3 sources.
! NOTE(review): telnet is still accepted; prefer 'transport input ssh'.
line vty 0 4
access-class 3 in
logging synchronous
transport input telnet ssh
! NOTE(review): vty 5-15 carry no 'access-class', so once vty 0-4 are in use
! these lines accept telnet/SSH from any source, including the WAN. Apply
! 'access-class 3 in' here as well.
line vty 5 15
logging synchronous
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
! Copy NTP-derived time into the hardware calendar.
ntp update-calendar
! NOTE(review): no 'ntp authenticate' or 'ntp access-group' appears here, so the
! time sources are unauthenticated and the router may answer NTP queries from
! any peer.
ntp server 17.151.16.20 prefer source GigabitEthernet0
ntp server 17.151.16.21 source GigabitEthernet0
ntp server 17.151.16.22 source GigabitEthernet0
ntp server 17.151.16.23 source GigabitEthernet0
end
!
! NOTE(review): this block repeats the configuration above verbatim (a duplicated
! paste); keep a single copy so the two cannot drift apart.
!
! Cisco IOS 15.0 running configuration of "mre", a CISCO891-K9 branch router:
! LAN on Vlan1 (192.168.123.0/24) is PAT-translated out of GigabitEthernet0,
! and a pre-shared-key remote-access IPsec service (groups MRE-ADMIN and
! MRE-STAFF) is terminated on Virtual-Template1. The SDM_*/ciscocp_* names and
! $FW_*$ description tags indicate it was largely generated by the CCP/SDM
! wizard. Secrets in this copy are redacted as *** .
!
version 15.0
no service pad
! Detect and drop dead TCP sessions to/from the router (management sessions).
service tcp-keepalives-in
service tcp-keepalives-out
! Millisecond, timezone-qualified timestamps on logs and debugs (aids correlation).
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! NOTE(review): this only applies the reversible type-7 obfuscation to clear-text
! passwords (e.g. the ISAKMP group keys below); it is not a substitute for 'secret'.
service password-encryption
service sequence-numbers
!
hostname mre
!
boot-start-marker
boot-end-marker
!
! Rate-limit failed logins and log each lockout.
security authentication failure rate 3 log
! NOTE(review): a 6-character minimum is a weak floor; consider raising it.
security passwords min-length 6
logging buffered 51200
logging console critical
! Type-5 (MD5-based) enable secret; prefer type 8/9 if the image supports them.
enable secret 5 ***
!
aaa new-model
!
!
! All login authentication and exec/network authorization use the local user
! database; no RADIUS/TACACS+ server is defined in this configuration.
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone Pacific -8
! NOTE(review): the 'date' form pins DST to the specific 2003 dates given, so no
! DST shift is applied in later years and local log timestamps can be an hour
! off; the 'recurring' form tracks DST every year.
clock summer-time Pacific date Apr 6 2003 2:00 Oct 26 2003 2:00
!
! Self-signed certificate, presumably backing 'ip http secure-server' below (IKE
! uses pre-shared keys, so nothing else here needs it). Clients cannot validate
! it against a CA, and revocation checking is disabled.
crypto pki trustpoint TP-self-signed-1507793008
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1507793008
revocation-check none
rsakeypair TP-self-signed-1507793008
!
!
crypto pki certificate chain TP-self-signed-1507793008
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31353037 37393330 3038301E 170D3130 30393037 31373239
30335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35303737
39333030 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C150 094B319F 018EF68A F1173F1E 24011944 344D4F7D 6BC59164 73E9112D
36B74720 02E0F877 055BCB73 68F2D0EE CF5EC1D5 0776AEFC 8321AA11 59B32304
E2C4A11F 91838DB6 560B8798 8C653ECC AE77F524 EAF24827 1422CA93 B2184BA9
14AAD152 8F67B3B7 16397E99 7FA18030 D9513E50 858BC1FE 7963B0A6 633EEF0B
69230203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
301F0603 551D2304 18301680 14327128 E8CF28DF 31A27E83 14AB66C0 CFFD23E6
95301D06 03551D0E 04160414 327128E8 CF28DF31 A27E8314 AB66C0CF FD23E695
300D0609 2A864886 F70D0101 04050003 81810070 106BB7D0 FE00A0F7 3D6593DA
915CD68A 929C7DF1 8054E09F CC287640 B323006B AAAA9710 B242A194 415E5936
C73AF7EB BEF864D8 F2C7C1B1 8A8C53DD D6DBD86B EAC17508 4E42F07A F97612FB
7C761557 4036FE31 2B54940D 54534D8C FCF66911 AE21EA1A D2B41750 B0E0113C
DC933F23 801D6CF5 F5B8A560 AC4DC6C9 EEBB5F
quit
! Discard packets carrying IP source-route options.
no ip source-route
!
!
no ip dhcp use vrf connected
! Keep .1-.127, .186 and .192-.254 out of the pool; the pool below hands out
! the remaining addresses of 192.168.123.0/24.
ip dhcp excluded-address 192.168.123.186
ip dhcp excluded-address 192.168.123.1 192.168.123.127
ip dhcp excluded-address 192.168.123.192 192.168.123.254
!
! LAN DHCP pool. 'import all' copies options learned from an upstream DHCP
! server into this pool; the explicit dns-server is the internal resolver.
! Lease is 0 days 2 hours.
ip dhcp pool ccp-pool1
import all
network 192.168.123.0 255.255.255.0
dns-server 192.168.123.250
default-router 192.168.123.1
domain-name example.com
lease 0 2
!
!
ip cef
no ip bootp server
ip domain name example.com
! The router's own lookups go to a public resolver, not the internal one.
ip name-server 8.8.8.8
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn FHK***
!
!
! Single full-privilege local account; it serves console/vty/HTTP logins and
! (via the local XAUTH list) VPN user authentication.
username admin privilege 15 secret 5 ***
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
! NOTE(review): 'ip ssh version 2' is not set in this configuration; confirm
! that SSHv1 cannot be negotiated.
!
! Inspect class-maps for AH/ESP. No policy-map or zone-pair referencing them
! appears in this configuration, so they look unused (wizard leftovers).
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
!
!
!
! IKEv1 phase 1: 3DES, pre-shared keys, DH group 2; hash and lifetime are left
! at their defaults. NOTE(review): 3DES and group 2 are legacy-strength; prefer
! AES and group 14 or higher once the remote clients support them.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
! Remote-access group for admins: up to 6 clients addressed from SDM_POOL_1
! (.129-.134); ACL 101 is the split-tunnel list (only LAN traffic is tunnelled).
! 'key' is the group pre-shared key (redacted).
crypto isakmp client configuration group MRE-ADMIN
key ***
dns 192.168.123.250
domain example.com
pool SDM_POOL_1
acl 101
max-users 6
netmask 255.255.255.0
!
! Remote-access group for staff: up to 30 clients from SDM_POOL_2 (.129-.158).
! NOTE(review): ACL 102 is identical to ACL 101, so ADMIN and STAFF get the same
! tunnelled reachability; only the pool (and hence vty access via ACL 3) differs.
crypto isakmp client configuration group MRE-STAFF
key ***
dns 192.168.123.250
domain example.com
pool SDM_POOL_2
acl 102
max-users 30
netmask 255.255.255.224
! Binds both groups to XAUTH (local users) and group authorization, and
! terminates their sessions on Virtual-Template1.
crypto isakmp profile ciscocp-ike-profile-1
match identity group MRE-ADMIN
match identity group MRE-STAFF
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
! Phase 2: 3DES with SHA-1 HMAC (same legacy-strength note as the ISAKMP policy).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! IPsec profile for the virtual template; SAs idle for 15 minutes are torn down.
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 900
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
! Source address for the unnumbered VPN virtual-template below.
! NOTE(review): 1.1.1.0/24 is publicly routed address space; unless this is a
! redaction artefact, use RFC 1918 or assigned space for the loopback.
interface Loopback0
description $FW_INSIDE$
ip address 1.1.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
!
interface Null0
no ip unreachables
!
! Fa0-Fa7 are the built-in switch ports (default Vlan1 membership); no per-port
! security is configured on them.
interface FastEthernet0
spanning-tree portfast
!
!
interface FastEthernet1
spanning-tree portfast
!
!
interface FastEthernet2
spanning-tree portfast
!
!
! Fa3 lacks the portfast setting its siblings have; probably an oversight.
interface FastEthernet3
!
!
interface FastEthernet4
spanning-tree portfast
!
!
interface FastEthernet5
spanning-tree portfast
!
!
interface FastEthernet6
spanning-tree portfast
!
!
interface FastEthernet7
spanning-tree portfast
!
!
! Routed port with no address; not in use for forwarding in this configuration.
interface FastEthernet8
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
!
!
! Per-client tunnel interfaces are cloned from this template.
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
! WAN / NAT outside. NOTE(review): no inbound 'ip access-group' and no
! zone-based policy is applied here despite the $FW_OUTSIDE$ tag, so the
! router's own services (HTTP/HTTPS, telnet/SSH on vty 5-15) are reachable
! from the Internet unless something outside this file filters them.
interface GigabitEthernet0
description ***Upstream to Internet***$ETH-WAN$$FW_OUTSIDE$
ip address 111.111.111.111 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex full
speed 10
no cdp enable
!
!
! LAN / NAT inside. The 1492 MTU and 1452 MSS clamp suggest a PPPoE-sized
! upstream path (assumption; confirm with the ISP link type).
interface Vlan1
description *** Local Network ***$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
ip address 192.168.123.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
load-interval 30
!
!
! Async interface behind the modem on 'line 1' below; SLIP with no address.
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
!
! Address pools for the two VPN groups (sizes match their max-users).
ip local pool SDM_POOL_2 192.168.128.129 192.168.128.158
ip local pool SDM_POOL_1 192.168.129.129 192.168.129.134
ip forward-protocol nd
! NOTE(review): plain-text HTTP management is enabled alongside HTTPS, and no
! 'ip http access-class' restricts either; consider 'no ip http server' and an
! access-class limited to the management network.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
! PAT everything selected by route-map NONAT (ACL 150) to the WAN address.
ip nat inside source route-map NONAT interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 111.111.111.110
!
! Match lists for the inspect class-maps above (unused in this configuration).
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
!
! NOTE(review): trap level 'debugging' is very verbose, and no 'logging host'
! appears in this configuration, so syslog export may not be happening at all.
logging trap debugging
! ACL 1: LAN subnet (CCP bookkeeping; not referenced by any command here).
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.123.0 0.0.0.255
! ACL 3: sources allowed onto the vty lines - the LAN and the ADMIN VPN pool.
! NOTE(review): the 192.168.129.0/24 entry already covers the /29 pool entry
! and is broader than any pool defined here; the STAFF pool is absent,
! presumably by design.
access-list 3 permit 192.168.123.0 0.0.0.255
access-list 3 permit 192.168.129.128 0.0.0.7
access-list 3 permit 192.168.129.0 0.0.0.255
! ACLs 101/102: split-tunnel lists pushed to the VPN groups (LAN subnet only).
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.123.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 192.168.123.0 0.0.0.255 any
! ACL 150: NAT candidates - the LAN and both VPN pools.
access-list 150 permit ip 192.168.123.0 0.0.0.255 any
access-list 150 permit ip 192.168.128.128 0.0.0.31 any
access-list 150 permit ip 192.168.129.128 0.0.0.7 any
!
!
!
!
route-map NONAT permit 10
description *** NAT Address Translation Rule List ***
match ip address 150
!
!
!
! NOTE(review): no control-plane policing policy is attached.
control-plane
!
line con 0
logging synchronous
transport output telnet
! Dial-in/dial-out modem on the async line (Async1 above).
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
! vty 0-4 accept connections only from ACL 3 sources.
! NOTE(review): telnet is still accepted; prefer 'transport input ssh'.
line vty 0 4
access-class 3 in
logging synchronous
transport input telnet ssh
! NOTE(review): vty 5-15 carry no 'access-class', so once vty 0-4 are in use
! these lines accept telnet/SSH from any source, including the WAN. Apply
! 'access-class 3 in' here as well.
line vty 5 15
logging synchronous
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
! Copy NTP-derived time into the hardware calendar.
ntp update-calendar
! NOTE(review): no 'ntp authenticate' or 'ntp access-group' appears here, so the
! time sources are unauthenticated and the router may answer NTP queries from
! any peer.
ntp server 17.151.16.20 prefer source GigabitEthernet0
ntp server 17.151.16.21 source GigabitEthernet0
ntp server 17.151.16.22 source GigabitEthernet0
ntp server 17.151.16.23 source GigabitEthernet0
end