Cisco 1841 - VPNPool - Change network addresses

Hi Experts,

I have a Cisco 1841 router supplying the VPN connection for my organization. Currently, the VPNPool is assigned addresses 192.168.2.50 through 192.168.2.100. However, we are running out of addresses and I cannot expand it any further within the 192.168.2.0/24 network. I did try changing the VPNPool to 192.168.20.100 through 192.168.20.150; however, when I did, the end users (PPTP connections) were able to connect to the VPN and get the proper address and DNS server, but they were unable to access any of the local resources on the 192.168.2.0/24 network. I believe it was due to the access-list, but ACLs are not my strong point. Does something need to be added to allow traffic from the 192.168.20.0/24 network?

Here is the config for VPN:

interface Virtual-Template1
 ip unnumbered Serial0/1/0.531
 peer default ip address pool VPNpool
 ppp max-bad-auth 3
 ppp authentication ms-chap-v2
!



ip local pool VPNpool 192.168.2.50 192.168.2.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 146.xxx.xxx.xxx
ip route 10.255.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.6 255.255.255.255 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 192.168.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 192.168.5.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAN for remote site -->
ip route 192.168.6.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAN for remote site -->
ip route 192.168.7.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAN for remote site -->
ip route 192.168.8.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAN for remote site -->
!


access-list 125 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 125 permit ip 192.168.2.0 0.0.0.255 any
access-list 171 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 172 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 173 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 174 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 176 permit ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 177 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255

Thanks!
RLComputing Asked:
mpinaiatisw Commented:
Hello - I believe we need more information to troubleshoot your problem. Can you send us more of the config? Are you running NAT on this router? If so, it's possible that your device is NATing traffic bound to the 192.168.20.x network from the 192.168.2.x network. It'd be helpful to get more of your config, particularly the interfaces, NAT config, and crypto config, since the ACLs aren't labeled.
John Meggers (Network Architect) Commented:
Can't see where your ACLs are applied, so that's part of the equation, but in general if you want to allow 192.168.20.x users to get to resources on 192.168.2.0/24, you would configure:

access-list yyy permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255

Where you apply this depends on your topology.  I don't see anything in the ACLs you listed that would block traffic destined for 192.168.2.0; your ACLs permit traffic if 192.168.2.0 is the source, not the destination.  The syntax for ACLs is:

access-list zzz permit ip <source> <wildcard mask> <destination> <wildcard mask>

Be careful that your new subnet (192.168.20.0) gets injected into the routing somewhere, otherwise hosts that need to send traffic back to 192.168.20.0 won't know where to send it.  This can be done through static routes, reverse route injection, etc.
RLComputing (Author) Commented:
Sorry about that. The full config is below. Here are the main devices:

Cisco 1841 - 192.168.2.1 (VPN and RADIUS)
Windows Server 2003 with IAS - 192.168.2.28
DNS - 192.168.2.28


version 12.4
<!------->
aaa group server radius primary
 server 192.168.2.28 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login DOMAIN local
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network default group radius if-authenticated
!
aaa session-id common
clock timezone EDT -5
ip cef
!
!
!
!
ip domain name xxxxx.com
ip name-server 192.168.2.28
ip inspect name DOMAIN-FW http
ip inspect name DOMAIN-FW https
ip inspect name DOMAIN-FW ftp
ip inspect name DOMAIN-FW realaudio
ip inspect name DOMAIN-FW smtp
ip inspect name DOMAIN-FW tcp
ip inspect name DOMAIN-FW udp
ip inspect name DOMAIN-FW rcmd
ip inspect name DOMAIN-FW tftp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
crypto pki trustpoint TP-self-signed-XXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-XXXX
 revocation-check none
 rsakeypair TP-self-signed-XXXX
!
!
<!--User Accounts -->
!
!
!
class-map match-any VOIP-Stream
 match access-group 100
class-map match-any VOIP-MAnagement
 match access-group 102
class-map match-any VOIP-Control
 match access-group 101
!
!
policy-map WAN-QOS
 class VOIP-Stream
  priority percent 75
  set dscp ef
 class VOIP-Control
  priority percent 15
  set dscp af41
 class VOIP-MAnagement
  priority percent 9
  set dscp af21
 class class-default
  fair-queue
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
crypto isakmp key cisco200 address 72.XXX.XXX.XXX
crypto isakmp key cisco200 address 72.XXX.XXX.XXX
crypto isakmp key cisco200 address 67.XXX.XXX.XXX
crypto isakmp key cisco200 address 72.XXX.XXX.XXX
crypto isakmp key cisco200 address 208.XXX.XXX.XXX
!
!
crypto ipsec transform-set trans171 XXXXX
crypto ipsec transform-set trans174 XXXXX
!
crypto map mymap 1 ipsec-isakmp
 set peer 67.XXX.XXX.XXX
 set transform-set trans171
 match address 171
crypto map mymap 2 ipsec-isakmp
 set peer 72.XXX.XXX.XXX
crypto map mymap 3 ipsec-isakmp
 set peer 208.XXX.XXX.XXX
 set transform-set trans171
 match address 173
crypto map mymap 4 ipsec-isakmp
 set peer 67.XXX.XXX.XXX
 set transform-set trans174
 match address 174
crypto map mymap 5 ipsec-isakmp
 set peer 72.XXX.XXX.XXX
 set transform-set trans171
 match address 175
crypto map mymap 6 ipsec-isakmp
 set peer 72.XXX.XXX.XXX
 set transform-set trans171
 match address 176
crypto map mymap 7 ipsec-isakmp
 set peer 208.XXX.XXX.XXX
 set transform-set trans171
 match address 177
!
!
!
interface Loopback0
 ip address 4.0.0.40 255.255.255.255
!
interface Loopback1
 ip address 10.255.0.40 255.255.255.255
!
interface Tunnel0
 description Tunnel to Remote Site #1
 bandwidth 400
 ip address 10.xxx.xxx.xxx 255.255.255.252
 ip mtu 1390
 ip route-cache flow
 tunnel source Serial0/1/0.531
 tunnel destination 208.xxx.xxx.xxx
 tunnel key XXXXXXX
!


interface FastEthernet0/0
 description <<Choice One Internet>>
 ip address 10.XXX.XXX.XXX 255.255.255.0
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 speed 100
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 description << LAN >>
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Serial0/1/0
 description Connection to GBLX Cloud
 no ip address
 ip virtual-reassembly
 encapsulation frame-relay IETF
 no ip route-cache cef
 no ip route-cache
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
 frame-relay lmi-type ansi
!
interface Serial0/1/0.16 point-to-point
 description Connection to GBLX MPLS
 ip address 67.XXX.XXX.XXXX 255.255.255.252
 no ip route-cache
 no cdp enable
 frame-relay interface-dlci 16
  class VOIP-CLASS
!
interface Serial0/1/0.531 point-to-point
 description Connection to DIA
 ip address 146.XXX.XXX.XXX 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 no ip route-cache
 no cdp enable
 frame-relay interface-dlci 552
  class Data-CLASS
 crypto map mymap
!
interface Virtual-Template1
 ip unnumbered Serial0/1/0.531
 peer default ip address pool VPNpool
 ppp max-bad-auth 3
 ppp authentication ms-chap-v2
!
router eigrp 500
 network 10.XXX.XXX.XX 0.0.0.255
 network 192.168.2.0
 no auto-summary
 eigrp stub connected summary
!
router bgp 60040
 no synchronization
 bgp log-neighbor-changes
 network 10.XXX.XXX.XXX
 network 192.168.0.0
 aggregate-address 10.XXX.XXX.XXX 255.255.255.255
 aggregate-address 10.XXX.XXX.XXX 255.255.255.0
 aggregate-address 192.168.2.0 255.255.255.0
 redistribute connected
 neighbor 67.xxx.xxx.xxx remote-as 6745
 neighbor 67.xxx.xxx.xxx description OSN->GlobalX
 neighbor 67.xxx.xxx.xxx version 4
 neighbor 67.xxx.xxx.xxx soft-reconfiguration inbound
 no auto-summary
!
ip local pool VPNpool 192.168.2.50 192.168.2.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 146.xxx.xxx.xxx
ip route 10.255.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.6 255.255.255.255 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 192.168.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 192.168.5.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAN for remote site -->
ip route 192.168.6.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAN for remote site -->
ip route 192.168.7.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAN for remote site -->
ip route 192.168.8.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAN for remote site -->
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface Serial0/1/0.531 overload
ip nat inside source static tcp 192.168.2.20 25 146.xxx.xxx.xxxx 25 extendable
!
!
map-class frame-relay VOIP-CLASS
 frame-relay cir 1024000
 frame-relay bc 10240
 frame-relay be 0
 frame-relay mincir 1024000
 frame-relay interface-queue fair queue-limit 32
 frame-relay interface-queue priority high
 service-policy output WAN-QOS
!
map-class frame-relay Data-CLASS
 frame-relay cir 512000
 frame-relay bc 5120
 frame-relay be 5120
 frame-relay mincir 512000
 frame-relay fair-queue
 frame-relay interface-queue fair queue-limit 32
 frame-relay interface-queue priority low
logging trap debugging
logging 192.168.2.27
access-list 100 remark ****MArk VOIP RTP streaming Traffic (LLQ)
access-list 100 permit udp any any range 16384 32768
access-list 100 permit udp 10.255.0.0 0.0.255.255 64.xx.xx.0 0.0.0.255
access-list 101 remark MArk ****MGCP/Skinny/H.323 VOIP signaling traffic (CBWFQ)
access-list 101 permit udp any any eq 2727
access-list 101 permit tcp any any eq 2727
access-list 101 permit udp any any eq 2427
access-list 101 permit tcp any any eq 2427
access-list 101 permit udp any any eq 2428
access-list 101 permit tcp any any eq 2428
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any range 2000 2002
access-list 101 permit tcp any any range 11000 11999
access-list 101 remark Mark ****IAX/IAX2/SIP VOIP signaling traffic
access-list 101 permit udp any any eq 4569
access-list 101 permit udp any any range 5060 5069
access-list 101 permit udp any any range 5070 5079
access-list 101 permit udp any any range 5080 5099
access-list 102 remark Mark ****Client Endpoints --> NOC/Management Servers (CBWFQ-AF21)
access-list 102 permit tcp any 64.xxx.xxx.0 0.0.0.255
access-list 102 permit udp any 64.xxx.xxx.0 0.0.0.255
access-list 102 permit tcp any 172.xxx.xxx0 0.0.0.255
access-list 102 permit udp any 172.xxx.xxx0 0.0.0.255
access-list 102 permit tcp any 172.xxx.xxx.0 0.0.0.255
access-list 102 permit udp any 172.xxx.xxx.0 0.0.0.255
access-list 125 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 125 permit ip 192.168.2.0 0.0.0.255 any
access-list 171 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 172 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 173 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 174 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 176 permit ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 177 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
snmp-server community monitoring RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server enable traps syslog
!
route-map nonat permit 10
 match ip address 125
!
!
!
radius-server host 192.168.2.28 auth-port 1645 acct-port 1646
radius-server key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
control-plane
!
!
banner login ^CCC
Warning !!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel.  Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide
the results of such monitoring to appropriate officials.
^C
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 login authentication SASi
 transport input ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178389
ntp server 132.236.56.250
end

RLComputing (Author) Commented:
Forgot to mention, when I did change the VPNPool to 192.168.20.0 network, I added the following to the config:

ip route 192.168.20.0 255.255.255.0 146.xxx.xxx.xxx
John Meggers (Network Architect) Commented:
Does the 192.168.20.0 pool exist over on the other device, reachable by 146.xxx.xxx.xxx?
RLComputing (Author) Commented:
What would you be referring by the other device? The 146.xxx.xxx.xxx is our ISP default gateway.
mpinaiatisw Commented:
The issue is with NAT it looks like. Your ACL should look like this (order DOES matter)

access-list 125 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 125 deny ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 125 permit ip 192.168.2.0 0.0.0.255 any
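
As an added worked check (not part of the thread): the evaluator below applies Cisco wildcard-mask matching with first-match semantics to ACL 125 exactly as posted, original and patched, and reports whether route-map nonat would translate a given flow; the flow addresses are constructed, and it also lists entries that an earlier line shadows. Because the wildcard 0.0.255.255 on the first deny already covers every 192.168.x.x destination, 192.168.20.0/24 included, the LAN-to-pool flow is excluded from NAT under both versions, and a VPN client as the source matches no line at all, which is the source-versus-destination point made above.

```python
"""Evaluate a Cisco IOS numbered IP ACL the way this router's
'route-map nonat permit 10 / match ip address 125' uses it: first matching
entry wins, implicit deny at the end, and NAT happens only on 'permit'."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: int      # source network as a 32-bit int
    src_wc: int   # source wildcard mask (1 bits = don't care)
    dst: int
    dst_wc: int

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def wildcard_match(addr: int, network: int, wildcard: int) -> bool:
    """Cisco wildcard semantics: compare only the bits that are 0 in the mask."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (network & care)

def _take_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2

def parse_acl(text: str, number: int) -> list:
    """Keep the 'access-list <number> permit|deny ip ...' entries of one list, in order."""
    aces = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 6 or t[:2] != ["access-list", str(number)] or t[3] != "ip":
            continue  # other lists, remarks and tcp/udp entries are out of scope here
        src, src_wc, i = _take_addr(t, 4)
        dst, dst_wc, _ = _take_addr(t, i)
        aces.append(Ace(t[2], src, src_wc, dst, dst_wc))
    return aces

def evaluate(aces, src_ip: str, dst_ip: str):
    """Return (action, index) of the first matching entry; index -1 is the implicit deny."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for idx, a in enumerate(aces):
        if wildcard_match(s, a.src, a.src_wc) and wildcard_match(d, a.dst, a.dst_wc):
            return a.action, idx
    return "deny", -1

def nat_applies(aces, src_ip: str, dst_ip: str) -> bool:
    """The route-map translates a flow only when ACL 125 permits it."""
    return evaluate(aces, src_ip, dst_ip)[0] == "permit"

def _covers(net_a, wc_a, net_b, wc_b) -> bool:
    """True if every address matching (net_b, wc_b) also matches (net_a, wc_a)."""
    care_a, care_b = ~wc_a & 0xFFFFFFFF, ~wc_b & 0xFFFFFFFF
    return (care_a & ~care_b) == 0 and (net_b & care_a) == (net_a & care_a)

def shadowed_entries(aces) -> list:
    """Indices of entries that can never match because an earlier entry covers them."""
    return [j for j, b in enumerate(aces)
            if any(_covers(a.src, a.src_wc, b.src, b.src_wc) and
                   _covers(a.dst, a.dst_wc, b.dst, b.dst_wc) for a in aces[:j])]

# ACL 125 as posted: the original two lines, then the version from the answer above.
ORIGINAL_ACL = """
access-list 125 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 125 permit ip 192.168.2.0 0.0.0.255 any
"""
PATCHED_ACL = """
access-list 125 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 125 deny ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 125 permit ip 192.168.2.0 0.0.0.255 any
"""

if __name__ == "__main__":
    # Constructed flows: the LAN server to an internet host, and to a client in the new pool.
    for name, text in (("original", ORIGINAL_ACL), ("patched", PATCHED_ACL)):
        acl = parse_acl(text, 125)
        for dst in ("203.0.113.10", "192.168.20.105"):
            hit = evaluate(acl, "192.168.2.28", dst)
            print(name, "192.168.2.28 ->", dst, hit, "NAT" if hit[0] == "permit" else "no NAT")
        print(name, "shadowed entries:", shadowed_entries(acl))
```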

mpinaiatisw Commented:
I should also mention that if you're not familiar with access-lists... and depending on what version of IOS you're on, you can do this:

conf t
ip access-list extended 125
5 deny ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
!
end
!

Also... please remember you need to clear your NAT translations, since there may be NAT translations still in existence from traffic attempting to hit the 192.168.20.x network. If you're OK with clearing all NAT translations (which will also clear your NAT translations to other destinations on the internet, which may reset TCP sessions, etc.), from the enable prompt you can run:

clear ip nat translation *

RLComputing (Author) Commented:
Thank you. I will have to make these changes this evening and see how it goes. In the meantime, I'm going to read up on ACLs :)