mvalpreda

join:2006-07-20
Laguna Niguel, CA

[HELP] ISR 891 - Unable to connect to inside hosts via VPN

I am able to connect to my Cisco ISR 891 via VPN with the Cisco VPN Client 5.0.07.0440, but once connected I cannot access hosts on the inside. If I ping a host on the inside by name, nothing resolves. If I ping by IP, I get a reply from the public IP of the router. Sure I am missing something simple. Thanks!

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXX
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 XXX
enable password 7 XXX
!
aaa new-model
!
aaa authentication login vpnuserauth group radius local
aaa authorization network XXXVPN local
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3003131779
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3003131779
revocation-check none
rsakeypair TP-self-signed-3003131779
!
crypto pki certificate chain TP-self-signed-3003131779
certificate self-signed 01
quit
no ip source-route
!
ip domain name xxxx.local
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO891-K9 sn XXXX
!
username XXX privilege 15 secret 5 XXXX
!
ip ssh version 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group XXXVPN
key XXXVPNKEY
dns 192.168.77.25 8.8.8.8
domain xxxx.local
pool VPNPOOL
acl SPLIT-TUNNEL
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set 3DES-SHA
reverse-route
!
crypto map CRYPTO-OUTSIDE client authentication list vpnuserauth
crypto map CRYPTO-OUTSIDE isakmp authorization list XXXVPN
crypto map CRYPTO-OUTSIDE client configuration address respond
crypto map CRYPTO-OUTSIDE 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0
no ip address
spanning-tree portfast
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
no ip address
shutdown
!
interface FastEthernet5
no ip address
shutdown
!
interface FastEthernet6
no ip address
shutdown
!
interface FastEthernet7
no ip address
shutdown
!
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map CRYPTO-OUTSIDE
!
interface Vlan1
ip address 192.168.77.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async1
no ip address
encapsulation slip
!
ip local pool VPNPOOL 192.168.100.100 192.168.100.150
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 XXXX 254
!
ip access-list extended NAT
permit ip 192.168.77.0 0.0.0.255 any
ip access-list extended SPLIT-TUNNEL
permit ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255
!
ip radius source-interface Vlan1
access-list 1 permit 192.168.77.0 0.0.0.255
!
snmp-server community mdv RO
radius-server host 192.168.77.27 key 7 XXXX
!
control-plane
!
mgcp profile default
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
password 7 XXXX
transport input telnet ssh
!
scheduler max-task-time 5000
end


OVERKILL

join:2010-04-05
Peterborough, ON
Where is your route map?

ladino

join:2001-02-24
USA
kudos:1
Try changing your NAT statement for ACL 1 to an extended ACL, e.g. ACL 101 as below, & deny NAT from LAN to VPN hosts

access-list 101 deny ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 192.168.77.0 0.0.0.255 any

mvalpreda

join:2006-07-20
Laguna Niguel, CA
I'm not sure what you are saying I should change or get rid of.

I did
no access-list 1 permit 192.168.77.0 0.0.0.255
access-list 101 deny ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 192.168.77.0 0.0.0.255 any

And still got a reply from the public IP when I ping an inside host.

ladino

join:2001-02-24
USA
kudos:1
reply to mvalpreda
In addition to the ACL change, you also need to replace your NAT statement using the below commands & try it again
clear ip nat translation *
no ip nat inside source list 1 interface GigabitEthernet0 overload
ip nat inside source list 101 interface GigabitEthernet0 overload
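As an added example for this thread (not code from any of the posters or from Cisco), the script below lints an IOS configuration for the two conditions the replies turn on: the NAT ACL must deny LAN-to-pool traffic before its permit, and the split-tunnel ACL must cover the LAN-to-pool path. It parses only the command forms that appear in the posted config; the BEFORE and AFTER excerpts are constructed from that config and from ladino's suggested change, and the function and variable names are the example's own.

```python
"""Lint a Cisco IOS config for the remote-access VPN symptom in this thread.
Added example, not the posters' or Cisco's code; it models only the command
forms present in the posted configuration."""
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard pair -> network (a wildcard is an inverted subnet mask)."""
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _take_addr(tokens):
    """Consume one address spec from an ACE: 'any' | 'host A' | 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_ace(tokens):
    """Parse 'permit|deny [ip] SRC [DST]'; standard ACEs carry a source only."""
    action = tokens.pop(0)
    if tokens[0] == "ip":                      # extended syntax: source and destination
        tokens.pop(0)
        src, dst = _take_addr(tokens), _take_addr(tokens)
    else:                                      # standard syntax: source only
        src, dst = _take_addr(tokens), ANY
    return action, src, dst


def parse_config(text):
    """Collect pools, ACLs, NAT ACL references, the split-tunnel ACL and NAT-inside subnets."""
    cfg = {"pools": {}, "acls": {}, "nat_lists": [], "split_acl": None, "inside_nets": []}
    named_acl, iface_net = None, None
    for raw in text.splitlines():
        line = raw.strip()
        t = line.split()
        if not t:
            continue
        if t[0] in ("permit", "deny") and named_acl:   # entry of a named extended ACL
            cfg["acls"][named_acl].append(parse_ace(t))
            continue
        named_acl = None
        if line.startswith("ip access-list extended "):
            named_acl = t[3]
            cfg["acls"].setdefault(named_acl, [])
        elif line.startswith("access-list "):           # numbered ACL entry
            cfg["acls"].setdefault(t[1], []).append(parse_ace(t[2:]))
        elif line.startswith("ip local pool "):
            cfg["pools"][t[3]] = (ipaddress.IPv4Address(t[4]), ipaddress.IPv4Address(t[5]))
        elif line.startswith("ip nat inside source list "):
            cfg["nat_lists"].append(t[5])
        elif line.startswith("acl "):                   # 'acl' under the client configuration group
            cfg["split_acl"] = t[1]
        elif line.startswith("interface "):
            iface_net = None
        elif line.startswith("ip address ") and t[2] != "dhcp":
            iface_net = ipaddress.IPv4Network(f"{t[2]}/{t[3]}", strict=False)
        elif line == "ip nat inside" and iface_net:
            cfg["inside_nets"].append(iface_net)
    return cfg


def first_match(aces, src_ip, dst_ip):
    """Evaluate an ACL top-down; the implicit deny applies when nothing matches."""
    for action, src, dst in aces:
        if src_ip in src and dst_ip in dst:
            return action
    return "deny"


def check_vpn_nat(text):
    """Return findings; an empty list means LAN->pool traffic is NAT-exempt and split-tunnelled."""
    cfg = parse_config(text)
    findings = []
    for inside in cfg["inside_nets"]:
        lan_host = inside.network_address + 1          # any representative LAN address
        for pool, (first, last) in cfg["pools"].items():
            for acl_id in cfg["nat_lists"]:
                aces = cfg["acls"].get(acl_id)
                if aces is None:
                    findings.append(f"NAT references ACL {acl_id}, which is not defined")
                elif any(first_match(aces, lan_host, p) == "permit" for p in (first, last)):
                    findings.append(f"ACL {acl_id} NATs {inside} -> pool {pool}; "
                                    "deny that traffic before the permit")
            split = cfg["acls"].get(cfg["split_acl"])
            if not split or first_match(split, lan_host, first) != "permit":
                findings.append(f"split-tunnel ACL {cfg['split_acl']} does not cover "
                                f"{inside} -> pool {pool}")
    return findings


# Constructed excerpt of the posted configuration (before the fix): standard ACL 1
# is the NAT list, so LAN -> 192.168.100.x replies are translated out GigabitEthernet0.
BEFORE = """
crypto isakmp client configuration group XXXVPN
 pool VPNPOOL
 acl SPLIT-TUNNEL
interface GigabitEthernet0
 ip address dhcp
 ip nat outside
interface Vlan1
 ip address 192.168.77.1 255.255.255.0
 ip nat inside
ip local pool VPNPOOL 192.168.100.100 192.168.100.150
ip nat inside source list 1 interface GigabitEthernet0 overload
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 1 permit 192.168.77.0 0.0.0.255
"""

# The same excerpt with ladino's change applied: extended ACL 101 exempts LAN -> pool.
AFTER = BEFORE.replace(
    "ip nat inside source list 1 ", "ip nat inside source list 101 "
).replace(
    "access-list 1 permit 192.168.77.0 0.0.0.255",
    "access-list 101 deny ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255\n"
    "access-list 101 permit ip 192.168.77.0 0.0.0.255 any",
)

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, check_vpn_nat(text) or ["ok"])
```

Run against the BEFORE excerpt the checker reports that ACL 1 translates 192.168.77.0/24 toward the pool, which matches the symptom in the thread: an inside host's reply to a 192.168.100.x client hits the overload rule and leaves with the outside interface's address, so the ping answer appears to come from the public IP. With the deny ahead of the permit in ACL 101 the reply stays untranslated and the reverse route injected by the dynamic crypto map can send it back through the tunnel, and the checker returns no findings.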