yadhutony

join:2012-07-09

[HELP] CAN'T ACCESS LAN WITH EASY VPN CONFIGURATION

Hi,
I have configured an Easy VPN server on a Cisco 1905 ISR using CCP.
The router was already configured with a zone-based firewall.
With the VPN client I can reach only up to the internal interface of the router, but I can't access the LAN of my company.
Do I need to change any configuration in the ZBF, since it is configured as 'deny any' from outside to inside?
If so, what protocols do I need to match? Also, is there any NAT exemption for the VPN clients? Please help me out!! Thanks in advance.

Please see my full configuration:
Router#sh run
Building configuration...

Current configuration : 8150 bytes
!
! Last configuration change at 05:40:32 UTC Wed Jul 4 2012 by
! NVRAM config last updated at 06:04:00 UTC Tue Jul 3 2012 by
! NVRAM config last updated at 06:04:00 UTC Tue Jul 3 2012 by
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 6
no logging buffered
enable secret 5 xxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
no ip gratuitous-arps
ip cef
!
ip name-server xxxxxxxxx
ip name-server yyyyyyyyy
!
multilink bundle-name authenticated
!

parameter-map type urlfpolicy local TSQ-URL-FILTER
alert off
block-page message "Blocked as per policy"
parameter-map type urlf-glob FACEBOOK
pattern facebook.com
pattern *.facebook.com

parameter-map type urlf-glob YOUTUBE
pattern youtube.com
pattern *.youtube.com

parameter-map type urlf-glob CRICKET
pattern espncricinfo.com
pattern *.espncricinfo.com

parameter-map type urlf-glob CRICKET1
pattern webcric.com
pattern *.webcric.com

parameter-map type urlf-glob YAHOO
pattern *.yahoo.com
pattern yahoo.com

parameter-map type urlf-glob PERMITTEDSITES
pattern *

parameter-map type urlf-glob HOTMAIL
pattern hotmail.com
pattern *.hotmail.com

crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2049522683
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2049522683
revocation-check none
rsakeypair TP-self-signed-2049522683
!
crypto pki trustpoint tti
revocation-check crl
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-4966226213
certificate self-signed 01
3082022B 30820194 A0030201 02111101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43647274
69666963 6174652D 32303439 35323236 3833301E 170D3132 30363232 30363332

quit
crypto pki certificate chain tti
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1905/K9 sn xxxxxx
license boot module c1900 technology-package datak9
username xxxxxxx privilege 15 password 0 xxxxx
!
redundancy
!
!
!
!
!
class-map type inspect match-any tsq-inspection-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match protocol l2tp
class-map type urlfilter match-any BLOCKEDSITES
match server-domain urlf-glob FACEBOOK
match server-domain urlf-glob YOUTUBE
match server-domain urlf-glob CRICKET
match server-domain urlf-glob CRICKET1
match server-domain urlf-glob HOTMAIL
class-map type urlfilter match-any PERMITTEDSITES
match server-domain urlf-glob PERMITTEDSITES
class-map type inspect match-all tsq-insp-traffic
match class-map tsq-inspection-traffic
class-map type inspect match-all tsq-http
match protocol http
class-map type inspect match-any tsq-icmp
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all tsq-invalid-src
match access-group 100
class-map type inspect match-all tsq-icmp-access
match class-map tsq-icmp
!
!
policy-map type inspect urlfilter TSQBLOCKEDSITES
class type urlfilter BLOCKEDSITES
log
reset
class type urlfilter PERMITTEDSITES
allow
log
policy-map type inspect SELF-TO-OUT-POLICY
class type inspect tsq-icmp-access
inspect
class class-default
pass
policy-map type inspect IN-TO-OUT-POLICY
class type inspect tsq-invalid-src
drop log
class type inspect tsq-http
inspect
service-policy urlfilter TSQBLOCKEDSITES
class type inspect tsq-insp-traffic
inspect
class class-default
drop
policy-map type inspect OUT-TO-IN-POLICY
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUT-TO-IN-POLICY
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect IN-TO-OUT-POLICY
zone-pair security SELF-TO-OUT source self destination OUTSIDE
service-policy type inspect SELF-TO-OUT-POLICY
!
crypto ctcp port 10000
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
group 2
!
crypto isakmp client configuration group vpntunnel
key xxxxxxx
pool SDM_POOL_1
include-local-lan
max-users 10
crypto isakmp profile ciscocp-ike-profile-1
match identity group vpntunnel
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set TSQ-TRANSFORM esp-des esp-md5-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set TSQ-TRANSFORM
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
!
interface GigabitEthernet0/0
description LAN INTERFACE-FW-INSIDE
ip address 172.17.0.71 255.255.0.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN-INTERNET-INTERNET-FW-OUTSIDE
ip address xxxxxx yyyyyyy
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
no fair-queue
clock rate 2000000
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 172.17.0.11 172.17.0.20
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 yyyyyyyyy
ip route 192.168.1.0 255.255.255.0 172.17.0.6
ip route 192.168.4.0 255.255.255.0 172.17.0.6
!
access-list 1 permit 172.17.0.0 0.0.255.255
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip yyyyyy yyyyyy any
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input rlogin ssh
!
scheduler allocate 20000 1000
end


ladino

join:2001-02-24
USA
kudos:1

Your NAT statement needs to include a deny for LAN traffic going to the VPN clients.
Use a different subnet for the VPN pool, not your LAN subnet.
You can confirm ZBF is not the culprit by temporarily disabling it and reconnecting to the VPN.


yadhutony

join:2012-07-09

Hi,

I followed your suggestion and modified my router configuration, but I still can't access the LAN. I can ping up to the LAN interface of my router but can't access any other internal devices. When I checked the client machine's ipconfig, the IP address [assigned by the VPN server] and the default gateway seem to be the same. Do I need to add any route for the VPN traffic? Please help me out!

Please see the new config:

Router#sh run
Building configuration...

Current configuration : 8514 bytes
!
! Last configuration change at 04:24:50 UTC Wed Jul 11 2012 by
! NVRAM config last updated at 07:30:45 UTC Tue Jul 10 2012 by
! NVRAM config last updated at 07:30:45 UTC Tue Jul 10 2012 by
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 6
no logging buffered
enable secret 5 xxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
!
ip name-server xxxxxxx
ip name-server xxxxxxx
!
multilink bundle-name authenticated
!

parameter-map type urlfpolicy local TSQ-URL-FILTER
alert off
block-page message "Blocked as per policy"
parameter-map type urlf-glob FACEBOOK
pattern facebook.com
pattern *.facebook.com

parameter-map type urlf-glob YOUTUBE
pattern youtube.com
pattern *.youtube.com

parameter-map type urlf-glob CRICKET
pattern espncricinfo.com
pattern *.espncricinfo.com

parameter-map type urlf-glob CRICKET1
pattern webcric.com
pattern *.webcric.com

parameter-map type urlf-glob YAHOO
pattern *.yahoo.com
pattern yahoo.com

parameter-map type urlf-glob PERMITTEDSITES
pattern *

10798E30 68DF5F12 6639732D 37144D4A 1F9AB983 F543B4AB BEF54B04 2636038A
61B34F36 B0B59BFE 5EF35701 FDB0B8CB 99315C74 8B2D930E DBF1012F F46B083A
2C8F75C9 06DB66DE 225BCD7E B1982CA8 13821856 11FC0397 C7A73397 76DF5B10
EC2C4377 7A2F4413 C8A8718B 2CD720
quit
crypto pki certificate chain tti
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1905/K9 sn
license boot module c1900 technology-package datak9
!
!
username xxxxxxxxxxx privilege 15 password 0 xxxxxxxxxxxxxx
username xxxxxxxxx privilege 10 password 0 xxxxxxxxx
!
redundancy
!
!
!
!
!
class-map type inspect match-any tsq-inspection-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match protocol l2tp
class-map type urlfilter match-any BLOCKEDSITES
match server-domain urlf-glob FACEBOOK
match server-domain urlf-glob YOUTUBE
match server-domain urlf-glob CRICKET
match server-domain urlf-glob CRICKET1
class-map type urlfilter match-any PERMITTEDSITES
match server-domain urlf-glob PERMITTEDSITES
class-map type inspect match-all tsq-insp-traffic
match class-map tsq-inspection-traffic
class-map type inspect match-all vpn-access
match access-group 121
class-map type inspect match-all tsq-http
match protocol http
class-map type inspect match-any tsq-icmp
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all tsq-invalid-src
match access-group 100
class-map type inspect match-all tsq-icmp-access
match class-map tsq-icmp
!
!
policy-map type inspect urlfilter TSQBLOCKEDSITES
class type urlfilter BLOCKEDSITES
log
reset
class type urlfilter PERMITTEDSITES
allow
log
policy-map type inspect SELF-TO-OUT-POLICY
class type inspect tsq-icmp-access
inspect
class class-default
pass
policy-map type inspect VPN-TO-IN-POLICY
class type inspect vpn-access
inspect
class class-default
drop
policy-map type inspect IN-TO-OUT-POLICY
class type inspect tsq-invalid-src
drop log
class type inspect tsq-http
inspect
service-policy urlfilter TSQBLOCKEDSITES
class type inspect tsq-insp-traffic
inspect
class class-default
drop
policy-map type inspect OUT-TO-IN-POLICY
class type inspect vpn-access
inspect
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone security VPN
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUT-TO-IN-POLICY
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect IN-TO-OUT-POLICY
zone-pair security SELF-TO-OUT source self destination OUTSIDE
service-policy type inspect SELF-TO-OUT-POLICY
zone-pair security VPN-TO-IN source VPN destination INSIDE
service-policy type inspect VPN-TO-IN-POLICY
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpntunnel
key xxxxxxxxxxxxxxxx
pool SDM_POOL_1
include-local-lan
max-users 20
netmask 255.0.0.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group tsqvpntunnel
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
!
interface GigabitEthernet0/0
description LAN INTERFACE-FW-INSIDE
ip address 172.17.0.71 255.255.0.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN-INTERNET-INTERFACE-FW-OUTSIDE
ip address xxxxxxx yyyyyyy
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
no fair-queue
clock rate 2000000
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
zone-member security VPN
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 10.0.0.1 10.0.0.20
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 120 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxx
ip route 192.168.4.0 255.255.255.0 172.17.0.6
!
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip xxxxxx xxxxxx any
access-list 120 deny ip 172.17.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 172.17.0.0 0.0.255.255 any
access-list 121 permit ip 10.0.0.0 0.0.0.255 172.17.0.0 0.0.255.255
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input rlogin ssh
!
scheduler allocate 20000 1000
end


yadhutony

join:2012-07-09
reply to ladino

I have done the same, but it is still not working. Please help me.
See the latest config:




Teddzy

@metrong.com

I just noticed some things... I might be wrong, though... but also, if you can post the schematics of your network, that could help.

I think your routing has got issues. I don't see where it says

ip route 10.0.0.0 0.0.0.255 172.17.0.6 (which I believe should be your routed point on your core switch or something). Truth is, your VPN subnet doesn't know who to talk to to reach your LAN and get back. I feel you need to have that in place.

Like I said, if you can provide us with your LAN schematics, that should help.

Cheers
Teddy



Teddzy

@metrong.com
reply to yadhutony

Hi Yad,

Hmmm, let me just add my own little two cents to solve your problem.

I have looked into your config and I actually found that there's no route pointing your VPN subnet to the LAN, I mean something like this:

ip route 10.0.0.0 0.0.0.255 172.17.0.6 (which I think should be your routed point on your core switch). You need to have a route statement of some sort for you to reach your LAN. Even if you were running a dynamic routing protocol, you'd have to redistribute the VPN subnet into the routing protocol for you to reach the LAN.

Personally, I'll say you keep off SDM for router configs... for me it messes up things! I just don't like the SDM, especially in VPN configs.

Cheers
Teddy


yadhutony

join:2012-07-09

Hello Teddz,

Thank you for your reply. The problem was that the zone was not applied to any zone security, and we needed to have it on one to make it work. We don't need to put any route in for that.
Anyway, I'll definitely keep off SDM or CCP from my configs.

Regards,

Tony
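The three conditions this thread turned on (VPN pool inside the LAN subnet, no NAT exemption for LAN-to-pool traffic, and a Virtual-Template interface that belongs to no security zone, which under ZBF cannot exchange traffic with zoned interfaces) can be checked mechanically against a saved `show run`. The audit below is an added example, not code from the thread or from Cisco; the two config excerpts are constructed and modelled on the first and the corrected config posted above, and ACL wildcard masks are assumed contiguous.

```python
import ipaddress
import re

# Constructed, modelled on the first config above: pool inside the LAN, no NAT exemption, template in no zone.
BROKEN_CFG = """\
interface GigabitEthernet0/0
 ip address 172.17.0.71 255.255.0.0
interface Virtual-Template1 type tunnel
ip local pool SDM_POOL_1 172.17.0.11 172.17.0.20
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 172.17.0.0 0.0.255.255
"""

# Constructed, modelled on the corrected config: separate pool, NAT deny before the permit, template in zone VPN.
FIXED_CFG = """\
interface GigabitEthernet0/0
 ip address 172.17.0.71 255.255.0.0
interface Virtual-Template1 type tunnel
 zone-member security VPN
ip local pool SDM_POOL_1 10.0.0.1 10.0.0.20
ip nat inside source list 120 interface GigabitEthernet0/1 overload
access-list 120 deny ip 172.17.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 172.17.0.0 0.0.255.255 any
"""

def iface_blocks(cfg):
    """(name, indented sub-command text) for every 'interface' block."""
    return re.findall(r"^interface (\S+)[^\n]*\n((?: [^\n]*\n)*)", cfg, re.M)

def acl_net(token):
    """'addr wildcard' or 'any' -> network (contiguous wildcards assumed)."""
    addr, wild = ("0.0.0.0", "255.255.255.255") if token == "any" else token.split()
    host_bits = bin(int(ipaddress.IPv4Address(wild))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)

def pool_range(cfg):
    m = re.search(r"^ip local pool \S+ (\S+) (\S+)", cfg, re.M)  # first and last pool address
    return ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2])

def pool_overlaps_lan(cfg):
    """True if either end of the pool lies inside an interface's own subnet."""
    lo, hi = pool_range(cfg)
    nets = [ipaddress.ip_network(f"{a}/{m}", strict=False) for _, body in iface_blocks(cfg)
            for a, m in re.findall(r"^ ip address (\S+) (\S+)$", body, re.M)]
    return any(lo in n or hi in n for n in nets)

def tunnel_has_zone(cfg):
    """True if every Virtual-Template interface carries a zone-member line."""
    bodies = [b for n, b in iface_blocks(cfg) if n.startswith("Virtual-Template")]
    return bool(bodies) and all(" zone-member security " in b for b in bodies)

def nat_exempts_vpn(cfg):
    """True if the NAT ACL's first entry whose destination covers the pool is a deny."""
    lo, hi = pool_range(cfg)
    m = re.search(r"^ip nat inside source list (\S+) ", cfg, re.M)
    if not m:
        return True  # no dynamic NAT, nothing to exempt
    pat = rf"^access-list {re.escape(m[1])} (deny|permit) ip (?:\S+ \S+|any) (\S+ \S+|any)"
    for entry in re.finditer(pat, cfg, re.M):
        net = acl_net(entry[2])
        if lo in net and hi in net:
            return entry[1] == "deny"  # first covering entry wins, as on the router
    return False  # standard ACL or no covering entry: VPN traffic gets translated

def audit(cfg):
    """Findings for the three problems this thread turned on."""
    checks = [(pool_overlaps_lan(cfg), "VPN pool overlaps a LAN interface subnet"),
              (not nat_exempts_vpn(cfg), "NAT ACL does not deny LAN-to-VPN-pool traffic"),
              (not tunnel_has_zone(cfg), "Virtual-Template is in no security zone")]
    return [msg for bad, msg in checks if bad]
```

Run `audit()` over the text of a saved running-config; an empty list means none of the three conditions is present, and a permit placed ahead of the deny in the NAT ACL is reported as a missing exemption because the router evaluates entries in order.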