[HELP] CAN'T ACCESS LAN WITH EASY VPN CONFIGURATION
Hi, I have configured an Easy VPN server on a Cisco 1905 ISR using CCP. The router was already configured with a zone-based firewall. With the VPN client I can reach only up to the internal interface of the router but can't access the LAN of my company. Do I need to change any configuration in ZBF, since it is configured as 'deny any' from outside to inside? If so, what protocols do I need to match? Also, is there any NAT exemption for the VPN clients? Please help me out!! Thanks in advance.
Please see my full configuration:

Router#sh run
Building configuration...

Current configuration : 8150 bytes
!
! Last configuration change at 05:40:32 UTC Wed Jul 4 2012 by
! NVRAM config last updated at 06:04:00 UTC Tue Jul 3 2012 by
! NVRAM config last updated at 06:04:00 UTC Tue Jul 3 2012 by
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security passwords min-length 6
no logging buffered
enable secret 5 xxxxxxxxxxx
!
aaa new-model
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
!
no ipv6 cef
ip source-route
no ip gratuitous-arps
ip cef
!
ip name-server xxxxxxxxx
ip name-server yyyyyyyyy
!
multilink bundle-name authenticated
!
parameter-map type urlfpolicy local TSQ-URL-FILTER
 alert off
 block-page message "Blocked as per policy"
parameter-map type urlf-glob FACEBOOK
 pattern facebook.com
 pattern *.facebook.com
parameter-map type urlf-glob YOUTUBE
 pattern youtube.com
 pattern *.youtube.com
parameter-map type urlf-glob CRICKET
 pattern espncricinfo.com
 pattern *.espncricinfo.com
parameter-map type urlf-glob CRICKET1
 pattern webcric.com
 pattern *.webcric.com
parameter-map type urlf-glob YAHOO
 pattern *.yahoo.com
 pattern yahoo.com
parameter-map type urlf-glob PERMITTEDSITES
 pattern *
parameter-map type urlf-glob HOTMAIL
 pattern hotmail.com
 pattern *.hotmail.com
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2049522683
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2049522683
 revocation-check none
 rsakeypair TP-self-signed-2049522683
!
crypto pki trustpoint tti
 revocation-check crl
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
crypto pki certificate chain TP-self-signed-4966226213
 certificate self-signed 01
  quit
crypto pki certificate chain tti
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1905/K9 sn xxxxxx
license boot module c1900 technology-package datak9
username xxxxxxx privilege 15 password 0 xxxxx
!
redundancy
!
class-map type inspect match-any tsq-inspection-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
 match protocol l2tp
class-map type urlfilter match-any BLOCKEDSITES
 match server-domain urlf-glob FACEBOOK
 match server-domain urlf-glob YOUTUBE
 match server-domain urlf-glob CRICKET
 match server-domain urlf-glob CRICKET1
 match server-domain urlf-glob HOTMAIL
class-map type urlfilter match-any PERMITTEDSITES
 match server-domain urlf-glob PERMITTEDSITES
class-map type inspect match-all tsq-insp-traffic
 match class-map tsq-inspection-traffic
class-map type inspect match-all tsq-http
 match protocol http
class-map type inspect match-any tsq-icmp
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all tsq-invalid-src
 match access-group 100
class-map type inspect match-all tsq-icmp-access
 match class-map tsq-icmp
!
policy-map type inspect urlfilter TSQBLOCKEDSITES
 class type urlfilter BLOCKEDSITES
  log
  reset
 class type urlfilter PERMITTEDSITES
  allow
  log
policy-map type inspect SELF-TO-OUT-POLICY
 class type inspect tsq-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect tsq-invalid-src
  drop log
 class type inspect tsq-http
  inspect
  service-policy urlfilter TSQBLOCKEDSITES
 class type inspect tsq-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect OUT-TO-IN-POLICY
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect SELF-TO-OUT-POLICY
!
crypto ctcp port 10000
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 group 2
!
crypto isakmp client configuration group vpntunnel
 key xxxxxxx
 pool SDM_POOL_1
 include-local-lan
 max-users 10
crypto isakmp profile ciscocp-ike-profile-1
   match identity group vpntunnel
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
crypto ipsec transform-set TSQ-TRANSFORM esp-des esp-md5-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set TSQ-TRANSFORM
 set isakmp-profile ciscocp-ike-profile-1
!
interface Embedded-Service-Engine0/0
 no ip address
 ip mask-reply
 ip directed-broadcast
 shutdown
!
interface GigabitEthernet0/0
 description LAN INTERFACE-FW-INSIDE
 ip address 172.17.0.71 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description WAN-INTERNET-INTERNET-FW-OUTSIDE
 ip address xxxxxx yyyyyyy
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 ip mask-reply
 ip directed-broadcast
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 172.17.0.11 172.17.0.20
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 yyyyyyyyy
ip route 192.168.1.0 255.255.255.0 172.17.0.6
ip route 192.168.4.0 255.255.255.0 172.17.0.6
!
access-list 1 permit 172.17.0.0 0.0.255.255
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip yyyyyy yyyyyy any
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input rlogin ssh
!
scheduler allocate 20000 1000
end
ladino
Member
2012-Jul-10 8:57 am
Your NAT statement needs to include a deny for LAN traffic going to the VPN clients. Use a different subnet for the VPN pool, not your LAN subnet. You can confirm ZBF is not the culprit by temporarily disabling it and reconnecting to the VPN.
Hi,
I followed your suggestion and modified my router configuration, but I still can't access the LAN. I can ping up to the LAN interface of my router but can't access any other internal devices. When I checked the client machine's ipconfig, the IP address [assigned by the VPN server] and the default gateway seem to be the same. Do I need to add any route for the VPN traffic? Please help me out!
Please see the new config:
Router#sh run
Building configuration...

Current configuration : 8514 bytes
!
! Last configuration change at 04:24:50 UTC Wed Jul 11 2012 by
! NVRAM config last updated at 07:30:45 UTC Tue Jul 10 2012 by
! NVRAM config last updated at 07:30:45 UTC Tue Jul 10 2012 by
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security passwords min-length 6
no logging buffered
enable secret 5 xxxxxxx
!
aaa new-model
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
!
no ipv6 cef
ip source-route
no ip gratuitous-arps
ip cef
!
ip name-server xxxxxxx
ip name-server xxxxxxx
!
multilink bundle-name authenticated
!
parameter-map type urlfpolicy local TSQ-URL-FILTER
 alert off
 block-page message "Blocked as per policy"
parameter-map type urlf-glob FACEBOOK
 pattern facebook.com
 pattern *.facebook.com
parameter-map type urlf-glob YOUTUBE
 pattern youtube.com
 pattern *.youtube.com
parameter-map type urlf-glob CRICKET
 pattern espncricinfo.com
 pattern *.espncricinfo.com
parameter-map type urlf-glob CRICKET1
 pattern webcric.com
 pattern *.webcric.com
parameter-map type urlf-glob YAHOO
 pattern *.yahoo.com
 pattern yahoo.com
parameter-map type urlf-glob PERMITTEDSITES
 pattern *
  quit
crypto pki certificate chain tti
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1905/K9 sn
license boot module c1900 technology-package datak9
!
username xxxxxxxxxxx privilege 15 password 0 xxxxxxxxxxxxxx
username xxxxxxxxx privilege 10 password 0 xxxxxxxxx
!
redundancy
!
class-map type inspect match-any tsq-inspection-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
 match protocol l2tp
class-map type urlfilter match-any BLOCKEDSITES
 match server-domain urlf-glob FACEBOOK
 match server-domain urlf-glob YOUTUBE
 match server-domain urlf-glob CRICKET
 match server-domain urlf-glob CRICKET1
class-map type urlfilter match-any PERMITTEDSITES
 match server-domain urlf-glob PERMITTEDSITES
class-map type inspect match-all tsq-insp-traffic
 match class-map tsq-inspection-traffic
class-map type inspect match-all vpn-access
 match access-group 121
class-map type inspect match-all tsq-http
 match protocol http
class-map type inspect match-any tsq-icmp
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all tsq-invalid-src
 match access-group 100
class-map type inspect match-all tsq-icmp-access
 match class-map tsq-icmp
!
policy-map type inspect urlfilter TSQBLOCKEDSITES
 class type urlfilter BLOCKEDSITES
  log
  reset
 class type urlfilter PERMITTEDSITES
  allow
  log
policy-map type inspect SELF-TO-OUT-POLICY
 class type inspect tsq-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect VPN-TO-IN-POLICY
 class type inspect vpn-access
  inspect
 class class-default
  drop
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect tsq-invalid-src
  drop log
 class type inspect tsq-http
  inspect
  service-policy urlfilter TSQBLOCKEDSITES
 class type inspect tsq-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect vpn-access
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone security VPN
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect SELF-TO-OUT-POLICY
zone-pair security VPN-TO-IN source VPN destination INSIDE
 service-policy type inspect VPN-TO-IN-POLICY
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpntunnel
 key xxxxxxxxxxxxxxxx
 pool SDM_POOL_1
 include-local-lan
 max-users 20
 netmask 255.0.0.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group tsqvpntunnel
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
interface Embedded-Service-Engine0/0
 no ip address
 ip mask-reply
 ip directed-broadcast
 shutdown
!
interface GigabitEthernet0/0
 description LAN INTERFACE-FW-INSIDE
 ip address 172.17.0.71 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description WAN-INTERNET-INTERFACE-FW-OUTSIDE
 ip address xxxxxxx yyyyyyy
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 ip mask-reply
 ip directed-broadcast
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 zone-member security VPN
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 10.0.0.1 10.0.0.20
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 120 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxx
ip route 192.168.4.0 255.255.255.0 172.17.0.6
!
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip xxxxxx xxxxxx any
access-list 120 deny ip 172.17.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 172.17.0.0 0.0.255.255 any
access-list 121 permit ip 10.0.0.0 0.0.0.255 172.17.0.0 0.0.255.255
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input rlogin ssh
!
scheduler allocate 20000 1000
end
yadhutony
to ladino
I have done the same but it is still not working. Please help me. See the latest config:
Teddzy
Anon
2012-Jul-13 7:54 am
I just noticed something... I might be wrong though... but also, if you can post the schematics of your network, that could help.
I think your routing has got issues. I don't see where it says
ip route 10.0.0.0 0.0.0.255 172.17.0.6 (which I believe should be your routed point on your core switch or something). The truth is your VPN subnet doesn't know who to talk to to reach your LAN and get back. I feel you need to have that in place.
Like I said, if you can provide us with your LAN schematics, that should help.
Cheers, Teddy

Teddzy
to yadhutony
Hi Yad,
Hmmm, let me just add my own little two cents to solve your problem.
I have looked into your config and I actually found that there's no route pointing your VPN subnet to the LAN, I mean something like this:
ip route 10.0.0.0 0.0.0.255 172.17.0.6 (which I think should be your routed point on your core switch). You need to have a route statement of some sort for you to reach your LAN. Even if you were running a dynamic routing protocol, you'd have to redistribute the VPN subnet into the routing protocol for you to reach the LAN.
Personally I'd say keep off SDM for router configs... for me it messes things up! I just don't like SDM, especially for VPN configs.
Cheers, Teddy
Hello Teddzy,
Thank you for your reply. The problem was that the interface was not applied to any security zone, and we needed to have it in one to make it work. We don't need to put any route in for that. Anyway, I'll definitely keep SDM and CCP away from my configs.
Regards,
Tony
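The three conditions this thread turned on (a VPN pool overlapping the LAN, a NAT ACL with no deny toward the pool, and the Virtual-Template interface sitting in no zone with a zone-pair to INSIDE) as a small Python lint over trimmed excerpts of the two posted configs. This is an added example, not code from the thread; the excerpts are constructed from the configs above, and the interface names GigabitEthernet0/0 and Virtual-Template1 are taken from them as defaults.

```python
from ipaddress import IPv4Address, IPv4Network, summarize_address_range
# Constructed excerpts of the two configs posted in this thread: as first posted, and after the fixes.
BEFORE = """\
interface GigabitEthernet0/0
 ip address 172.17.0.71 255.255.0.0
 zone-member security INSIDE
interface Virtual-Template1 type tunnel
ip local pool SDM_POOL_1 172.17.0.11 172.17.0.20
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 172.17.0.0 0.0.255.255
"""
AFTER = """\
zone-pair security VPN-TO-IN source VPN destination INSIDE
interface GigabitEthernet0/0
 ip address 172.17.0.71 255.255.0.0
 zone-member security INSIDE
interface Virtual-Template1 type tunnel
 zone-member security VPN
ip local pool SDM_POOL_1 10.0.0.1 10.0.0.20
ip nat inside source list 120 interface GigabitEthernet0/1 overload
access-list 120 deny ip 172.17.0.0 0.0.255.255 10.0.0.0 0.0.0.255
"""
ANY = IPv4Network("0.0.0.0/0")

def _take(tok):  # consume one ACL address spec ('any', 'host A' or 'A WILDCARD') -> (network, rest)
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return IPv4Network(tok[1]), tok[2:]
    return IPv4Network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]  # an IOS wildcard is a hostmask

def parse(config):
    """Pull interfaces, VPN pool, NAT ACL, ACL entries and zone-pairs out of a running-config."""
    cfg = {"ifaces": {}, "pool": [], "nat_acl": None, "acls": {}, "pairs": set()}
    iface = {}
    for line in filter(str.strip, config.splitlines()):
        w = line.split()
        if w[0] == "interface":
            iface = cfg["ifaces"].setdefault(w[1], {"zone": None, "net": None})
        elif line.startswith(" "):  # interface sub-command
            if w[:2] == ["ip", "address"]:
                iface["net"] = IPv4Network(f"{w[2]}/{w[3]}", strict=False)
            elif w[:2] == ["zone-member", "security"]:
                iface["zone"] = w[2]
        elif w[:3] == ["ip", "local", "pool"]:
            cfg["pool"] = list(summarize_address_range(IPv4Address(w[4]), IPv4Address(w[5])))
        elif w[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["nat_acl"] = w[5]
        elif w[:2] == ["zone-pair", "security"]:
            cfg["pairs"].add((w[4], w[6]))
        elif w[0] == "access-list":
            rest = w[4:] if w[3] == "ip" else w[3:]  # extended 'ip' entry (src dst) vs standard (src)
            src, rest = _take(rest)
            dst = _take(rest)[0] if rest else ANY
            cfg["acls"].setdefault(w[1], []).append((w[2], src, dst))
    return cfg

def check(config, lan_if="GigabitEthernet0/0", vpn_if="Virtual-Template1"):
    """Return the findings the thread converged on; an empty list means none of them apply."""
    cfg, out = parse(config), []
    lan, vpn = cfg["ifaces"][lan_if], cfg["ifaces"].get(vpn_if, {"zone": None})
    if any(n.overlaps(lan["net"]) for n in cfg["pool"]):
        out.append("VPN pool overlaps the LAN subnet; use a separate subnet for the pool")
    if vpn["zone"] is None or (vpn["zone"], lan["zone"]) not in cfg["pairs"]:
        out.append(f"{vpn_if} is in no security zone or has no zone-pair to {lan['zone']}; ZBF drops it")
    exempt = any(act == "deny" and lan["net"].subnet_of(src) and all(n.subnet_of(dst) for n in cfg["pool"])
                 for act, src, dst in cfg["acls"].get(cfg["nat_acl"], []))
    if not exempt:
        out.append("NAT ACL has no deny for LAN -> VPN pool, so replies to VPN clients get translated")
    return out
```

Feeding a full `show run` to `check()` works as long as the NAT ACL only uses `ip`, `host`, `any` and wildcard entries, which is all the posted configs contain.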