Remote Access VPN - NAT issue?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Remote Access VPN - NAT issue?

    Hi,
    I have configured a cisco 878 router as a remote access VPN. I can connect to the VPN fine, but I have no access to hosts on the internal LAN.

    The config;
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname stability14
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 debugging
    !
    aaa new-model
    !
    !
    aaa authentication login vpnLogin local
    aaa authorization network vpnAuth local
    !
    aaa session-id common
    !
    resource policy
    !
    ip subnet-zero
    ip cef
    no ip dhcp use vrf connected
    !
    ip dhcp pool LAN_Pool
    network 10.136.13.0 255.255.255.0
    default-router 10.136.13.254
    !
    !
    ip tcp synwait-time 10
    no ip bootp server
    ip domain name yourdomain.com
    ip name-server 195.10.102.11
    ip name-server 195.10.102.12
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    !
    !
    username root privilege 15 secret 5 xxxxxxxxxxxxxxxxxxx
    username sandvine secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
    !
    !
    controller DSL 0
    mode atm
    line-term cpe
    line-mode 2-wire line-zero
    dsl-mode shdsl symmetric annex B
    line-rate auto
    !
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group vpn
    key xxxxxxxxxxxxx
    pool vpnPool
    acl 100
    include-local-lan
    !
    !
    crypto ipsec transform-set vpnTransform esp-3des esp-md5-hmac
    !
    crypto dynamic-map vpnDynmap 10
    set transform-set vpnTransform
    reverse-route
    !
    !
    crypto map vpnMap client authentication list vpnLogin
    crypto map vpnMap isakmp authorization list vpnAuth
    crypto map vpnMap client configuration address respond
    crypto map vpnMap 10 ipsec-isakmp dynamic vpnDynmap
    !
    !
    !
    interface Loopback0
    ip address 10.255.255.255 255.255.255.255
    !
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    !
    interface ATM0
    no ip address
    atm vc-per-vp 64
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    hold-queue 224 in
    !
    interface FastEthernet0
    no cdp enable
    !
    interface FastEthernet1
    no cdp enable
    !
    interface FastEthernet2
    no cdp enable
    !
    interface FastEthernet3
    switchport mode trunk
    no cdp enable
    !
    interface Vlan1
    description LAN
    ip address 10.136.13.254 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    ip tcp adjust-mss 1452
    !
    interface Dialer0
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname xxxxxxxxxxxxxxxx
    ppp chap password 7 xxxxxxxxxxxxxxxxxxx
    ppp ipcp dns request
    crypto map vpnMap
    hold-queue 224 in
    !
    ip local pool vpnPool 192.168.100.100 192.168.100.105
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    no ip http server
    no ip http secure-server
    ip nat inside source static tcp 10.255.255.255 23 interface Dialer0 4000
    ip nat inside source route-map NONAT interface Dialer0 overload
    !
    logging trap debugging
    access-list 1 permit 10.136.13.0 0.0.0.255
    access-list 1 permit 192.168.100.0 0.0.0.255
    access-list 100 permit ip 10.136.13.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 130 deny ip 10.136.13.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 130 permit ip 10.136.13.0 0.0.0.255 any
    access-list 140 permit ip 192.168.100.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    no cdp run
    route-map NONAT permit 10
    match ip address 130
    !
    !
    line con 0
    password 7 xxxxxxxxxxxxx
    no modem enable
    line aux 0
    line vty 0 4
    access-class 10 in
    password 7 xxxxxxxxxxxxxxxx
    stopbits 1
    !
    scheduler max-task-time 5000
    end


    Connected to the other end of trunk on fa3 is a 3750. This has the host devices that I want to connect to over the VPN. The ip address of vlan1 on the 3750 is 10.136.13.99. I can ping this and any hosts on the 3750 from the 878.

    When I connect to the VPN, I can ping the IP address 10.136.13.254, and I can also ping the IP address assigned to the client from the 878.

    What I can't do is reach any of the host devices on the 3750. I suspect this is down to NAT, but I'm stuck on how to fix it.

    Any help or suggestions would be most helpful.

    Kind Regards
    Mark.
    Last edited by mark.kneen; 24th June 2009, 15:58.

  • #2
    Re: Remote Access VPN - NAT issue?

    I fixed it. The host I was trying to contact had a default route manually set. This was different to what I thought it was. Once I changed that, it all works...
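    The two halves of this thread (the NONAT route-map in the posted config, and the LAN host's default route that turned out to be the real cause) can be checked together with a small model. This is an added example written for this page, not the poster's tooling or Cisco's; the host routing tables below are constructed to illustrate the broken and fixed cases.

```python
import ipaddress

# Addresses taken from the posted config.
LAN = "10.136.13.0/24"
VPN_POOL = "192.168.100.0/24"
ROUTER_LAN_IP = "10.136.13.254"   # Vlan1 on the 878

# access-list 130 from the config, in first-match order:
# (action, source network, destination network); wildcard 0.0.0.255 == /24.
ACL_130 = [
    ("deny", LAN, VPN_POOL),
    ("permit", LAN, "0.0.0.0/0"),
]


def acl_action(acl, src, dst):
    """IOS-style first-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in acl:
        if s in ipaddress.ip_network(snet) and d in ipaddress.ip_network(dnet):
            return action
    return "deny"


def is_natted(src, dst):
    """route-map NONAT permit 10 / match ip address 130: the overload NAT
    rule only applies to packets that ACL 130 permits."""
    return acl_action(ACL_130, src, dst) == "permit"


def next_hop(routing_table, dst):
    """Longest-prefix-match lookup in a LAN host's routing table.
    Entries are (prefix, gateway); a directly connected prefix uses "0.0.0.0"."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routing_table:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def reply_reaches_vpn_client(host_routes, host_ip, client_ip):
    """A reply from a LAN host gets back to the VPN client only if the host
    forwards it to the 878 and the 878 does not NAT it into the tunnel."""
    return (next_hop(host_routes, client_ip) == ROUTER_LAN_IP
            and not is_natted(host_ip, client_ip))
```

    With the posted ACL the NAT exemption is already correct, so the model only fails when the host's default route points somewhere other than 10.136.13.254, which matches the fix reported above.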
