09-28-2011 07:38 PM
I am able to connect to my Cisco ISR 891 via VPN with the Cisco VPN Client 5.0.07.0440, but once connected I cannot access hosts on the inside. If I ping a host on the inside by name, nothing resolves. If I ping by IP, I get a reply from the public IP of the router. I'm sure I am missing something simple. Thanks!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXX
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 XXX
enable password 7 XXX
!
aaa new-model
!
aaa authentication login vpnuserauth group radius local
aaa authorization network XXXVPN local
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3003131779
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3003131779
revocation-check none
rsakeypair TP-self-signed-3003131779
!
crypto pki certificate chain TP-self-signed-3003131779
certificate self-signed 01
quit
no ip source-route
!
ip domain name xxxx.local
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO891-K9 sn XXXX
!
username XXX privilege 15 secret 5 XXXX
!
ip ssh version 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group XXXVPN
key XXXVPNKEY
dns 192.168.77.25 8.8.8.8
domain xxxx.local
pool VPNPOOL
acl SPLIT-TUNNEL
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set 3DES-SHA
reverse-route
!
crypto map CRYPTO-OUTSIDE client authentication list vpnuserauth
crypto map CRYPTO-OUTSIDE isakmp authorization list XXXVPN
crypto map CRYPTO-OUTSIDE client configuration address respond
crypto map CRYPTO-OUTSIDE 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0
no ip address
spanning-tree portfast
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
no ip address
shutdown
!
interface FastEthernet5
no ip address
shutdown
!
interface FastEthernet6
no ip address
shutdown
!
interface FastEthernet7
no ip address
shutdown
!
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map CRYPTO-OUTSIDE
!
interface Vlan1
ip address 192.168.77.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async1
no ip address
encapsulation slip
!
ip local pool VPNPOOL 192.168.100.100 192.168.100.150
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 XXXX 254
!
ip access-list extended NAT
deny ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.77.0 0.0.0.255 any
ip access-list extended SPLIT-TUNNEL
permit ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255
!
ip radius source-interface Vlan1
access-list 1 permit 192.168.77.0 0.0.0.255
!
snmp-server community mdv RO
radius-server host 192.168.77.27 key 7 XXXX
!
control-plane
!
mgcp profile default
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
password 7 XXXX
transport input telnet ssh
!
scheduler max-task-time 5000
end
09-28-2011 07:51 PM
You've created the NAT ACL but you didn't apply it.
ip nat inside source list NAT interface GigabitEthernet0 overload
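The reply above says the NAT statement should reference the NAT ACL (which denies 192.168.77.0/24 to the VPN pool) instead of list 1 (which permits 192.168.77.0/24 to anything). As an added example that is not part of the thread or of Cisco's tooling, this Python audit parses the ACLs and VPN pool out of an IOS config and reports a NAT statement whose ACL still matches inside traffic bound for the pool; it assumes standard numbered and extended named ACL syntax only, and uses a constructed sample built from the relevant lines of the config posted above.

```python
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(tokens):  # one ACL address spec ('any' or 'ADDR WILDCARD') -> (network, tokens consumed)
    return (ANY, 1) if tokens[0] == "any" else (ipaddress.ip_network(tuple(tokens[:2]), strict=False), 2)

def parse_acls(config):
    """Map each ACL name/number to its ordered (action, src_net, dst_net) entries."""
    acls, current = {}, None
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "access-list":                     # numbered standard ACL (1-99)
            acls.setdefault(t[1], []).append((t[2], _net(t[3:])[0], ANY))
        elif t[:2] == ["ip", "access-list"]:          # named extended ACL header
            acls.setdefault(current := t[3], [])
        elif current and t[0] in ("permit", "deny"):  # entry: action proto src dst ...
            src, n = _net(t[2:])
            acls[current].append((t[0], src, _net(t[2 + n:])[0]))
        elif t[0] != "remark":                        # any other line ends the ACL block
            current = None
    return acls

def acl_permits(entries, src, dst):  # IOS first-match evaluation, implicit deny at the end
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in entries:
        if src in s and dst in d:
            return action == "permit"
    return False

def audit(config):
    """Flag NAT statements whose ACL still translates inside traffic bound for a VPN pool."""
    acls, findings = parse_acls(config), []
    for acl in re.findall(r"^ip nat inside source list (\S+) ", config, re.M):
        for name, first in re.findall(r"^ip local pool (\S+) (\S+)", config, re.M):
            for action, src_net, _ in acls.get(acl, []):   # probe each permitted source range
                if action == "permit" and acl_permits(acls[acl], src_net[0], first):
                    findings.append(f"list {acl}: {src_net} -> pool {name} ({first}) is NATed")
    return findings

# Constructed sample: the NAT- and VPN-related lines of the config posted above.
THREAD_CONFIG = """\
ip local pool VPNPOOL 192.168.100.100 192.168.100.150
ip nat inside source list 1 interface GigabitEthernet0 overload
ip access-list extended NAT
 deny ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.77.0 0.0.0.255 any
access-list 1 permit 192.168.77.0 0.0.0.255
"""
FIXED_CONFIG = THREAD_CONFIG.replace("source list 1 ", "source list NAT ")  # the reply's fix
```

Running `audit(THREAD_CONFIG)` yields one finding for list 1, and `audit(FIXED_CONFIG)` yields none because the deny entry in the NAT ACL matches first.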
09-28-2011 08:22 PM
What command do I need to run to apply that?
I tried
int gigabitethernet0
ip access-group NAT in
Then I cannot get anywhere with the VPN client. I also tried adding
permit ip 192.168.100.0 0.0.0.255 192.168.77.0 0.0.0.255
which didn't help either.