[HELP] ISR 891 - Unable to connect to inside hosts via VPN

I am able to connect to my Cisco ISR 891 via VPN with the Cisco VPN Client 5.0.07.0440, but once connected I cannot access hosts on the inside. If I ping a host on the inside by name, nothing resolves. If I ping by IP, I get a reply from the public IP of the router. Sure I am missing something simple. Thanks!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXX
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 XXX
enable password 7 XXX
!
aaa new-model
!
aaa authentication login vpnuserauth group radius local
aaa authorization network XXXVPN local
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3003131779
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3003131779
 revocation-check none
 rsakeypair TP-self-signed-3003131779
!
crypto pki certificate chain TP-self-signed-3003131779
 certificate self-signed 01
  quit
no ip source-route
!
ip domain name xxxx.local
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO891-K9 sn XXXX
!
username XXX privilege 15 secret 5 XXXX
!
ip ssh version 2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group XXXVPN
 key XXXVPNKEY
 dns 192.168.77.25 8.8.8.8
 domain xxxx.local
 pool VPNPOOL
 acl SPLIT-TUNNEL
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set 3DES-SHA
 reverse-route
!
crypto map CRYPTO-OUTSIDE client authentication list vpnuserauth
crypto map CRYPTO-OUTSIDE isakmp authorization list XXXVPN
crypto map CRYPTO-OUTSIDE client configuration address respond
crypto map CRYPTO-OUTSIDE 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 no ip address
 shutdown
!
interface FastEthernet5
 no ip address
 shutdown
!
interface FastEthernet6
 no ip address
 shutdown
!
interface FastEthernet7
 no ip address
 shutdown
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map CRYPTO-OUTSIDE
!
interface Vlan1
 ip address 192.168.77.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool VPNPOOL 192.168.100.100 192.168.100.150
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 XXXX 254
!
ip access-list extended NAT
 permit ip 192.168.77.0 0.0.0.255 any
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255
!
ip radius source-interface Vlan1
access-list 1 permit 192.168.77.0 0.0.0.255
!
snmp-server community mdv RO
radius-server host 192.168.77.27 key 7 XXXX
!
control-plane
!
mgcp profile default
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 privilege level 15
 password 7 XXXX
 transport input telnet ssh
!
scheduler max-task-time 5000
end
Where is your route map?
Try changing your NAT statement for ACL 1 to an extended ACL, e.g. ACL 101 as below, and deny NAT from LAN to VPN hosts:
access-list 101 deny ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 192.168.77.0 0.0.0.255 any
 | I'm not sure what you are saying I should change or get rid of.
I did
no access-list 1 permit 192.168.77.0 0.0.0.255
access-list 101 deny ip 192.168.77.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 192.168.77.0 0.0.0.255 any
And still got a reply from the public IP when I ping an inside host.
In reply to mvalpreda: in addition to the ACL change, you also need to replace your NAT statement using the commands below and try again.
cle ip nat trans *
no ip nat inside source list 1 interface GigabitEthernet0 overload
ip nat inside source list 101 interface GigabitEthernet0 overload
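To see why the ACL change in the replies matters, here is an added Python model (not from the thread and not Cisco code) of how the ACL on "ip nat inside source list ... overload" classifies an inside host's reply to a VPN client: under ACL 1 the reply matches and is translated to the router's public address before it ever reaches the crypto map, which is the symptom the poster describes, while the deny entry in ACL 101 keeps it untranslated. The public address and the host addresses are constructed placeholders.

```python
from ipaddress import IPv4Address

# Constructed model of IOS ACL evaluation as used for NAT classification:
# entries are tested in order, first match wins, implicit deny at the end.
# Entry layout: (action, src_net, src_wildcard, dst_net, dst_wildcard);
# None for a network means "any".

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    if network is None:
        return True
    a = int(IPv4Address(addr))
    n = int(IPv4Address(network))
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_permits(acl, src, dst):
    """Return True if the ACL permits the src->dst flow (first match wins)."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

# The poster's original NAT ACL: "access-list 1 permit 192.168.77.0 0.0.0.255"
ACL_1 = [("permit", "192.168.77.0", "0.0.0.255", None, None)]

# The ACL proposed in the replies: exclude LAN -> VPN pool, then NAT the rest
ACL_101 = [
    ("deny",   "192.168.77.0", "0.0.0.255", "192.168.100.0", "0.0.0.255"),
    ("permit", "192.168.77.0", "0.0.0.255", None, None),
]

PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the DHCP address on Gi0

def nat_source(acl, src, dst):
    """Source address a packet leaves with under
    'ip nat inside source list <acl> interface GigabitEthernet0 overload'."""
    return PUBLIC_IP if acl_permits(acl, src, dst) else src

if __name__ == "__main__":
    host, vpn_client = "192.168.77.50", "192.168.100.101"
    print("ACL 1   reply source:", nat_source(ACL_1, host, vpn_client))
    print("ACL 101 reply source:", nat_source(ACL_101, host, vpn_client))
```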