Create ACL 101 permit 10.0.0.0 0.0.0.255 any
Then under the "crypto isakmp client configuration group SomeVPN" add "ACL 101"
Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] [email protected]
[Blog] http://cnc-networksecurity.blogspot.com/

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Networkers
Sent: Monday, January 05, 2009 10:38 AM
To: [email protected]
Subject: [c-nsp] Cisco Software Client -> Router VPN issue.

I'm trying to solve a problem with setting up the remote VPN access using the Cisco VPN software client. I have gotten it to the point where a user can remotely tunnel to the router from their Doze PC, log in, receive an IP in the 10.x.x.x network, and ping something on the 192.168.100.x network. However, they can't surf to the outside internet over that tunneled connection. I've taken a look at some sample configs on the Cisco site but they all seem to be similar to this. My thinking is that the dial pool doesn't get NATed properly, but I'm unsure on what to do to the config to fix this. Normal 192.168.100.x Ethernet-connected PCs in the home office can surf and do everything just fine.

Can someone offer a tidbit?

Thanks!
Chris

aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
username somebody password 0 my_password
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group SomeVPN
 key my_key
 pool ourpool
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
crypto ipsec transform-set trans2 esp-des esp-sha-hmac
crypto ipsec transform-set trans3 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set trans3
!
crypto map intmap client authentication list userauthen
crypto map intmap isakmp authorization list groupauthor
crypto map intmap client configuration address initiate
crypto map intmap client configuration address respond
crypto map intmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description Office LAN
 ip address 192.168.100.100 255.255.255.0
 ip nat inside
 no ip mroute-cache
!
interface Serial0/0
 ip address my_ip 255.255.255.252
 ip nat outside
 crypto map intmap
!
ip local pool ourpool 10.0.0.1 10.0.0.254
ip default-gateway upstream_ip
ip nat inside source route-map nonat interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
ip access-list extended NATRules
 deny   ip 192.168.100.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 10.0.0.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any
!
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 2 permit 192.168.100.0 0.0.0.255
!
route-map nonat permit 11
 match ip address NATRules
!
end

_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
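The split-tunnel list from the reply, applied to the poster's group configuration, as an added illustration rather than text from either message. In IOS the `acl` statement under the client group is the split-tunnel list: its source entries are the networks the client should send through the tunnel, and its destination is the client pool (here 10.0.0.0/24 from `ip local pool ourpool`), so the office LAN sits in the source field; the group name, key and pool are taken from the posted config.

```cisco
! Split-tunnel list: source = networks reached through the tunnel,
! destination = the client address pool (10.0.0.0/24 from "ip local pool ourpool").
access-list 101 permit ip 192.168.100.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto isakmp client configuration group SomeVPN
 key my_key
 pool ourpool
 acl 101
!
! The client now routes only 192.168.100.0/24 into the tunnel; its Internet traffic
! leaves its own connection directly and is no longer seen by the office router.
```

After the client reconnects, `show crypto ipsec sa` on the router should list a local ident of 192.168.100.0/255.255.255.0 for the client's SA instead of 0.0.0.0/0.0.0.0, confirming the split-tunnel list was pushed.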
