Question : Unable to access LAN

I am new to Cisco equipment, so I am using the 871W router for learning. I used the SDM to set up the Easy VPN Server.

I can connect no problem using the Cisco VPN Client. However once connected, I am unable to access any of the resources. If I ping 10.5.1.30, my printer, it times out.

If I monitor the terminal I don't see anything. Looking at the statistics in the client, I see encrypted packets but no decrypted packets. It appears the request is being sent through the tunnel but not reaching the 10.5.1.0/24 network.

Attached is my configuration; any help is appreciated!
Code Snippet:
Current configuration : 11249 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname natav
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5 x
enable password 7 x
!
aaa new-model
!
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1286443475
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1286443475
 revocation-check none
 rsakeypair TP-self-signed-1286443475
!
!
crypto pki certificate chain TP-self-signed-1286443475
 certificate self-signed 02
xxxxx
        quit
dot11 syslog
!
dot11 ssid weinet
   vlan 20
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 x
!
dot11 ssid weinet2
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   mbssid guest-mode
   wpa-psk ascii 7 x
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.5.2.1 10.5.2.99
ip dhcp excluded-address 10.5.1.1 10.5.1.14
!
ip dhcp pool Internal-net
   import all
   network 10.5.1.0 255.255.255.0
   default-router 10.5.1.1
   domain-name weinraub
   lease 4
!
ip dhcp pool VLAN20
   import all
   network 10.5.2.0 255.255.255.0
   default-router 10.5.2.1
   domain-name weinraub
   lease 4
!
ip dhcp pool colourlaser
   host 10.5.1.30 255.255.255.0
   hardware-address 001a.4b14.9078 ieee802
   client-name colourlaser
!
!
ip inspect max-incomplete high 1000
ip inspect max-incomplete low 900
ip inspect one-minute high 1000
ip inspect one-minute low 900
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name weinraub.local
!
!
!
username jweinraub privilege 15 password 7 x
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group weinraub-vpn
 key [for some reason, this is plain text...]
 dns 167.206.245.129 167.206.245.130
 domain weinraub.local
 pool SDM_POOL_1
 acl 103
 include-local-lan
 max-users 5
 netmask 255.255.255.0
 banner ^CWelcome to the Weinraub VPN Server!
Unauthorised access will result in severe criminal and civil liabilities!  ^C
crypto isakmp profile sdm-ike-profile-1
   match identity group weinraub-vpn
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto ctcp port 10000
archive
 log config
  hidekeys
!
!
ip ssh authentication-retries 2
ip ssh version 2
!
bridge irb
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface FastEthernet4
 description $ES_WAN$$ETH-WAN$
 ip address dhcp client-id FastEthernet4
 ip access-group Internet-inbound-ACL in
 ip inspect MYFW out
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1460
 duplex auto
 speed auto
 no cdp enable
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 encryption vlan 20 mode ciphers tkip
 !
 ssid weinet
 !
 ssid weinet2
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
 description Guest wireless LAN - routed WLAN
 encapsulation dot1Q 20
 ip address 10.5.2.1 255.255.255.0
 ip access-group Guest-ACL in
 ip inspect MYFW out
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description Internal Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 description Bridge to Internal Network
 ip address 10.5.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
ip local pool SDM_POOL_1 10.5.3.15 10.5.3.26
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http access-class 4
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended Guest-ACL
 remark SDM_ACL Category=17
 permit ip any 10.5.1.0 0.0.0.255
 deny   ip any any
ip access-list extended Internet-inbound-ACL
 permit tcp any any eq 10000
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit udp host 167.206.245.130 eq domain any
 permit ahp any any
 permit udp host 167.206.245.129 eq domain any
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit tcp any any eq 22
 permit tcp any any eq www
 permit tcp any any eq 25919
 permit gre any any
 permit esp any any
 deny   tcp any any log
!
access-list 1 remark SDM_ACL Category=18
access-list 1 permit 10.5.1.0 0.0.0.255
access-list 1 permit 10.5.2.0 0.0.0.255
access-list 1 permit 10.5.3.0 0.0.0.255
access-list 1 deny   any log
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.5.1.15
access-list 2 permit 192.168.9.0 0.0.0.255
access-list 2 permit 10.5.1.0 0.0.0.255
access-list 2 permit 10.3.0.0 0.0.255.255
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 10.5.1.15
access-list 3 permit 71.172.55.11
access-list 3 permit 68.197.65.55
access-list 3 permit 68.197.0.0 0.0.255.255
access-list 4 permit 10.5.1.15
access-list 4 remark Auto generated by SDM Management Access feature
access-list 4 remark SDM_ACL Category=1
access-list 4 permit 68.197.0.0 0.0.255.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 68.197.0.0 0.0.255.255 host 10.5.1.1 eq 22
access-list 100 permit tcp host 10.5.1.15 host 10.5.1.1 eq 22
access-list 100 permit tcp host 68.197.65.55 host 10.5.1.1 eq 22
access-list 100 permit tcp 192.168.9.0 0.0.0.255 host 10.5.1.1 eq 22
access-list 100 permit tcp 10.5.1.0 0.0.0.255 host 10.5.1.1 eq 22
access-list 100 permit tcp 10.3.0.0 0.0.255.255 host 10.5.1.1 eq 22
access-list 100 permit tcp 68.197.0.0 0.0.255.255 host 10.5.1.1 eq www
access-list 100 permit tcp host 68.197.65.55 host 10.5.1.1 eq www
access-list 100 permit tcp host 71.172.55.11 host 10.5.1.1 eq www
access-list 100 permit tcp host 10.5.1.15 host 10.5.1.1 eq www
access-list 100 permit tcp 68.197.0.0 0.0.255.255 host 10.5.1.1 eq 443
access-list 100 permit tcp host 68.197.65.55 host 10.5.1.1 eq 443
access-list 100 permit tcp host 71.172.55.11 host 10.5.1.1 eq 443
access-list 100 permit tcp host 10.5.1.15 host 10.5.1.1 eq 443
access-list 100 permit tcp 192.168.9.0 0.0.0.255 host 10.5.1.1 eq 443
access-list 100 permit tcp 10.5.1.0 0.0.0.255 host 10.5.1.1 eq 443
access-list 100 permit tcp 10.3.0.0 0.0.255.255 host 10.5.1.1 eq 443
access-list 100 permit tcp 68.197.0.0 0.0.255.255 host 10.5.1.1 eq cmd
access-list 100 permit tcp host 10.5.1.15 host 10.5.1.1 eq cmd
access-list 100 permit tcp host 68.197.65.55 host 10.5.1.1 eq cmd
access-list 100 permit tcp 192.168.9.0 0.0.0.255 host 10.5.1.1 eq cmd
access-list 100 permit tcp 10.5.1.0 0.0.0.255 host 10.5.1.1 eq cmd
access-list 100 permit tcp 10.3.0.0 0.0.255.255 host 10.5.1.1 eq cmd
access-list 100 permit udp 68.197.0.0 0.0.255.255 host 10.5.1.1 eq snmp
access-list 100 permit udp host 10.5.1.15 host 10.5.1.1 eq snmp
access-list 100 permit udp host 68.197.65.55 host 10.5.1.1 eq snmp
access-list 100 permit tcp any host 10.5.1.1 eq 22
access-list 100 permit ip any any
access-list 100 deny   tcp any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 68.197.0.0 0.0.255.255 any
access-list 101 permit ip host 10.5.1.15 any
access-list 101 permit ip host 68.197.65.55 any
access-list 101 permit ip 192.168.9.0 0.0.0.255 any
access-list 101 permit ip 10.5.1.0 0.0.0.255 any
access-list 101 permit ip 10.3.0.0 0.0.255.255 any
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 25919
access-list 101 deny   tcp any any log
access-list 103 permit ip 10.5.1.0 0.0.0.255 any
access-list 103 permit ip 10.5.2.0 0.0.0.255 any
access-list 103 permit ip 10.5.3.0 0.0.0.255 any
snmp-server community public RO
!
!
!
control-plane
!
bridge 1 route ip
banner motd ^C
       ******************************************
       *     Unauthorized access prohibited     *
       ******************************************
^C
!
line con 0
 password 7 x
 no modem enable
line aux 0
line vty 0 4
 access-class 101 in
 exec-timeout 60 0
 privilege level 15
 password 7 x
 transport input ssh
!
scheduler max-task-time 5000
end

Answer : Unable to access LAN

Hi there,

Traffic returning from your internal network to your VPN remote clients is being NAT'd because of this statement:

access-list 1 remark SDM_ACL Category=18
access-list 1 permit 10.5.1.0 0.0.0.255
access-list 1 permit 10.5.2.0 0.0.0.255
access-list 1 permit 10.5.3.0 0.0.0.255
access-list 1 deny   any log

You will need to remove this access list and create an extended access list. Due to the weird numbering of your VPN clients with no regard to wildcarding, you will have to create a lot of access-list entries. You may choose to group them up if you have time to calculate these masks :)

access-list 175 remark NAT_TRAVERSAL
access-list 175 deny   ip any host 10.5.3.15
access-list 175 deny   ip any host 10.5.3.16
....(add more for the rest of your vpn client ip addresses..)
access-list 175 deny   ip any host 10.5.3.26
access-list 175 permit ip 10.5.1.0 0.0.0.255 any
access-list 175 permit ip 10.5.2.0 0.0.0.255 any
access-list 175 permit ip 10.5.3.0 0.0.0.255 any
access-list 175 deny ip any any log

and change your NAT statement from

Line 235: ip nat inside source list 1 interface FastEthernet4 overload

to:

ip nat inside source list 175 interface FastEthernet4 overload


This is the simpler way of doing things. You may choose to use route-maps if you are dealing with multiple interfaces. Good luck :)

P.S. I checked for reverse-route settings, but I'm not too sure with SDM settings as they have different ways of configuring one simple thing!
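As an added illustration (not part of the original answer, and not Cisco tooling): a small Python model of the NAT decision the answer describes. It shows why the posted list 1 translates the printer's replies to a VPN client, how the proposed ACL 175 exempts them, and it does the wildcard-mask calculation the answer mentions, collapsing the pool 10.5.3.15-10.5.3.26 into four entries instead of twelve host lines. The constant names and the outside address 198.51.100.7 are constructed.

```python
import ipaddress

# Constructed from the posted config: Easy VPN pool SDM_POOL_1, the inside
# networks that NAT list 1 permits, and list 1 itself (remark line dropped).
POOL_FIRST, POOL_LAST = "10.5.3.15", "10.5.3.26"
INSIDE_NETS = ["10.5.1.0 0.0.0.255", "10.5.2.0 0.0.0.255", "10.5.3.0 0.0.0.255"]
ORIGINAL_LIST_1 = [f"access-list 1 permit {n}" for n in INSIDE_NETS] + ["access-list 1 deny   any log"]

def pool_wildcard_entries(first, last):
    """Smallest (address, wildcard) set covering exactly first..last; a Cisco wildcard is the inverted netmask."""
    rng = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in rng]

def build_nat_acl(first=POOL_FIRST, last=POOL_LAST, number=175):
    """The NAT ACL the answer proposes: deny (= do not translate) traffic to VPN clients, then permit inside nets."""
    acl = [f"access-list {number} deny   ip any "
           + (f"host {a}" if w == "0.0.0.0" else f"{a} {w}")
           for a, w in pool_wildcard_entries(first, last)]
    acl += [f"access-list {number} permit ip {n} any" for n in INSIDE_NETS]
    return acl + [f"access-list {number} deny   ip any any log"]

def _take(toks):
    """Pop one address term (any | host A | A WILDCARD) off the token list."""
    t = toks.pop(0)
    return t if t == "any" else f"{t} {toks.pop(0)}"

def _matches(term, ip):
    if term == "any":
        return True
    a, w = term.split()
    if a == "host":
        return ip == w
    keep = ~int(ipaddress.IPv4Address(w)) & 0xFFFFFFFF      # bits that must agree
    return (int(ipaddress.IPv4Address(a)) & keep) == (int(ipaddress.IPv4Address(ip)) & keep)

def nat_decision(acl, src, dst):
    """First-match walk: permit = translate out the WAN side, deny/no match = untranslated (routes into the tunnel)."""
    for line in acl:
        toks = line.split()
        action, rest = toks[2], toks[3:]
        if rest[0] == "ip":                 # extended entry: source + destination
            rest = rest[1:]
            s, d = _take(rest), _take(rest)
        else:                               # standard entry: source only
            s, d = _take(rest), "any"
        if _matches(s, src) and _matches(d, dst):
            return "translate" if action == "permit" else "no-translate"
    return "no-translate"
```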


