
Cisco 857 VPN connects but no local LAN access

Status
Not open for further replies.

kevwiener

Technical User
Jan 6, 2003
41
AU
Hi, I have a Cisco 857 router set up; it's on the latest IOS (C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T17). The VPN connects fine and I get assigned my IP address from my VPN pool. I can ping the router address no problem, but I can't get on any of my network shares or ping anything else. I know this is an ACL issue, but I can't for the life of me figure out what the issue is. I have tried every combination of ACL I can think of, but it still won't work. I have had it where I can ping my server on the LAN but then can't ping the router :(

Any help would be appreciated; attached is my config.

Thanks,
Kev
 
Also, not sure if this is correct or not, but when I am connected to the VPN and I ping the router I get the reply address of my WAN IP??
 
Try changing the order of the ACEs in your ACL 100... Put the deny statement before the permit statement.

 
Legend :D I knew it would be something stupid like that, looool :)

That's a mistake I won't be making in the future, for sure.

Thanks a lot :)

Kev
 
Just another one for you: I have rules in place for my laptop so I can VNC in from anywhere, but this won't work when I'm on the VPN unless I can put in an extendable rule to bypass the NAT. I have done this at my workplace so that I can remote into servers using RDP when on the VPN, but for some reason it won't let me add the rule on my own router :(

Below is a snippet from the config; basically what I'm trying to achieve is adding the parts below in brackets (without the brackets in the code).

ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.120 5900 interface Dialer0 (5900 route-map Bypass-NAT extendable)
ip nat inside source static tcp 192.168.2.120 32122 interface Dialer0 32122
ip nat inside source static tcp 192.168.2.120 5800 interface Dialer0 (5800 route-map Bypass-NAT extendable)
!
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
dialer-list 1 protocol ip permit
route-map Bypass-NAT deny 10
match ip address 120
!
route-map Bypass-NAT permit 20
 
So you're trying to access the inside resource by using the Dialer0 interface while connected to the VPN?? Have you tried simply accessing 192.168.2.120 directly while connected via the VPN?? By exempting 192.168.2/24 from the NAT process while communicating with the 192.168.5/24 network, you shouldn't need to worry about this.

 
Yes, I tried it directly; just the VNC won't work through ports 5800 and 5900. That's why I thought I might have to make those entries exempt from NAT, so that when I'm on the .5/24 network it doesn't try to go via the Dialer0 interface, if that makes sense.
 
It does work if I take out the two rules for ports 5800 and 5900, but then I can't get into my laptop when not on the VPN. Is it possible to have it both ways?
 
OK, I worked it out :)
So basically it wouldn't let me use my Bypass-NAT route map because I was telling it to use the Dialer0 interface, so I changed this to my external IP and then put in the rules as follows:

ip nat inside source static tcp 192.168.2.120 5800 122.***.***.*** 5800 route-map Bypass-NAT extendable
ip nat inside source static tcp 192.168.2.120 5900 122.***.***.*** 5900 route-map Bypass-NAT extendable

I can now connect to the VPN and VNC to the local address, and also VNC straight to the external IP when not on the VPN :)
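Both fixes in this thread come down to the same first-match rule: in ACL 100 the deny for LAN-to-VPN traffic has to sit before the permit-any, and in the Bypass-NAT route-map the deny 10 (matching ACL 120) has to sit before the permit 20, otherwise VPN traffic is translated and replies appear to come from the WAN address. The Python model below is an added example and is not code from the thread or from Cisco; it copies the networks and ACL contents from the posted configuration, uses constructed host addresses (192.168.5.10 as a VPN client, 203.0.113.7 as an Internet host), and its evaluator is a simplified stand-in for IOS behaviour, not IOS itself.

```python
"""First-match model of an IOS NAT access-list and NAT route-map.

Added example: the evaluator is a simplified, hypothetical model of how
IOS walks ACEs and route-map sequences; networks come from the thread.
"""
import ipaddress
from typing import List, Optional, Tuple

# An ACE is (action, source network, destination network).
# IOS writes "192.168.2.0 0.0.0.255" (wildcard mask); here it is "192.168.2.0/24".
ACE = Tuple[str, str, str]
# A route-map sequence is (action, ACL referenced by "match ip address", or None
# for a sequence with no match clause, which matches everything).
RouteMapSeq = Tuple[str, Optional[List[ACE]]]


def acl_lookup(acl: List[ACE], src: str, dst: str) -> str:
    """Return the action of the first ACE that matches src/dst.

    Like IOS, evaluation stops at the first match and an ACL that matches
    nothing ends in an implicit deny.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


def nat_overload_applies(acl: List[ACE], src: str, dst: str) -> bool:
    """'ip nat inside source list <acl> interface Dialer0 overload' translates a
    packet only when the ACL permits it; a deny ACE means 'leave it alone'."""
    return acl_lookup(acl, src, dst) == "permit"


def route_map_permits(rmap: List[RouteMapSeq], src: str, dst: str) -> bool:
    """A static NAT entry with 'route-map X' is applied only if the route-map
    permits the packet. The first sequence whose match clause matches decides;
    a match clause referencing an ACL matches when that ACL permits the packet.
    If no sequence matches, the route-map denies."""
    for action, match_acl in rmap:
        if match_acl is None or acl_lookup(match_acl, src, dst) == "permit":
            return action == "permit"
    return False


# ACL 100 with the permit ahead of the deny: the permit matches LAN->VPN
# traffic first, so it gets translated (the symptom described in the thread).
ACL_100_PERMIT_FIRST: List[ACE] = [
    ("permit", "192.168.2.0/24", "0.0.0.0/0"),
    ("deny", "192.168.2.0/24", "192.168.5.0/24"),
]
# ACL 100 as corrected: deny the VPN pool first, then permit everything else.
ACL_100_DENY_FIRST: List[ACE] = [
    ("deny", "192.168.2.0/24", "192.168.5.0/24"),
    ("permit", "192.168.2.0/24", "0.0.0.0/0"),
]
# access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
ACL_120: List[ACE] = [("permit", "192.168.2.0/24", "192.168.5.0/24")]
# route-map Bypass-NAT deny 10 / match ip address 120 ; route-map Bypass-NAT permit 20
BYPASS_NAT: List[RouteMapSeq] = [("deny", ACL_120), ("permit", None)]

# Constructed endpoints: the VNC host from the thread, a VPN client in the
# pool, and an Internet host from the documentation range.
LAN_HOST = "192.168.2.120"
VPN_CLIENT = "192.168.5.10"
INTERNET_HOST = "203.0.113.7"


def demo() -> dict:
    """Evaluate the posted configuration against the constructed endpoints."""
    return {
        # Overload NAT for LAN->VPN traffic with each ACE order.
        "vpn_translated_permit_first": nat_overload_applies(ACL_100_PERMIT_FIRST, LAN_HOST, VPN_CLIENT),
        "vpn_translated_deny_first": nat_overload_applies(ACL_100_DENY_FIRST, LAN_HOST, VPN_CLIENT),
        # Internet-bound traffic must still be translated after the fix.
        "internet_translated_deny_first": nat_overload_applies(ACL_100_DENY_FIRST, LAN_HOST, INTERNET_HOST),
        # Static VNC entries: skipped for VPN peers, applied for Internet peers.
        "static_nat_applied_to_vpn": route_map_permits(BYPASS_NAT, LAN_HOST, VPN_CLIENT),
        "static_nat_applied_to_internet": route_map_permits(BYPASS_NAT, LAN_HOST, INTERNET_HOST),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model deliberately stops at the first matching ACE or sequence, which is the behaviour that makes ordering matter: with the permit ahead of the deny, the deny is unreachable, and with a route-map whose deny sequence comes second, the permit-all at sequence 10 would shadow it in the same way.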
 
Absolutely it is possible. Put your static NAT entries back and change your ACL 110 to read:
access-list 110 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255

 
Hey Kev, never mind my last post. I had been working on some ASAs earlier and threw myself off for a second. Sorry if I confused you :)

 
Hey, you didn't confuse me :) You led me to re-look at what I was doing and I saw where I was going wrong :D
 