VPN access-list help
sachaos
Member Posts: 7
in CCNA & CCENT
I need help configuring a router to allow access from users on a VPN to a node on the other side of a site-to-site VPN.
Maybe I am missing something in my access-list configuration.
The 172.16.6.0 network can ping 10.200.1.2
The router can ping 10.200.1.2 using a source address of 172.16.6.1
The VPN users (172.16.100.0) cannot ping this node.
Here is the network.
Here are the configurations that I think apply.
ip local pool vpn_pool 172.16.100.1 172.16.100.6
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
route-map SDM_RMAP_1 permit 1
match ip address 101
crypto map mymap 20 ipsec-isakmp
set peer 33.33.33.33
set transform-set office1-to-office2
match address 170
crypto isakmp client configuration group vpnTest
key vpntest
pool vpn_pool
acl 155
access-list 101 remark DO NOT NAT TO INTERNET
access-list 101 deny ip 172.16.6.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 101 deny ip 172.16.6.0 0.0.0.255 172.16.150.0 0.0.0.255
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.100.1
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.100.2
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.100.3
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.100.4
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.100.5
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.100.6
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.1
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.2
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.3
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.4
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.5
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.6
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.7
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.8
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.9
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.10
access-list 101 deny ip 172.16.6.0 0.0.0.15 host 10.200.1.2
access-list 101 deny ip 172.16.6.0 0.0.0.15 host 10.200.1.72
access-list 101 deny ip 172.16.100.0 0.0.0.7 host 10.200.1.2
access-list 101 deny ip 172.16.100.0 0.0.0.7 host 10.200.1.72
access-list 101 deny tcp host 172.16.6.7 eq 3389 any
access-list 101 permit ip 172.16.6.0 0.0.0.255 any
access-list 155 permit ip 172.16.6.0 0.0.0.255 172.16.100.0 0.0.0.7
access-list 170 permit ip 172.16.100.0 0.0.0.7 host 10.200.1.2
access-list 170 permit ip 172.16.100.0 0.0.0.7 host 10.200.1.72
access-list 170 permit ip 172.16.6.0 0.0.0.15 host 10.200.1.2
access-list 170 permit ip 172.16.6.0 0.0.0.15 host 10.200.1.72
The VPN users can get to the 172.16.6.0 network without any problems. Also...the remote router 33.33.33.33 is not under my control. I just want to make sure everything is configured properly on my end.
Thanks for the help.
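To reason about which of the three lists actually matches a given flow, here is an added example (written for this page, not code from the poster or from Cisco): a small wildcard-mask ACL evaluator that applies Cisco first-match / implicit-deny semantics to a constructed subset of the ACLs above. It assumes the standard behaviour of the constructs in the post: a route-map `deny` in access-list 101 means the packet is not translated, a `permit` in crypto ACL 170 makes the flow interesting to the IPsec peer, and the source networks of split-tunnel ACL 155 are what the VPN clients are told to route through the tunnel. Running it for a client flow (172.16.100.x to 10.200.1.2) shows the NAT exemption and the crypto ACL both matching, while ACL 155 only covers 172.16.6.0/24 as a tunnelled destination, which is the list worth checking against what the client actually routes.

```python
"""Evaluate Cisco-style ACL entries against sample flows.

Added example for this thread; it reproduces only the "ip" entries of the
poster's lists (tcp/port entries are skipped) and hard-codes the Cisco
semantics described in the lead-in as assumptions.
"""
import ipaddress

# Constructed subset of the poster's ACL 101 / 155 / 170 entries.
ACL_TEXT = """
access-list 101 remark DO NOT NAT TO INTERNET
access-list 101 deny ip 172.16.6.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 101 deny ip 172.16.6.0 0.0.0.15 host 10.200.1.2
access-list 101 deny ip 172.16.6.0 0.0.0.15 host 10.200.1.72
access-list 101 deny ip 172.16.100.0 0.0.0.7 host 10.200.1.2
access-list 101 deny ip 172.16.100.0 0.0.0.7 host 10.200.1.72
access-list 101 deny tcp host 172.16.6.7 eq 3389 any
access-list 101 permit ip 172.16.6.0 0.0.0.255 any
access-list 155 permit ip 172.16.6.0 0.0.0.255 172.16.100.0 0.0.0.7
access-list 170 permit ip 172.16.100.0 0.0.0.7 host 10.200.1.2
access-list 170 permit ip 172.16.100.0 0.0.0.7 host 10.200.1.72
access-list 170 permit ip 172.16.6.0 0.0.0.15 host 10.200.1.2
access-list 170 permit ip 172.16.6.0 0.0.0.15 host 10.200.1.72
"""

ALL_ONES = 0xFFFFFFFF


def _parse_addr(tokens, i):
    """Consume one address spec ('any', 'host X', or 'NET WILDCARD').

    Returns ((network_int, wildcard_int), next_token_index).
    """
    if tokens[i] == "any":
        return (0, ALL_ONES), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_acls(text):
    """Return {acl_number: [(action, src_spec, dst_spec), ...]} in order."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        num, action, proto = int(tok[1]), tok[2], tok[3]
        if proto != "ip":
            continue  # port-qualified tcp/udp entries are out of scope here
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)
        acls.setdefault(num, []).append((action, src, dst))
    return acls


def _matches(addr, spec):
    """Cisco wildcard test: bits where the wildcard is 0 must equal the network."""
    net, wild = spec
    return (int(ipaddress.IPv4Address(addr)) ^ net) & (~wild & ALL_ONES) == 0


def evaluate(acls, num, src, dst):
    """First matching entry wins; no match is the implicit deny."""
    for action, s, d in acls.get(num, []):
        if _matches(src, s) and _matches(dst, d):
            return action
    return "implicit-deny"


def split_tunnel_covers_dst(acls, dst):
    """Assumption: the *source* networks of the split-tunnel ACL are what
    the client routes into the tunnel, so test the destination against them."""
    return any(action == "permit" and _matches(dst, s)
               for action, s, _ in acls.get(155, []))


def classify_flow(acls, src, dst):
    """Summarise how the three lists treat one src->dst flow."""
    return {
        # route-map only translates on permit; deny or no match = not NATed
        "nat_exempt": evaluate(acls, 101, src, dst) != "permit",
        "crypto_interesting": evaluate(acls, 170, src, dst) == "permit",
        "split_tunnel_covers_dst": split_tunnel_covers_dst(acls, dst),
    }


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    for src, dst in [("172.16.100.3", "10.200.1.2"),
                     ("172.16.6.5", "10.200.1.2"),
                     ("172.16.6.50", "10.200.1.2"),
                     ("172.16.100.3", "172.16.6.10")]:
        print(src, "->", dst, classify_flow(acls, src, dst))
```

The third sample flow is included because ACL 170 and the matching NAT exemption only cover 172.16.6.0 with wildcard 0.0.0.15 (sixteen addresses), not the whole /24, so the evaluator reports that 172.16.6.50 would be NATed out FastEthernet0/1 rather than sent into the tunnel.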