
VPN access-list help

sachaos Member Posts: 7
I need help configuring a router to allow access from users on a VPN to a node on the other side of a site-to-site VPN.

Maybe I am missing something in my access-list configuration.

The 172.16.6.0 network can ping 10.200.1.2

The router can ping 10.200.1.2 using a source address of 172.16.6.1

The VPN users (172.16.100.0) cannot ping this node.

Here is the network.

(network diagram image: 31050987.jpg)

Here are the configurations that I think apply.

ip local pool vpn_pool 172.16.100.1 172.16.100.6

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload

route-map SDM_RMAP_1 permit 1
match ip address 101

crypto map mymap 20 ipsec-isakmp
set peer 33.33.33.33
set transform-set office1-to-office2
match address 170

crypto isakmp client configuration group vpnTest
key vpntest
pool vpn_pool
acl 155

access-list 101 remark DO NOT NAT TO INTERNET
access-list 101 deny ip 172.16.6.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 101 deny ip 172.16.6.0 0.0.0.255 172.16.150.0 0.0.0.255
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.100.1
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.100.2
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.100.3
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.100.4
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.100.5
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.100.6
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.1
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.2
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.3
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.4
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.5
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.6
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.7
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.8
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.9
access-list 101 deny ip 172.16.6.0 0.0.0.255 host 172.16.150.10
access-list 101 deny ip 172.16.6.0 0.0.0.15 host 10.200.1.2
access-list 101 deny ip 172.16.6.0 0.0.0.15 host 10.200.1.72
access-list 101 deny ip 172.16.100.0 0.0.0.7 host 10.200.1.2
access-list 101 deny ip 172.16.100.0 0.0.0.7 host 10.200.1.72
access-list 101 deny tcp host 172.16.6.7 eq 3389 any
access-list 101 permit ip 172.16.6.0 0.0.0.255 any

access-list 155 permit ip 172.16.6.0 0.0.0.255 172.16.100.0 0.0.0.7

access-list 170 permit ip 172.16.100.0 0.0.0.7 host 10.200.1.2
access-list 170 permit ip 172.16.100.0 0.0.0.7 host 10.200.1.72
access-list 170 permit ip 172.16.6.0 0.0.0.15 host 10.200.1.2
access-list 170 permit ip 172.16.6.0 0.0.0.15 host 10.200.1.72


The VPN users can get to the 172.16.6.0 network without any problems. Also, the remote router 33.33.33.33 is not under my control. I just want to make sure everything is configured properly on my end.

Thanks for the help.
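Added example, not from the post or from Cisco: a small first-match evaluator for the three numbered ACLs above, using IOS wildcard-mask semantics, so each flow in the question can be checked against the NAT route-map list (101), the split-tunnel list pushed to the clients (155) and the crypto map list (170) without a router. The ACL text is copied from the post, with the per-host entries of ACL 101 left out because the two preceding /24 entries already cover every one of them; the hosts 172.16.100.3, 172.16.6.5 and 172.16.6.20 are constructed sample addresses. Port operators are parsed past but not matched, which is enough for the ICMP flows in question.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# ACL lines as posted (ACL 101 host entries omitted: the /24 entries cover them).
ACL_TEXT = """\
access-list 101 remark DO NOT NAT TO INTERNET
access-list 101 deny ip 172.16.6.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 101 deny ip 172.16.6.0 0.0.0.255 172.16.150.0 0.0.0.255
access-list 101 deny ip 172.16.6.0 0.0.0.15 host 10.200.1.2
access-list 101 deny ip 172.16.6.0 0.0.0.15 host 10.200.1.72
access-list 101 deny ip 172.16.100.0 0.0.0.7 host 10.200.1.2
access-list 101 deny ip 172.16.100.0 0.0.0.7 host 10.200.1.72
access-list 101 deny tcp host 172.16.6.7 eq 3389 any
access-list 101 permit ip 172.16.6.0 0.0.0.255 any
access-list 155 permit ip 172.16.6.0 0.0.0.255 172.16.100.0 0.0.0.7
access-list 170 permit ip 172.16.100.0 0.0.0.7 host 10.200.1.2
access-list 170 permit ip 172.16.100.0 0.0.0.7 host 10.200.1.72
access-list 170 permit ip 172.16.6.0 0.0.0.15 host 10.200.1.2
access-list 170 permit ip 172.16.6.0 0.0.0.15 host 10.200.1.72
"""


@dataclass
class Entry:
    acl: str
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches every protocol
    src_net: int
    src_mask: int    # bits that must match (inverse of the wildcard)
    dst_net: int
    dst_mask: int
    text: str


def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD); return (net, mask, next index)."""
    if tokens[i] == "any":
        return 0, 0, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ~wildcard & 0xFFFFFFFF
    return net & mask, mask, i + 2


def _skip_port(tokens, i):
    # Port operators are skipped, not matched (sufficient for ICMP/IP checks).
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        return i + 2
    return i


def parse_acls(text: str):
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src_net, src_mask, i = _parse_addr(t, 4)
        i = _skip_port(t, i)
        dst_net, dst_mask, i = _parse_addr(t, i)
        entries.append(Entry(t[1], t[2], t[3], src_net, src_mask, dst_net, dst_mask, line))
    return entries


def evaluate(entries, acl: str, src: str, dst: str, proto: str = "icmp") -> Tuple[str, Optional[str]]:
    """First matching entry wins; no match means the implicit deny at the end of the list."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e.acl != acl or (e.proto != "ip" and e.proto != proto):
            continue
        if (s & e.src_mask) == e.src_net and (d & e.dst_mask) == e.dst_net:
            return e.action, e.text
    return "deny", None


def client_flow_report(entries, client: str, target: str):
    """How the three lists treat one VPN-client-to-target flow.
    A 'deny' in 101 means the route-map does not NAT it; a 'permit' in 170 makes it
    interesting traffic for the crypto map. IOS writes the split-tunnel list (155)
    from the router's side (source = protected network), so it is checked reversed."""
    return {
        "101_nat_exempt": evaluate(entries, "101", client, target),
        "155_split_tunnel": evaluate(entries, "155", target, client),
        "170_crypto": evaluate(entries, "170", client, target),
    }


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    for name, result in client_flow_report(acls, "172.16.100.3", "10.200.1.2").items():
        print(name, result)
    print("LAN .5 -> 10.200.1.2:", evaluate(acls, "101", "172.16.6.5", "10.200.1.2")[0],
          evaluate(acls, "170", "172.16.6.5", "10.200.1.2")[0])
    print("LAN .20 -> 10.200.1.2:", evaluate(acls, "101", "172.16.6.20", "10.200.1.2")[0],
          evaluate(acls, "170", "172.16.6.20", "10.200.1.2")[0])
```

Run against the posted lists, the evaluator reports that a client at 172.16.100.3 talking to 10.200.1.2 is NAT-exempt in 101 and permitted in 170, exactly like a LAN host in 172.16.6.0/28, but that no entry of ACL 155 covers 10.200.1.2; with split tunnelling, a client only sends traffic into the tunnel for the networks that list pushes to it, so that is the first thing to verify on this side. It also shows that the 0.0.0.15 wildcard in 101 and 170 only covers 172.16.6.0 to 172.16.6.15: a LAN host such as 172.16.6.20 falls through to the final permit in 101 (so it is NATed) and to the implicit deny in 170, even though the post describes the whole 172.16.6.0 network as able to reach the node.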