06-19-2014 12:00 PM
I'm really stuck on trying to reach all my VLANs on my 3200 controller via VPN IPsec. Hope to get some help here.
My configuration is this:
Controller IP: 172.16.0.254
VLAN 10: 192.168.0.0
VLAN 20: 10.1.99.0
IPsec pool: 192.168.0.240-254
Role: default VPN role (I removed the allow all and added the src-nat: user any any src-nat)
I connect and get a 192.168.0.x address. Router address 172.16.0.254.
I am trying to reach the 10.1.99.0 network but can't.
Appreciate some help, I'm kind of new to this.
06-19-2014 12:26 PM - edited 06-19-2014 12:39 PM
Just to clarify, you're trying to VPN from a device to the controller, correct? Your VPN client says you're connected, but yet you cannot reach the 10.1.99.0 network once connected?
06-19-2014 12:49 PM
Check your vpn user role to make sure that your first ACL is "any any src-nat <pool>". If you haven't already, you'll need to create a source nat pool that includes an IP address on your controller that your VPN users will be NAT'd by.
I don't recall if this is absolutely necessary, but I also included a "permit any any" AFTER the src-nat ACL. Working fine for me.
06-19-2014 02:04 PM
My first ACL is any any src-nat. I made a NAT pool:
Start IP Address: 192.168.0.240
End IP Address: 192.168.0.254
Destination NAT IP Address: 10.1.99.1
Then added the permit any any, but not working.
Is the NAT pool correctly set up?
Should I select the "Used by VPN" also?
Permit any any is at the end.
06-19-2014 02:46 PM
Close, but the NAT pool actually just needs to be a single IP address. In other words, the starting & ending IP should be the same IP on the controller that you want traffic to be NAT'd out of. Also, the destination IP should be the same single IP.
I'd like to better understand why the nat pool has to be configured like that, but I do know that it works.
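As an added illustration of what the two replies describe, here is the range-based pool from the earlier post next to the single-IP pool the last reply recommends, followed by the VPN role ACL with src-nat first and permit any any after it. This is example configuration written for this thread, not the poster's or Aruba's own config; the ArubaOS CLI syntax, the pool and ACL names (vpn-srcnat, vpn-srcnat-acl), and the choice of 192.168.0.254 as the controller IP to NAT from are assumptions, so check them against your controller's reference guide before applying anything.

```text
! Added example; ArubaOS CLI syntax is an assumption, verify against your release's reference guide.

! Pool as configured in the earlier post (start/end range plus a destination on VLAN 20):
! the poster reported this did not work.
ip nat pool vpn-srcnat 192.168.0.240 192.168.0.254 10.1.99.1

! Pool as recommended in the final reply: start, end and destination are all the same
! single controller IP. 192.168.0.254 is a placeholder for the controller IP you want
! VPN traffic NAT'd out of.
ip nat pool vpn-srcnat 192.168.0.254 192.168.0.254 192.168.0.254

! VPN user role ACL: src-nat to the pool must be the first rule, and the
! permit any any sits after it, matching the order described in the thread.
ip access-list session vpn-srcnat-acl
  user any any src-nat pool vpn-srcnat
  any any any permit

! Attach the ACL to the VPN role (role name assumed here).
user-role default-vpn-role
  access-list session vpn-srcnat-acl
```

Because the src-nat rule is matched first, every VPN client's traffic leaves the controller with the single pool address as its source, so hosts on 10.1.99.0 reply to an address the controller owns rather than to the client's tunnel address; the trailing permit only catches traffic the first rule did not already handle.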