Group,

I set up a simple VPN on my Cisco SOHO 91 using info that I've found around
the net and I'm having what seems to be an access list or maybe a NAT
problem. I can connect with the Cisco 4.6 VPN Client and I see packets
getting encrypted and decrypted, and the route listed in the client while
I'm connected looks fine, 10.10.10.0 255.255.255.0, but I still can't ping
anything on the LAN. Actually, I can ping but I'm not getting any packets
to come back through the tunnel. I've debugged ICMP so I can see the
responses being sent to the client but as I said, nothing comes back through
the tunnel. My other suspicion is that it's a NAT issue and it's somehow
not forwarding packets back through the tunnel. Anyway, I've included my
config below, if you could take a look and give me some advice on how to fix
it I'd appreciate it. By the way, I have an early version of the SOHO 91 so
I really can't upgrade the IOS because it already has its maximum amount
of memory at 32mb. I believe my version supports everything I'm trying to
do since I can connect and secure the tunnel with no problem, so hopefully
you all have an answer for me. I have to do all this manually because you
can't run SDM on a SOHO 91, but I've compared my config to an SDM version
and it looks pretty solid, but I'm sure I'm missing something. My version
info follows, and then the current config. And by the way, any other advice
about my config is welcomed...

Thanks very much, Jay.

Version info:

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: SOHO91 Software (SOHO91-K9OY6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT
RELEASE SOFTWARE (fc1)

CISCO SOHO91 (MPC857DSL) processor (revision 0x300) with 31130K/1638K bytes
of memory.
Processor board ID AMB08310BH3 (878404472), with hardware revision 0000
CPU rev number 7
Bridging software.
2 Ethernet/IEEE 802.3 interface(s)
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Config:

!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname MyCisco91
!
memory-size iomem 5
no logging buffered
enable secret 5 XXXXX
enable password 7 XXXXX
!
username admin password 7 XXXXX
!
aaa new-model
!
!
aaa authorization network hw-client-groupname local
aaa session-id common
ip subnet-zero
ip domain name dsl-hawaiiantel.net
ip name-server 4.2.2.4
ip name-server 4.2.2.5
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.20 10.10.10.30
!
ip dhcp pool CLIENT
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 4.2.2.4 4.2.2.5
domain-name dsl-hawaiiantel.net
lease 0 2
!
ip cef
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip ssh port 2222 rotary 1
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group USERID1
key 0 XXXXX
dns 4.2.2.4 4.2.2.5
domain dsl-hawaiiantel.net
pool dynpool
acl 199
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
!
crypto map dynmap isakmp authorization list hw-client-groupname
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
no cdp enable
hold-queue 32 in
!
interface Ethernet1
ip address dhcp client-id Ethernet1
ip access-group 111 in
ip nat outside
ip inspect myfw out
duplex auto
no cdp enable
crypto map dynmap
!
ip local pool dynpool 10.10.10.20 10.10.10.30
!
ip nat inside source list 102 interface Ethernet1 overload
!
ip classless
ip http server
no ip http secure-server
!
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!
access-list 111 permit tcp any any eq pop3
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq telnet
access-list 111 permit udp any any eq echo
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq non500-isakmp
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 permit tcp any any eq 22
access-list 111 permit tcp any any eq 81
access-list 111 permit tcp any any eq 139
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 3389
access-list 111 permit udp any any eq 8767
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 2222
access-list 111 deny ip any any
!
access-list 199 permit ip 10.10.10.0 0.0.0.255 any
!
no cdp run
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
exec-timeout 120 0
rotary 1
length 25
!
scheduler max-task-time 5000
!
end
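As an added example (not part of Jay's post and not a Cisco tool), here is a small Python checker that reads the relevant lines of the config above and reports where the NAT access list and the VPN address pool collide, which is the classic cause of "encrypts and decrypts fine, but nothing comes back through the tunnel" on IOS. The config lines embedded in it are copied from the post; the function names and the wording of the findings are assumptions of this example.

```python
import ipaddress
import re

# Constructed excerpt: only the lines from the posted config that this check reads.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
ip local pool dynpool 10.10.10.20 10.10.10.30
ip nat inside source list 102 interface Ethernet1 overload
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
"""

def wildcard_net(addr, wildcard):
    """Cisco address/wildcard pair -> ip_network (contiguous wildcards only)."""
    host_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)

def pool_networks(start, end):
    # Summarize an 'ip local pool' start..end range into CIDR blocks.
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))

def audit_nat_vs_vpn(config):
    """Return findings where NAT or LAN addressing collides with a VPN pool."""
    findings = []
    pools = {m.group(1): pool_networks(m.group(2), m.group(3))
             for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)$", config, re.M)}
    lans = [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m in re.findall(r"^ ip address (\d\S+) (\d\S+)$", config, re.M)]
    # IOS translates inside->outside before the crypto map: a LAN->pool packet matched
    # by a NAT permit is NATed and never enters the tunnel, unless an earlier deny shields it.
    for acl in re.findall(r"^ip nat inside source list (\d+)", config, re.M):
        entry = rf"^access-list {acl} (permit|deny) ip (\S+) (\S+) (any|\S+ \S+)$"
        shielded = set()
        for action, src, swc, dst in re.findall(entry, config, re.M):
            src_net = wildcard_net(src, swc)
            dst_net = wildcard_net(*(dst if dst != "any" else "0.0.0.0 255.255.255.255").split())
            for name, blocks in pools.items():
                hit = [b for b in blocks if dst_net.overlaps(b) and b not in shielded]
                if action == "deny":
                    shielded.update(b for b in hit if b.subnet_of(dst_net))
                elif hit:
                    findings.append(f"NAT ACL {acl}: {src_net} -> {dst_net} also "
                                    f"matches LAN replies to VPN pool {name}")
    for lan in lans:  # a pool carved out of the LAN subnet shares its address space
        for name, blocks in pools.items():
            hit = [str(b) for b in blocks if lan.overlaps(b)]
            if hit:
                findings.append(f"pool {name} ({', '.join(hit)}) lies inside "
                                f"LAN subnet {lan} on an inside interface")
    return findings
```

Running it on the excerpt yields two findings: the NAT permit covers the pool, and the pool sits inside the Ethernet0 subnet; inserting a deny for the pool addresses ahead of the NAT permit makes the first finding disappear.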