857 with VPN client

Virtual private networks and the like

Moderator: Federico.Lagni

alby
n00b
Posts: 1
Joined: Thu 06 Jul 2006, 12:02 am

Hi everyone.
I tried to configure an 857 that allows VPN access.
I can authenticate and browse to the outside, but I can't reach the clients on the LAN (let alone ping them).
I removed the ACLs from the interfaces, but it makes no difference.
Can anyone give me a hand?

Here is the config:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname routergw
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password 7 XXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login UTENTE-VPN local
aaa authorization network GRUPPO-VPN local
!
aaa session-id common
!
resource policy
!
clock timezone ORASOLARE 1
clock summer-time ORALEGALE recurring last Sat Mar 2:00 last Sat Oct 3:00
!
!
ip cef
ip inspect name FW icmp
ip inspect name FW tcp
ip inspect name FW udp
no ip domain lookup
ip domain name interbusiness.it
ip name-server 151.99.125.1
ip name-server 151.99.125.3
ip ssh version 2
!
!
crypto pki trustpoint TP-self-signed-3985040185
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3985040185
revocation-check none
rsakeypair TP-self-signed-3985040185
!
!
username albyalby password 7 XXXXXXX
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key keyvpn
pool VPN-IP-POOL
!
!
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
!
crypto dynamic-map VPN-DYNMAP 10
set transform-set VPN-SET
!
!
crypto map VPN-MAP client authentication list UTENTE-VPN
crypto map VPN-MAP isakmp authorization list GRUPPO-VPN
crypto map VPN-MAP client configuration address respond
crypto map VPN-MAP 10 ipsec-isakmp dynamic VPN-DYNMAP
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address XXX.XXX.XXX.XXX 255.255.255.248
ip nat outside
ip virtual-reassembly
no snmp trap link-status
pvc 8/35
encapsulation aal5snap
!
crypto map VPN-MAP
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1452
no ip mroute-cache
hold-queue 100 out
!
ip local pool VPN-IP-POOL 192.168.2.7 192.168.2.9
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface ATM0.1 overload
!
access-list 23 permit 192.168.2.0 0.0.0.255
access-list 23 permit any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit udp host 193.204.114.233 eq ntp any eq ntp
access-list 100 permit udp host 193.204.114.232 eq ntp any eq ntp
access-list 100 permit udp host 151.99.125.1 eq domain any
access-list 100 permit udp host 151.99.125.3 eq domain any
access-list 100 permit tcp any any eq 22
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any any eq non500-isakmp
access-list 100 permit esp any any
access-list 100 permit udp any eq isakmp any
access-list 100 permit tcp any any eq 1723
access-list 100 permit tcp any any eq 5900
access-list 100 permit udp any eq non500-isakmp any
access-list 111 remark User to Site VPN Clients
access-list 111 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 60 0
privilege level 0
transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17175168
ntp server 193.204.114.232
ntp server 193.204.114.233
end
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

Well, for a start the NAT exemption (de-NAT) is missing.
You created ACL 100 to handle NAT; use it only for that.
Then, if you want, make a separate outbound ACL with the various policies.
The future is made of people who have intuitions and visions..... they are the people who make the difference...... the ones gifted with a THIRD EYE....
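A worked version of the reply's advice, added here as an example; it is not part of the thread and not the original poster's configuration. It rebuilds ACL 100 so that LAN traffic bound for the VPN clients is denied (exempted from NAT) before the existing permit, and moves the firewall-style lines out of ACL 100 into a separate inbound ACL on ATM0.1 used together with the `ip inspect name FW` rules the posted config already defines. Going beyond what the reply says, it also moves the client pool out of the LAN subnet and enables reverse-route injection, so the router has a host route to each connected client and sends LAN-to-client packets out ATM0.1, where the crypto map is applied, instead of onto Vlan1. The pool range 192.168.3.1-192.168.3.10 and the ACL number 110 are hypothetical; everything else reuses the names and addresses from the posted config.

```cisco
! Added example, not from the original thread. The 192.168.3.0/24 pool and ACL 110
! are assumptions; every other name and address comes from the posted config.
!
! 1. Move the client pool out of the LAN subnet (assumption: 192.168.3.0/24 is unused).
no ip local pool VPN-IP-POOL
ip local pool VPN-IP-POOL 192.168.3.1 192.168.3.10
!
! 2. Install a host route for each connected client (reverse-route injection), so
!    traffic from the LAN to a client is routed out ATM0.1, where VPN-MAP sits,
!    rather than treated as a local Vlan1 neighbour.
crypto dynamic-map VPN-DYNMAP 10
 reverse-route
!
! 3. NAT exemption. A numbered ACL cannot be reordered in place, so rebuild ACL 100
!    with the deny first: LAN traffic to the VPN clients keeps its private source
!    address and matches the IPsec SA; everything else from the LAN is still NATed.
no access-list 100
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
!
! 4. Keep policy out of the NAT ACL: an inbound ACL on the WAN sub-interface that
!    admits only IKE/IPsec, the configured NTP and DNS servers, and SSH management.
!    Return traffic for LAN sessions is opened dynamically by the inspect rules.
access-list 110 remark Inbound policy on ATM0.1 (VPN, NTP, DNS, SSH)
access-list 110 permit udp any any eq isakmp
access-list 110 permit udp any any eq non500-isakmp
access-list 110 permit esp any any
access-list 110 permit udp host 193.204.114.232 eq ntp any eq ntp
access-list 110 permit udp host 193.204.114.233 eq ntp any eq ntp
access-list 110 permit udp host 151.99.125.1 eq domain any
access-list 110 permit udp host 151.99.125.3 eq domain any
access-list 110 permit tcp any any eq 22
access-list 110 deny ip any any log
!
interface ATM0.1 point-to-point
 ip access-group 110 in
 ip inspect FW out
```

After applying this, `show ip route` should list a /32 for each connected client once it is up, `show ip nat translations` should show no entries for LAN-to-192.168.3.x flows, and `show crypto ipsec sa` should show the decaps and encaps counters both increasing when a LAN host pings a client. Note that the ISAKMP policy (MD5, DH group 2) and transform set (3DES with MD5 HMAC) in the posted config were ordinary in 2006 but are weak by current standards; the example leaves them untouched because it only addresses the reachability problem the thread is about.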