01-17-2019 02:08 AM
Hello
I configured an L2TP IPsec VPN and can successfully connect to it.
My problem is the routing from the VPN subnet to the LAN subnet.
Config Quick Overview:
! LAN
interface GigabitEthernet0
 ip address 10.10.64.12 255.255.254.0
! WAN
interface GigabitEthernet8
 ip address 192.168.1.5 255.255.254.0
 ! crypto map allows VPN dial-in
 crypto map CRYP_MAP
! Interface used for VPN
interface Loopback0
 ip address 192.168.64.1 255.255.255.0
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool VPNPOOL
 ppp mtu adaptive
 ppp authentication ms-chap-v2
ip local pool VPNPOOL 192.168.64.10 192.168.64.19
After the VPN connection is established, I get a 192.168.64.1x IP on the VPN client computer as desired.
Connections to 192.168.64.1 work fine.
Now I want to connect to devices in the LAN subnet (e.g. to 10.10.64.30) from the VPN client computer.
This does not work currently, probably because some static routing configs are necessary.
What is the easiest way to make connections from the VPN Client computer to devices in the LAN Subnet possible?
Kind regards
Michael
01-17-2019 02:24 AM
Michael,
Firstly I would check your VPN client and make sure it gets a default gateway assigned. Then the devices on the LAN: do they use the same router (VPN endpoint) as a default gateway?
01-17-2019 02:44 AM
Hi
In Windows the "Use default gateway on remote network" option is enabled in the VPN adapter config, therefore Windows routes connections to the VPN if they are not reachable in the local network.
As default gateway I get the IP 0.0.0.0 on the VPN adapter; this is the normal behaviour of the Windows integrated L2TP VPN client according to my research.
My guess is that it cannot work without any ip route or even NAT configs on the Cisco router.
Just looking for the simplest way to config that.
The devices in the LAN do not use any router; it is an isolated network with devices just communicating with each other.
There will be no LAN -> WAN connections.
Just connections from the VPN (connected through the router's WAN interface) to devices in the LAN should be possible.
01-17-2019 02:45 AM
Hello,
It looks like your local pool is in the same address space as your WAN? Typically, your local pool should be in the same address space as your LAN, 10.10.64.0 255.255.254.0 in your case.
Can you try and change the local pool to e.g.:
ip local pool VPNPOOL 10.10.64.50 10.10.64.65
01-17-2019 02:55 AM
Hi Georg
The VPN pool address space is 192.168.64.10 192.168.64.19
The WAN is 192.168.1.xxx
The LAN is 10.10.64.xxx
I want to use non-overlapping address spaces for all 3 interfaces, LAN, WAN and VPN.
This should be possible, or not?
Kind of routing from VPN's 192.168.64.0 network to the LAN's 10.10.64.0
01-17-2019 03:32 AM
Do your LAN clients have a default gateway set to the LAN interface IP on the router?
Jon
01-17-2019 04:21 AM
Hi Jon
The devices in the LAN network do not have a default gateway configured, because they do not communicate with devices outside the local network.
It is a completely isolated ethernet network (with own switches) with PBX and IP phones connected.
The Cisco router should act as a VPN access to that network so that I can administrate the PBX from my computer connected to the WAN network with an established VPN connection to the Cisco router.
It is not desired to change the TCP/IP settings of the devices in the LAN network.
The Cisco router is physically connected to this isolated ethernet network with its LAN interface and it has an IP of the LAN's subnet on that interface.
I can ping devices in the LAN network from the router's terminal.
Therefore connection router <-> LAN network clearly works.
Also VPN connection to the Cisco router from the WAN network works.
Just need to bring these both together; some steps for connection VPN -> LAN network are necessary.
ip route config? NAT config?
Thanks in advance.
01-17-2019 04:35 AM
Michael,
If your devices on the LAN don't have a default gateway, then no wonder they can't communicate with other networks. The VPN pool is a different network, so you can't have any communication between them if you don't have routing in place. Now if you can't modify the network settings on your PCs in the LAN, then the only solution is to use NAT. Translate VPN pool addresses into the LAN interface address at the VPN gateway router and you should get communication. However, it will only work if initiated from the VPN into the LAN, not the other way round.
01-17-2019 04:41 AM
Hi Sergey
Thanks for clarifying, so the way I have to go is NAT.
It is perfectly fine that it will only work if initiated from VPN into the LAN.
Now the main question:
What is the simplest way to configure this VPN->LAN NAT?
01-17-2019 04:56 AM
Michael,
Configure your LAN interface as a NAT outside and your virtual template interface as NAT inside. Then create a NAT binding for your VPN pool using overload. It would look something like this:
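config t
! LAN interface: translated VPN traffic leaves here
interface GigabitEthernet0
 ip nat outside
! VPN sessions are cloned from this template
interface virtual-template 1
 ip nat inside
! Source addresses to translate: the VPN pool network
ip access-list standard ACL-NAT
 permit 192.168.64.0 0.0.0.255
 exit
! PAT the VPN pool to the address of the LAN interface
ip nat inside source list ACL-NAT interface gi0 overload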
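Added example, not part of the original posts and not Cisco code: a small Python model of why the PBX can answer only after the VPN source address is translated to the router's LAN address, and why only VPN-initiated sessions work. The addresses come from the thread; the port numbers, the `Pat` class and the helper names are hypothetical, and port allocation is simplified.

```python
import ipaddress as ip

# Addresses taken from the thread; ports below are constructed sample values.
LAN_NET = ip.ip_network("10.10.64.0/23")      # GigabitEthernet0, mask 255.255.254.0
ROUTER_LAN_IP = "10.10.64.12"                 # address used by "interface gi0 overload"
VPN_NET = ip.ip_network("192.168.64.0/24")    # what ACL-NAT permits

def host_can_reply(dst, gateway=None):
    """A LAN host without a default gateway can only answer on-link addresses."""
    return ip.ip_address(dst) in LAN_NET or gateway is not None

class Pat:
    """Simplified model of 'ip nat inside source list ACL-NAT ... overload'."""
    def __init__(self):
        self.table = {}           # translated port -> (inside ip, inside port)
        self.next_port = 1024     # simplified allocator, one new port per flow

    def outbound(self, src, sport):
        """VPN -> LAN: rewrite the source to the router's LAN address."""
        if ip.ip_address(src) not in VPN_NET:
            return src, sport     # not matched by ACL-NAT: left untranslated
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (src, sport)
        return ROUTER_LAN_IP, port

    def inbound(self, dport):
        """LAN -> router: only replies to an existing translation are mapped back."""
        return self.table.get(dport)

def session(src, sport, nat=None):
    """Return who receives the LAN device's reply, or None if it is never sent."""
    if nat is not None:
        seen_src, seen_port = nat.outbound(src, sport)
    else:
        seen_src, seen_port = src, sport
    if not host_can_reply(seen_src):
        return None               # device has no route back to the VPN subnet
    return nat.inbound(seen_port) if nat is not None else (seen_src, seen_port)

if __name__ == "__main__":
    print("without NAT:", session("192.168.64.10", 50000))
    print("with PAT:   ", session("192.168.64.10", 50000, Pat()))
    print("LAN-initiated, no table entry:", Pat().inbound(5060))
```

With this NAT in place every VPN client appears to the LAN devices as 10.10.64.12, so telling VPN users apart has to be done on the router rather than in the PBX's own logs.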
01-17-2019 06:31 AM
Hi Sergey
Super - Now it works how I want.
Connections from the VPN to the devices in LAN are possible now.
Thank you very much! :-)
01-17-2019 06:34 AM
Michael,
You are welcome :)
01-17-2019 05:41 AM
Hello,
Since you are using private space addressing on the WAN interface (192.168.1.0), I assume this is some kind of test environment and not a real, live router connected to the Internet? And if so, what are you testing with, real equipment, or a simulator?