
VPN Clients not able to access DMZ

imanco671
Level 1

Hello Community,

I have just setup my VPN Client. I have an inside subnet 192.168.210.0 and I have a DMZ subnet 192.168.220.0

I have my VPN users assigned an ip address from my pool 192.168.210.100 - 150

I am able to connect successfully and receive an Ip address and access servers on the 192.168.210.0 network, but I cannot access the DMZ servers.

Thanks in Advance!

43 Replies

Yes it makes sense, I will test later in the day and let you know my results.

Thanks again

John

Hi John,

I just tested on my laptop. The VPN client is able to get an ip address of 192.168.230.100, but it cannot ping the 192.168.210.0 or the 192.168.220.0 networks.

On my VPN client, it is getting the following configuration:

Ip address: 192.168.230.100

mask: 255.255.255.0

G/w: 192.168.230.100

DNS: 10.10.10.11 (my internal DNS server)

Thanks

John

Try modifying your nonat acl by adding the 192.168.230.0 subnet:

access-list nonat extended permit ip 192.168.210.0 255.255.255.0 192.168.220.0 255.255.255.0

access-list nonat extended permit ip 192.168.210.0 255.255.255.0 192.168.230.0 255.255.255.0

John

HTH, John *** Please rate all useful posts ***

Hi John,

Still not working, the vpn client is not able to ping or RDP to any server on my 192.168.210.0 or 192.168.220.0 network.

But I am able to ping my vpn client from my 192.168.210.0 network.

John

Hi John,

I have attached my running config.

thanks

John

Is it possible that I need an ACL allowing my vpn client to access these networks? Just an idea....

I've been swamped with a project, so I haven't been able to respond.

You still need an entry to not nat from the dmz to the vpn subnet:

access-list nonat permit ip 192.168.220.0 255.255.255.0 192.168.230.0 255.255.255.0

Try that and let me know the results...

HTH, John *** Please rate all useful posts ***

Hi John,

no worries, your help is much appreciated no matter what.

I have added these two commands. But I can now get to my 192.168.210.0 server via RDP. But cannot get to my 192.168.220.0 dmz server via RDP. I am able to ping my vpn client from BOTH subnets.

So a little improvement, but still not RDP from VPN to DMZ....

Below are the lines I have added:

access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 192.168.230.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.220.0 255.255.255.0 192.168.230.0 255.255.255.0

John

access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 192.168.230.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.220.0 255.255.255.0 192.168.230.0 255.255.255.0

Add:

access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 192.168.220.0 255.255.255.0

Get rid of:

access-list inside_nat0_outbound extended permit ip any 192.168.210.0 255.255.255.0

Can you ping the server that RDP is running on? If so, try to telnet into the port:

telnet 3389

If you get a black screen and it doesn't hang, you're getting to the RDP port.

Let me know...

HTH, John *** Please rate all useful posts ***

Also add:

same-security-traffic permit intra-interface

HTH, John *** Please rate all useful posts ***

Hi John,

I cannot ping the dmz server nor RDP to it, I tried telnet and that did not work either. (Just FYI... I am able to RDP to that dmz 192.168.220.10 server from my "inside" 192.168.210.11 server)

Here is my ACL section of my Show Run:

access-list outside_in extended permit tcp any host 173.xxx.xx.70 eq www

access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 192.168.230.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 192.168.220.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.220.0 255.255.255.0 192.168.230.0 255.255.255.0

access-list vpn-dmz standard permit 192.168.220.0 255.255.255.0

access-list vpn-dmz standard permit 192.168.210.0 255.255.255.0

Here is my NAT section:

global (outside) 1 interface

global (DMZ) 1 interface

nat (DMZ) 1 192.168.220.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.210.0 255.255.255.0

static (DMZ,outside) 173.xxx.xx.70 192.168.220.10 netmask 255.255.255.255

access-group outside_in in interface outside

Here is my ROUTE section:

route outside 0.0.0.0 0.0.0.0 173.xxx.xx 1

route outside 192.168.230.0 255.255.255.0 192.168.210.222 1

I hope the above helps.

John
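As an added check (this is not code from the thread, from Cisco, or from any poster), the following Python parses the `nat (iface) 0 access-list` binding and the `permit ip` exemption ACEs from the config shown above and reports which pairs of segments have no NAT exemption on either side's ingress interface. It assumes the pre-8.3 ASA behaviour that an exemption bound with `nat (iface) 0 access-list` is evaluated for traffic entering that interface and, unlike identity NAT, covers connections initiated from either side; the interface-to-subnet mapping in `SEGMENTS`, the sample config text, and the ACL name `dmz_nat0_outbound` in the corrected variant are assumptions made for the example.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: the ACL and NAT lines the poster shared, with the
# nat 0 binding. ACL and interface names are the thread's own.
CONFIG_TEXT = """
access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 192.168.230.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 192.168.220.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.220.0 255.255.255.0 192.168.230.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.210.0 255.255.255.0
nat (DMZ) 1 192.168.220.0 255.255.255.0
"""

# Corrected variant (assumption): a separate exemption ACL bound to the DMZ
# interface, so DMZ <-> VPN-pool traffic is exempted where it enters the ASA.
FIXED_TEXT = CONFIG_TEXT + """
access-list dmz_nat0_outbound extended permit ip 192.168.220.0 255.255.255.0 192.168.230.0 255.255.255.0
nat (DMZ) 0 access-list dmz_nat0_outbound
"""

# Which subnet sits behind which interface (assumed from the thread: inside
# LAN, DMZ, and the VPN client pool arriving through outside).
SEGMENTS = {
    "inside": ipaddress.ip_network("192.168.210.0/24"),
    "DMZ": ipaddress.ip_network("192.168.220.0/24"),
    "outside": ipaddress.ip_network("192.168.230.0/24"),  # VPN pool
}


def _take_net(tokens, i):
    """Consume one ACE address spec (any | host A | NET MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_config(text):
    """Return ({acl_name: [(src_net, dst_net), ...]}, {interface: acl_name}).

    Only 'permit ip' ACEs are collected, since those are what NAT exemption
    matches on; 'nat (iface) 0 access-list NAME' lines give the bindings.
    """
    acls, bindings = {}, {}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "access-list" and "permit" in tokens:
            p = tokens.index("permit")
            if p + 1 < len(tokens) and tokens[p + 1] == "ip":
                src, j = _take_net(tokens, p + 2)
                dst, _ = _take_net(tokens, j)
                acls.setdefault(tokens[1], []).append((src, dst))
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)", raw.strip())
        if m:
            bindings[m.group(1)] = m.group(2)
    return acls, bindings


def exempted(acls, bindings, src_if, src_net, dst_net):
    """True if src_net -> dst_net entering src_if hits an exemption ACE there."""
    acl = bindings.get(src_if)
    return any(src_net.subnet_of(s) and dst_net.subnet_of(d)
               for s, d in acls.get(acl, []))


def missing_exemptions(text, segments):
    """Segment pairs with no NAT exemption on either side's ingress interface."""
    acls, bindings = parse_config(text)
    missing = []
    for (a, a_net), (b, b_net) in combinations(segments.items(), 2):
        if not (exempted(acls, bindings, a, a_net, b_net)
                or exempted(acls, bindings, b, b_net, a_net)):
            missing.append((a, b))
    return missing


if __name__ == "__main__":
    print("missing (as posted):", missing_exemptions(CONFIG_TEXT, SEGMENTS))
    print("missing (corrected):", missing_exemptions(FIXED_TEXT, SEGMENTS))
```

Run as posted, the checker flags only the DMZ/outside pair: the DMZ-sourced ACE sits in an ACL that is bound to the inside interface, so it never sees DMZ-originated traffic. With the second ACL bound to the DMZ interface nothing is flagged.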

I have added the command:

same-security-traffic permit intra-interface

Also, just for more info (probably another post for me to make), I cannot get to the internet on my laptop while connected to the VPN. Just want to give you all the details, not wanting to add to the problem at hand.

John,

The DNS server that you're using is:

10.10.10.11 10.10.10.22 (Where are these addresses in your network?)

You're going to need to set up another nat rule to exclude this subnet from natting when going to the 192.168.210, .220, and .230 subnets.

You should be able to get to the internet once that happens. To see if you can even get to those DNS servers, try to ping them while on the VPN. If you can't, that's the problem (unless these are devices that don't know how to get to the 192.168.230.0/24 subnet).

You need to keep the same-security line in the config if you're wanting to browse the web while on the VPN and force web traffic through your tunnel. Otherwise, if you're wanting to send traffic that only belongs on the tunnel, you can enable split tunneling by specifying an acl in your group policy that references what hosts/subnets to allow over the tunnel.

You still need to get rid of this line:

global (dmz) 1 interface

You don't want anything natting to your DMZ interface....

HTH, John *** Please rate all useful posts ***

Hi John,

I really do not need to add the 10.10.10.11 and 10.10.10.12 DNS servers just yet. I put them there not realizing that there are no routes going to that subnet. I have removed them for now. It is something I will work on once I get other things working, for now the vpn clients can use the IP addresses only.

I did remove the global (dmz) 1 interface.

Still no luck to my dmz server from my clients. We can work on the internet issue in another post. I know it adds a whole new issue to the mix....

I have also included an updated show running config...

John

John,

I don't see a reason why this isn't working...

Are you outside of the office using the VPN or on an aircard?

Post the results of the following:

sh vpn-sessiondb detailed remote filter a-ipaddress

Also add:

nat (inside) 1 192.168.230.0 255.255.255.0

HTH, John *** Please rate all useful posts ***