Easy VPN Not able to access local network

systemaxit
Level 1

Hi Guys,

Hope someone can help me; I will give a rundown of the config.

I have an edge router, which is a 2851; connected to the 2851 is a Cisco 3750 switch running inter-VLAN routing with four VLANs.

I have set up Easy VPN Server on the 2851 edge router. I am able to connect remotely from a Cisco VPN client without a problem, but I can't access the local network on the server side. I have tried everything with no luck.

I have the Cisco VPN client installed on a Windows 7 64-bit system, and I also tried it with a Windows XP 32-bit system and still no luck.

Please, I need help, as I need to get this running by end of business today.

I will copy and paste the edge router config; please, if someone could review it and see if the config is right.

Accepted Solution

Jennifer Halim
Cisco Employee

You would need to change your PAT ACL from standard to extended and deny traffic from being NATed towards the VPN Pool:

access-list 120 deny ip 10.10.10.0 0.0.0.3 10.10.50.0 0.0.0.255
access-list 120 deny ip 192.168.XX.0 0.0.0.255 10.10.50.0 0.0.0.255
access-list 120 deny ip 172.16.XX.0 0.0.0.255 10.10.50.0 0.0.0.255
access-list 120 deny ip 172.1X.20.0 0.0.0.255 10.10.50.0 0.0.0.255
access-list 120 deny ip 192.168.XX.0 0.0.0.255 10.10.50.0 0.0.0.255
access-list 120 permit ip 10.10.10.0 0.0.0.3 any
access-list 120 permit ip 192.168.XX.0 0.0.0.255 any
access-list 120 permit ip 172.16.XX.0 0.0.0.255 any
access-list 120 permit ip 172.1X.20.0 0.0.0.255 any
access-list 120 permit ip 192.168.XX.0 0.0.0.255 any

ip nat inside source list 120 interface Dialer0 overload
no ip nat inside source list 1 interface Dialer0 overload
clear ip nat trans *

Hope that helps.

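An added illustration of the point in the answer above (example code written for this page, not configuration from the original post or from Cisco): a small Python model of how an IOS `ip nat inside source list` ACL decides which flows are translated. It parses both the standard (source-only) and extended ACL syntax with IOS wildcard masks and evaluates the first-match rule. The 10.10.10.0/30 link and the 10.10.50.0/24 VPN pool are the addresses from the thread; 192.168.1.0/24 is a constructed stand-in for the 192.168.XX.0 placeholder. The model shows why the standard ACL breaks the VPN: a LAN host replying to a pool address is still a PAT candidate, whereas the extended ACL's deny entries exempt that flow and leave ordinary Internet-bound traffic translated.

```python
"""Model of an IOS 'ip nat inside source list' decision.

Added example for this thread (not configuration from the original post).
192.168.1.0/24 is a constructed stand-in for the 192.168.XX.0 placeholder;
10.10.10.0/30 and the 10.10.50.0/24 VPN pool are the addresses from the thread.
"""
import ipaddress
from dataclasses import dataclass

ANY = 0xFFFFFFFF  # wildcard with every bit set: matches everything


@dataclass
class AclEntry:
    action: str   # "permit" (NAT candidate) or "deny" (exempt from NAT)
    src: int      # source network as a 32-bit int
    src_wc: int   # IOS wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wc: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _addr(tok, i):
    """Parse one address term at tok[i]; return (base, wildcard, next_index)."""
    if tok[i] == "any":
        return 0, ANY, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    base = _ip(tok[i])
    if i + 1 < len(tok):              # explicit wildcard follows
        return base, _ip(tok[i + 1]), i + 2
    return base, 0, i + 1             # standard ACL shorthand: host match


def parse_acl(text: str):
    """Parse 'access-list N permit|deny ...' lines (standard, or extended 'ip')."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action = tok[2]
        if tok[3] == "ip":                    # extended: source and destination
            src, swc, i = _addr(tok, 4)
            dst, dwc, _ = _addr(tok, i)
        else:                                 # standard: source only
            src, swc, _ = _addr(tok, 3)
            dst, dwc = 0, ANY
        entries.append(AclEntry(action, src, swc, dst, dwc))
    return entries


def _matches(addr: int, base: int, wildcard: int) -> bool:
    care = ~wildcard & 0xFFFFFFFF         # bits that must be equal
    return (addr & care) == (base & care)


def nat_decision(acl, src: str, dst: str) -> str:
    """First matching entry wins: permit -> 'translate', deny -> 'exempt'.
    No match falls through to the implicit deny, so the flow is also 'exempt'."""
    s, d = _ip(src), _ip(dst)
    for e in acl:
        if _matches(s, e.src, e.src_wc) and _matches(d, e.dst, e.dst_wc):
            return "translate" if e.action == "permit" else "exempt"
    return "exempt"


# Source-only PAT ACL as originally used: every inside host is a NAT
# candidate regardless of destination, VPN pool included.
STANDARD_ACL = """
access-list 1 permit 10.10.10.0 0.0.0.3
access-list 1 permit 192.168.1.0 0.0.0.255
"""

# Corrected extended ACL: deny (exempt) inside -> VPN pool, permit the rest.
EXTENDED_ACL = """
access-list 120 deny ip 10.10.10.0 0.0.0.3 10.10.50.0 0.0.0.255
access-list 120 deny ip 192.168.1.0 0.0.0.255 10.10.50.0 0.0.0.255
access-list 120 permit ip 10.10.10.0 0.0.0.3 any
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
"""


def compare(src: str, dst: str):
    """Decision for the same flow under both ACLs."""
    return {
        "standard": nat_decision(parse_acl(STANDARD_ACL), src, dst),
        "extended": nat_decision(parse_acl(EXTENDED_ACL), src, dst),
    }


if __name__ == "__main__":
    # LAN host replying to a VPN client that received 10.10.50.6 from the pool
    print("LAN -> VPN pool :", compare("192.168.1.20", "10.10.50.6"))
    # LAN host reaching the Internet: translated under both ACLs
    print("LAN -> Internet :", compare("192.168.1.20", "203.0.113.9"))
```

Running it shows the LAN-to-pool flow as `translate` under the standard list and `exempt` under the extended one, while Internet-bound traffic stays `translate` in both cases. The same evaluator can be pointed at any other `access-list` text to check that an exemption really precedes the `permit ... any` that would otherwise catch the flow.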
8 Replies


Hi Jennifer,

Thanks for the reply. I did what you suggested but still get no access to the local network.

When the VPN client connects I go into the statistics and then into show route, and it shows nothing in the local routes; in the secured routes it shows 0.0.0.0 0.0.0.0.

I can't even ping the edge router from the VPN client when it's connected. I even tried to ping the loopback 0 IP, which is 10.10.50.1, and still no go.

Can you think of anything else it could be? I have been on this for 3 days now and still can't get it to work.

Thanks,

Can you ping 10.10.10.1 and 10.10.10.2?

Also, on the 10.10.10.2 router, what is the default route? Is it 10.10.10.1? If not, does it have a route for the VPN pool subnet (10.10.50.0/24) towards 10.10.10.1?

Hi Jennifer,

10.10.10.2 is the 3750 switch. When I connect with the VPN client I can't ping 10.10.50.1, 10.10.10.1 or 10.10.10.2.

It is very strange: everything connects OK but I can't ping anything. The only ping I can do is to the external IP address, which is the IP address that I use to connect to the router.

I have been all week trying to get it working and had no luck whatsoever; I'm just about to give up on it.

When I try to add a route from 10.10.50.0/24 to 10.10.10.1 it gives me the error %Invalid next hop address (it's this router).

I should at the very least be able to ping 10.10.10.1 or 10.10.50.1, but I can't even ping these two addresses.

Also, 10.10.50.1 is a loopback address of 10.10.10.1.

Thanks,

Hi Anuj,

I will get the details and post them soon.

Thanks,

anujsharma85
Level 1

Can you connect the VPN client once and provide the output of route print from the machine?

Along with this, run a ping from the VPN client to any resource available on the local LAN behind the router, and then provide me the output of show crypto ipsec sa taken multiple times from the router.

Regards,

Anuj

ivykaixin
Level 1

Hi Jessica,

I have checked your configuration; I think there are some misses:

crypto isakmp profile vpn-ike-profile-1
   match identity group SYS_VPN
   client authentication list vpn_vpn_xauth_ml_1
   isakmp authorization list vpn_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile VPN_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile VPN-ike-profile-1

1. Make sure the ip local pool SDM_POOL_1 10.10.50.5 10.10.50.10 has not been used in your LAN.

2. Make sure the LAN switch has the route to the VPN client's subnet 10.10.50.X.

3. Make sure your client has connected to the VPN server; use show cry ipsec client ez, and show ip route to see if there is a route to 10.10.50.X via virtual-template 1.

I think the miss is the config about the isakmp-profile.

systemaxit
Level 1

Thanks everyone for their help. I finally got it going; it turns out it wasn't a config problem.

I thought to myself I had tried everything possible and nothing worked, then I decided to upgrade or downgrade the IOS image and voilà, everything works. OH MY GOD, this VPN gave me hell. I wish I had changed the IOS from the beginning; it would have saved me a lot of trouble and time.

For anyone who has this problem in the future: the router was running IOS version c2800nm-adventerprisek9-mz.151-3.T3.bin and the Easy VPN would not work at all; after upgrading to IOS version c2800nm-adventerprisek9-mz.151-4.M3.bin all worked okay without any problems.

Once again thank you all for your help.
