1811 VPN - can't access subnets

BradMajors
Level 1

Hi,

Still trying to get my VPN config finished, but I'm having problems accessing the networks on the other side of the VPN.

I can access (ping) devices attached to VLAN 4 192.168.4.0 but I can't access any device on VLAN2 192.168.0.0, VLAN5 192.168.1.0.

I can ping the IP set up for each VLAN, i.e. 192.168.0.249, 192.168.1.249, 192.168.5.249.

From the Cisco 1811 console I can ping devices on the 192.168.0.0, 192.168.1.0 and 192.168.4.0 subnets.

VLAN 3 has nothing connected yet.

Any help much appreciated

Brad

Accepted Solution

That's the problem.

The other routers should have a route back to this router when traffic is intended for 192.168.5.x (VPN pool).

Federico.

9 Replies

Hi,

To be able to access those subnets from the VPN client, the traffic should be exempt from NAT (I don't see ACL 101 in the config) and included in the split-tunneling (ACL 10).

Also, make sure the default gateway for the devices on those VLANs is the correct interface of the router, so they can send the traffic back to the router when replying to the VPN clients.

Federico.

Thanks Federico,

I missed the reference to ACL 101; the route map should be like this:

route-map SDM_RMAP permit 1
 match ip address 10

How do I exempt the traffic from NAT? And why would I be able to see the 192.168.4.0 subnet? It seems to be set up the same as the other subnets.

Thanks for the help

Brad

Any examples on what I have to do to exempt NAT would be most welcome!

Thanks

Brad

Brad,

To reach the internal subnets from the VPN clients, the following configuration exempts that traffic from being NATed.

ip access-list extended 101
 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny ip 192.168.x.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.x.0 0.0.0.255 any

Since the above ACL is used for NAT, traffic that matches a deny statement is exempt from NAT.

The permit statements then allow Internet access.

Federico.
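The NAT-exemption logic above depends on two things that are easy to get wrong: the ACL is evaluated first-match, and under `ip nat inside source route-map ... overload` only a permit causes translation, while a deny or no match leaves the packet untouched. The following script is an added example, not code from the thread or from Cisco: it parses numbered `access-list 101 ... ip ...` lines with IOS wildcard masks and reports whether a given flow would be translated. The ACL text is constructed from Federico's pattern with Brad's four subnets filled in; the second ACL, with the permits placed first, is constructed to show why entry order matters.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample input: Federico's pattern with Brad's subnets (192.168.0/1/2/4.0)
# and the 192.168.5.0/24 VPN pool. Not a config taken from a running router.
ACL_101 = """
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
"""

# Constructed counter-example: same entries, permits first. First-match evaluation
# means the VPN-bound flows now hit 'permit ... any' and get translated.
ACL_101_PERMITS_FIRST = "\n".join(
    [l for l in ACL_101.strip().splitlines() if " permit " in l]
    + [l for l in ACL_101.strip().splitlines() if " deny " in l]
)

Entry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    An IOS wildcard mask is the bitwise inverse of a netmask (0.0.0.255 -> /24).
    Non-contiguous wildcards are not representable as a network and raise ValueError."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    netmask = int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF
    net = ipaddress.ip_network((addr, str(ipaddress.ip_address(netmask))), strict=False)
    return net, i + 2


def parse_acl(text: str, number: str) -> List[Entry]:
    """Return the ordered (action, src_net, dst_net) entries of one numbered ACL.
    Only the 'ip' protocol form used in the thread is handled."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[1] != number:
            continue
        action, proto = tokens[2], tokens[3]
        if proto != "ip":
            raise ValueError(f"unsupported protocol in ACE: {line!r}")
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append((action, src, dst))
    return entries


def acl_match(entries: List[Entry], src: str, dst: str) -> Optional[str]:
    """First-match evaluation: 'permit', 'deny', or None for the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return None


def nat_decision(entries: List[Entry], src: str, dst: str) -> str:
    """Outcome under 'ip nat inside source route-map SDM_RMAP ...' with
    'match ip address 101': only a permit triggers translation; deny and
    no-match flows keep their original source address."""
    return "translated" if acl_match(entries, src, dst) == "permit" else "exempt"


if __name__ == "__main__":
    good = parse_acl(ACL_101, "101")
    bad = parse_acl(ACL_101_PERMITS_FIRST, "101")
    for flow in [("192.168.1.10", "192.168.5.100"), ("192.168.1.10", "8.8.8.8")]:
        print(flow, "correct order:", nat_decision(good, *flow),
              "| permits first:", nat_decision(bad, *flow))
```

Note that a subnet with no entry at all (192.168.3.0/24, Brad's VLAN 3, is absent from his ACL) falls through to the implicit deny: its hosts are not translated for VPN traffic, but they get no Internet access either, because nothing permits them.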

Thank you,

I have updated my router config and will try the VPN from home in a few hours, then I'll post the results.

Help is really appreciated!

Brad

Edit:

Now I'm unable to connect to the VPN; I'll post the changes I made tomorrow.

Thanks

Brad

Federico,

Here are the changes I made to my config.

crypto isakmp client configuration group VPN_CLIENT
 key mykey
 dns a.b.c.d a.b.c.e
 pool VPN_POOL
 acl 101

ip local pool VPN_POOL 192.168.5.100 192.168.5.119
no ip classless
ip route 0.0.0.0 0.0.0.0 64.26.144.49
ip route 192.168.0.0 255.255.255.0 FastEthernet2
ip route 192.168.1.0 255.255.255.0 FastEthernet5
ip route 192.168.2.0 255.255.255.0 FastEthernet3
ip route 192.168.4.0 255.255.255.0 FastEthernet4

ip nat inside source route-map SDM_RMAP interface FastEthernet0 overload
!
logging trap debugging

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
!
route-map SDM_RMAP permit 1
 match ip address 101
!

I can bring the tunnel up but can't ping anything on any of the subnets.

Thanks

Can those subnets ping each other?

And they have their default gateway set to the router?

Federico.

The subnets are intended to be isolated from each other.

The default gateways on each subnet point back to a different router. Do I need to add a route that points back to the 1811 on the other routers?

That's the problem.

The other routers should have a route back to this router when traffic is intended for 192.168.5.x (VPN pool).

Federico.
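The accepted answer is an asymmetric-routing problem: the echo request from the VPN client reaches the inside host via the 1811, but the host hands its reply to a different default gateway, which has no route for 192.168.5.0/24 and sends it upstream. The script below is an added example, not code from the thread or from Cisco: it models the forwarding tables of the 1811, one of the other VLAN routers, and an upstream hop, and traces both directions of a ping with and without the missing static route. The router names `R1811`, `OTHER_RTR` and `ISP`, the host 192.168.1.10, and the pool being reachable as a connected route on the 1811 are assumptions made for the model.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (prefix, next hop). The next hop is another router's name, or
# "connected:<interface>" meaning the packet is delivered on that interface.
Route = Tuple[ipaddress.IPv4Network, str]
Routers = Dict[str, List[Route]]


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, as the FIB does it: the most specific matching
    prefix wins, so a /24 for the VPN pool beats the 0.0.0.0/0 default."""
    d = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, nh in table:
        if d in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best[1] if best else None


def trace(routers: Routers, first_hop: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow a packet router by router until it is delivered, dropped, or loops."""
    path = [first_hop]
    cur = first_hop
    for _ in range(max_hops):
        nh = lookup(routers.get(cur, []), dst)
        if nh is None:
            path.append("DROP(no route)")
            return path
        if nh.startswith("connected:"):
            path.append("DELIVERED")
            return path
        path.append(nh)
        cur = nh
    path.append("DROP(ttl)")
    return path


def build_topology(other_router_has_pool_route: bool) -> Routers:
    """Constructed topology from the thread. R1811 terminates the VPN and owns the
    192.168.5.0/24 pool (assumed reachable as a connected route over the tunnel).
    OTHER_RTR is the assumed default gateway of the 192.168.1.0/24 hosts. ISP stands
    in for any upstream hop, which has no route to private address space."""
    n = ipaddress.ip_network
    r1811: List[Route] = [
        (n("192.168.0.0/24"), "connected:FastEthernet2"),
        (n("192.168.1.0/24"), "connected:FastEthernet5"),
        (n("192.168.2.0/24"), "connected:FastEthernet3"),
        (n("192.168.4.0/24"), "connected:FastEthernet4"),
        (n("192.168.5.0/24"), "connected:Virtual-Access1"),  # VPN pool (assumption)
        (n("0.0.0.0/0"), "ISP"),
    ]
    other_rtr: List[Route] = [
        (n("192.168.1.0/24"), "connected:Vlan1"),
        (n("0.0.0.0/0"), "ISP"),
    ]
    if other_router_has_pool_route:
        # The fix from the accepted answer, on the other router, e.g.
        #   ip route 192.168.5.0 255.255.255.0 192.168.1.249
        # where 192.168.1.249 is the 1811's address on that subnet (assumed from
        # Brad's post); the model names the next hop by router instead of address.
        other_rtr.insert(0, (n("192.168.5.0/24"), "R1811"))
    return {"R1811": r1811, "OTHER_RTR": other_rtr, "ISP": []}


def echo_request_path(routers: Routers) -> List[str]:
    """VPN client 192.168.5.100 pings inside host 192.168.1.10; the 1811 is the first hop."""
    return trace(routers, "R1811", "192.168.1.10")


def echo_reply_path(routers: Routers) -> List[str]:
    """The host's reply goes to its default gateway, OTHER_RTR, not to the 1811."""
    return trace(routers, "OTHER_RTR", "192.168.5.100")


if __name__ == "__main__":
    for fixed in (False, True):
        net = build_topology(fixed)
        print("pool route on other router:", fixed)
        print("  request:", " -> ".join(echo_request_path(net)))
        print("  reply:  ", " -> ".join(echo_reply_path(net)))
```

The same trace explains why the 1811's own console can ping every subnet: those pings originate from an address the other routers already have a connected route for, so the reply never depends on a route for the VPN pool.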