11-08-2010 06:54 PM
I have a VPN client connected to a Cisco 2800 series router as the concentrator. The client successfully connects, but can only communicate with one network on the host side. The VPN client is assigned an IP on the 172.16.2.0 network, and it can only communicate with the 172.16.1.0 host network. It needs to communicate with the other networks, such as 172.16.3.0, 172.16.4.0 and so on. There is no place in the config that I can see that is only allowing communication to the one network, so I do not see where to add the other networks. Please advise how I can give the VPN client access to all host networks. Thanks.
11-08-2010 07:04 PM
Do you have split tunnel configured? If you do, then you would also need to add those other networks in the split tunnel ACL. If you don't, then it's OK.
Another place would be the NAT exemption, you would need to configure NAT exemption for the other internal networks towards the VPN Client pool.
Feel free to post the ACL for the NAT statement, and I can assist you with the NAT exemption.
11-08-2010 07:32 PM
Thanks, Jennifer.
Yes, we have split tunnel enabled. I looked for that in the configs and do not see it. If you can help me identify the split tunnel section of the configs, and an example of the command I need to add for each network to be allowed there, I'd greatly appreciate it.
11-08-2010 07:44 PM
Please take a look at the "crypto isakmp client configuration" section, and if you have split tunnel configured, there should be an "acl" command line.
Please kindly share the actual ACL configured.
Also please check the "ip nat inside source" configuration line, and share the actual ACL configured for this command.
11-08-2010 07:56 PM
Yes, the ACL referenced in the "crypto isakmp client configuration" is "acl 100". Here are the access-list commands below (the networks in the list are the ones that the VPN clients need access to, but currently cannot access):
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit ip 172.16.2.0 0.0.0.255 any
access-list 100 permit ip 172.16.3.0 0.0.0.255 any
access-list 100 permit ip 172.16.4.0 0.0.0.255 any
access-list 100 permit ip 172.16.5.0 0.0.0.255 any
access-list 100 permit ip 172.16.6.0 0.0.0.255 any
access-list 100 permit ip 172.16.7.0 0.0.0.255 any
Also, there are some "ip nat inside source" commands for email, etc. but none that reference an ACL.
11-08-2010 08:01 PM
The split tunnel ACL looks correct. I am suspecting that the dynamic NAT is causing the issue.
Can you post the NAT statement (sh run | i ip nat inside source) and the corresponding ACL. Thanks.
11-08-2010 08:09 PM
Here are the "ip nat inside source" commands (I replaced the actual Public IPs with "PUBLIC IP" for security purposes):
ip nat inside source route-map ABC interface FastEthernet0/1 overload
ip nat inside source route-map INTERNET interface FastEthernet0/3/0 overload
ip nat inside source static tcp 172.16.1.111 25 "PUBLIC IP" 25 extendable
ip nat inside source static tcp 172.16.1.111 80 "PUBLIC IP" 80 extendable
ip nat inside source static tcp 172.16.1.111 443 "PUBLIC IP" 443 extendable
What ACL would you need that corresponds to this?
11-08-2010 08:12 PM
OK, looks like you are using route-map instead of access-list.
ip nat inside source route-map ABC interface FastEthernet0/1 overload
ip nat inside source route-map INTERNET interface FastEthernet0/3/0 overload
Which external interface is the VPN Client terminating on, fa0/1 or fa0/3/0?
If it's fa0/1, then please share the output of route-map ABC and its corresponding ACL.
If it's fa0/3/0, then please share the output of route-map INTERNET and its corresponding ACL.
Thanks.
11-08-2010 08:24 PM
The VPN Client terminates on fa0/3/0.
Here is the output you requested:
Router#show route-map INTERNET
route-map INTERNET, permit, sequence 10
Match clauses:
ip address (access-lists): INTERNET_NAT
Set clauses:
interface FastEthernet0/3/0
Policy routing matches: 0 packets, 0 bytes
And here's the corresponding ACL:
ip access-list extended INTERNET_NAT
deny ip 172.16.0.0 0.0.255.255 159.212.0.0 0.0.255.255
permit ip 172.16.0.0 0.0.255.255 any
11-08-2010 08:28 PM
Perfect. As advised earlier, your VPN pool is 172.16.2.0/24, right?
You would need to add the following:
ip access-list extended INTERNET_NAT
1 deny ip 172.16.0.0 0.0.255.255 172.16.2.0 0.0.0.255
Then you would need to clear the existing NAT translation: clear ip nat trans *
Hope that helps.
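The NAT exemption advised above works only because IOS evaluates an ACL top down and stops at the first match, so the `1 deny` entry has to sort ahead of the existing `permit ip 172.16.0.0 0.0.255.255 any`. The following is an added example, not part of the thread or of Cisco's code: a small Python model of IOS wildcard-mask matching, first-match ACL evaluation and the route-map NAT decision, run against the INTERNET_NAT ACL before and after the change and against split-tunnel ACL 100. The ACL text is the one posted in the thread; the test flows (a server on 172.16.3.0/24 replying to a pool address, an Internet destination, a non-tunneled 10.0.0.0 host) are constructed for illustration.

```python
"""Added example: replays the thread's IOS ACLs in Python to show why the
`1 deny` entry must precede `permit ... any`, and what the split-tunnel ACL
actually covers.  This models IOS behaviour; it is not Cisco code."""
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    seq: int
    action: str  # "permit" or "deny"
    src: str     # "<net> <wildcard>" or "any"
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard mask: a 0 bit means 'must match', a 1 bit means
    'don't care' (the inverse of a subnet mask)."""
    if spec == "any":
        return True
    net, wc = spec.split()
    care = ~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(net)) & care)


def _take_addr(tok):
    """Consume one address spec: 'any', 'host X', or 'net wildcard'."""
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return f"{tok[1]} 0.0.0.0", tok[2:]
    return f"{tok[0]} {tok[1]}", tok[2:]


def parse_acl(text: str):
    """Parse extended ACL lines as pasted from `show run` (either the
    `access-list N ...` form or a named-ACL body).  Unnumbered entries get
    10, 20, ... in typing order, as IOS assigns them; an explicit sequence
    number such as `1 deny ...` sorts the entry wherever that number falls."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if tok and tok[0] == "access-list":   # numbered-ACL prefix
            tok = tok[2:]
        if not tok or tok[0] == "remark":
            continue
        if tok[0].isdigit():
            seq, tok = int(tok[0]), tok[1:]
        else:
            seq = entries[-1].seq + 10 if entries else 10
        action, proto, tok = tok[0], tok[1], tok[2:]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {raw}")
        src, tok = _take_addr(tok)
        dst, tok = _take_addr(tok)
        entries.append(AclEntry(seq, action, src, dst))
    return sorted(entries, key=lambda e: e.seq)


def acl_action(entries, src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for e in entries:
        if wildcard_match(src, e.src) and wildcard_match(dst, e.dst):
            return e.action
    return "deny"


def nat_applies(route_map_acl, src: str, dst: str) -> bool:
    """`ip nat inside source route-map INTERNET interface ... overload`
    translates a flow only when the route-map's match ACL permits it."""
    return acl_action(route_map_acl, src, dst) == "permit"


def split_tunnel_includes(split_acl, host: str) -> bool:
    """For `crypto isakmp client configuration group ... acl 100` the ACL's
    *source* field names the protected network; the client sends traffic
    through the tunnel when the destination falls inside it."""
    return any(e.action == "permit" and wildcard_match(host, e.src)
               for e in split_acl)


# ACLs exactly as posted in the thread.
SPLIT_TUNNEL_ACL_100 = """
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit ip 172.16.2.0 0.0.0.255 any
access-list 100 permit ip 172.16.3.0 0.0.0.255 any
access-list 100 permit ip 172.16.4.0 0.0.0.255 any
access-list 100 permit ip 172.16.5.0 0.0.0.255 any
access-list 100 permit ip 172.16.6.0 0.0.0.255 any
access-list 100 permit ip 172.16.7.0 0.0.0.255 any
"""
INTERNET_NAT_BEFORE = """
deny ip 172.16.0.0 0.0.255.255 159.212.0.0 0.0.255.255
permit ip 172.16.0.0 0.0.255.255 any
"""
# The same ACL after `1 deny ip 172.16.0.0 0.0.255.255 172.16.2.0 0.0.0.255`,
# numbered the way `show ip access-lists` would display it.
INTERNET_NAT_AFTER = """
1 deny ip 172.16.0.0 0.0.255.255 172.16.2.0 0.0.0.255
10 deny ip 172.16.0.0 0.0.255.255 159.212.0.0 0.0.255.255
20 permit ip 172.16.0.0 0.0.255.255 any
"""

if __name__ == "__main__":
    before, after = parse_acl(INTERNET_NAT_BEFORE), parse_acl(INTERNET_NAT_AFTER)
    # Constructed flow: a host on 172.16.3.0/24 replying to a VPN pool address.
    flow = ("172.16.3.10", "172.16.2.50")
    print("before fix, reply to VPN client is NATed:", nat_applies(before, *flow))
    print("after fix,  reply to VPN client is NATed:", nat_applies(after, *flow))
    print("after fix,  Internet traffic still NATed:", nat_applies(after, "172.16.3.10", "198.51.100.1"))
    split = parse_acl(SPLIT_TUNNEL_ACL_100)
    print("172.16.4.7 is tunneled:", split_tunnel_includes(split, "172.16.4.7"))
    print("10.0.0.1 is tunneled:  ", split_tunnel_includes(split, "10.0.0.1"))
```

Two practical checks follow from the model. First, after editing the ACL, `show ip access-lists INTERNET_NAT` should list the new deny with sequence 1 ahead of the permit; if the same line were entered without a sequence number it would land after `permit ... any` and never match. Second, the thread's last post puts the router's LAN address at 172.16.2.1, inside the same 172.16.2.0/24 that is handed out as the VPN pool; a pool that overlaps a directly connected subnet will defeat any NAT or routing fix and is worth ruling out before looking further at the MPLS side.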
11-08-2010 08:41 PM
Ok, I ran those commands (below) and then disconnected/reconnected to the VPN to test. Unfortunately, I still cannot ping any network other than 172.16.1.0.
ip access-list extended INTERNET_NAT
1 deny ip 172.16.0.0 0.0.255.255 172.16.2.0 0.0.0.255
clear ip nat trans *
11-08-2010 08:44 PM
You would also need to make sure that in your internal switch/router, you have a route for the 172.16.2.0/24 network, pointing towards the LAN interface IP address of your router.
11-08-2010 08:54 PM
This is the only internal router. Do there need to be routes added to it for each of the internal networks?
11-08-2010 08:56 PM
Can you please share how each of the internal subnets is connected? What is the default gateway of each of the internal subnets?
11-08-2010 09:02 PM
The other subnets are connected via a MPLS network, managed by the provider. All subnets converge to the 172.16.2.0 network and get to the Internet through this router (172.16.2.1).