Cannot connect to all host networks on VPN client

pccareoncall
Level 1

I have a VPN client connected to a Cisco 2800 series router as the concentrator.  The client successfully connects, but can only communicate with one network on the host side.  The VPN client is assigned an IP on the 172.16.2.0 network, and it can only communicate with the 172.16.1.0 host network.  It needs to communicate with the other networks, such as 172.16.3.0, 172.16.4.0 and so on.  There is no place in the config that I see is only allowing communication to the one network, so I do not see where to add the other networks.  Please advise how I can give the VPN client access to all host networks.  Thanks.

26 Replies

Jennifer Halim
Cisco Employee

Do you have split tunnel configured? If you do, then you would also need to add those other networks in the split tunnel ACL. If you don't, then it's OK.

Another place would be the NAT exemption; you would need to configure NAT exemption for the other internal networks towards the VPN Client pool.

Feel free to post the ACL for the NAT statement, and I can assist you with the NAT exemption.

Thanks, Jennifer.

Yes, we have split tunnel enabled.  I looked for that in the configs and do not see it.  If you can help me identify the split tunnel section of the configs, and an example of the command I need to add for each network to be allowed there, I'd greatly appreciate it.

Please take a look at the "crypto isakmp client configuration" section, and if you have split tunnel configured, there should be an "acl" command line.

Please kindly share the actual ACL configured.

Also please check the "ip nat inside source" configuration line, and share the actual ACL configured for this command.

Yes, the ACL referenced in the "crypto isakmp client configuration" is "acl 100".  Here are the access-list commands below (the networks in the list are the ones that the VPN clients need access to, but currently cannot access):

access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit ip 172.16.2.0 0.0.0.255 any
access-list 100 permit ip 172.16.3.0 0.0.0.255 any
access-list 100 permit ip 172.16.4.0 0.0.0.255 any
access-list 100 permit ip 172.16.5.0 0.0.0.255 any
access-list 100 permit ip 172.16.6.0 0.0.0.255 any
access-list 100 permit ip 172.16.7.0 0.0.0.255 any

Also, there are some "ip nat inside source" commands for email, etc. but none that reference an ACL.

The split tunnel ACL looks correct. I am suspecting that the dynamic NAT is causing the issue.

Can you post the NAT statement (sh run | i ip nat inside source) and the corresponding ACL. Thanks.

Here are the "ip nat inside source" commands (I replaced the actual Public IPs with "PUBLIC IP" for security purposes):

ip nat inside source route-map ABC interface FastEthernet0/1 overload
ip nat inside source route-map INTERNET interface FastEthernet0/3/0 overload
ip nat inside source static tcp 172.16.1.111 25 "PUBLIC IP" 25 extendable
ip nat inside source static tcp 172.16.1.111 80 "PUBLIC IP" 80 extendable
ip nat inside source static tcp 172.16.1.111 443 "PUBLIC IP" 443 extendable

What ACL would you need that corresponds to this?

OK, looks like you are using route-map instead of access-list.

ip nat inside source route-map ABC interface FastEthernet0/1 overload
ip nat inside source route-map INTERNET interface FastEthernet0/3/0 overload

Which external interface is the VPN Client terminating on, fa0/1 or fa0/3/0?

If it's fa0/1, then please share the output of route-map ABC and its corresponding ACL.

If it's fa0/3/0, then please share the output of route-map INTERNET and its corresponding ACL.

Thanks.

The VPN Client terminates on fa0/3/0.

Here is the output you requested:

Router#show route-map INTERNET
route-map INTERNET, permit, sequence 10
  Match clauses:
    ip address (access-lists): INTERNET_NAT
  Set clauses:
    interface FastEthernet0/3/0
  Policy routing matches: 0 packets, 0 bytes

And here's the corresponding ACL:

ip access-list extended INTERNET_NAT
deny   ip 172.16.0.0 0.0.255.255 159.212.0.0 0.0.255.255
permit ip 172.16.0.0 0.0.255.255 any

Perfect. As advised earlier, your VPN pool is 172.16.2.0/24, right?

You would need to add the following:

ip access-list extended INTERNET_NAT

 1 deny ip 172.16.0.0 0.0.255.255 172.16.2.0 0.0.0.255

Then you would need to clear the existing NAT translation: clear ip nat trans *

Hope that helps.
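The two classifications this advice relies on can be checked offline: a NAT match list translates the flows it permits, and a split-tunnel ACL pushes the networks it permits to the client, so the VPN pool must be denied in the NAT list and the internal networks permitted in the split-tunnel list. The following Python is an added example, not code from this thread or from Cisco; it models only first-match Cisco wildcard-mask ACL evaluation (with the implicit deny at the end), not routing or the route-map's interface test. The ACL text is copied from the posts above, and the host addresses 172.16.2.50, 172.16.3.10 and 203.0.113.5 are constructed for the demonstration.

```python
"""Evaluate Cisco IOS wildcard-mask ACLs the way IOS applies them to NAT
and split tunnelling (constructed example, not from the thread)."""
import ipaddress

# ACL 100 as quoted above (split-tunnel list from 'crypto isakmp client configuration').
SPLIT_TUNNEL_ACL = [
    "access-list 100 remark SDM_ACL Category=4",
    "access-list 100 permit ip 172.16.1.0 0.0.0.255 any",
    "access-list 100 permit ip 172.16.2.0 0.0.0.255 any",
    "access-list 100 permit ip 172.16.3.0 0.0.0.255 any",
    "access-list 100 permit ip 172.16.4.0 0.0.0.255 any",
    "access-list 100 permit ip 172.16.5.0 0.0.0.255 any",
    "access-list 100 permit ip 172.16.6.0 0.0.0.255 any",
    "access-list 100 permit ip 172.16.7.0 0.0.0.255 any",
]

# INTERNET_NAT as first posted, and with the exemption line added at sequence 1.
NAT_ACL_BEFORE = [
    "deny ip 172.16.0.0 0.0.255.255 159.212.0.0 0.0.255.255",
    "permit ip 172.16.0.0 0.0.255.255 any",
]
NAT_ACL_AFTER = ["1 deny ip 172.16.0.0 0.0.255.255 172.16.2.0 0.0.0.255"] + NAT_ACL_BEFORE


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Return (action, src_spec, dst_spec) for one 'ip' ACE, or None for remarks."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:   # numbered form: drop 'access-list <n>'
        tokens = tokens[2:]
    if tokens and tokens[0].isdigit():   # named form: optional sequence number
        tokens = tokens[1:]
    if not tokens or tokens[0] == "remark":
        return None
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if proto != "ip":
        raise ValueError(f"only plain 'ip' ACEs are handled here: {line}")
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    return action, src, dst


def matches(addr, spec):
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


def acl_verdict(acl_lines, src, dst):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace is None:
            continue
        action, s, d = ace
        if matches(src, s) and matches(dst, d):
            return action
    return "deny"


def is_translated(nat_acl, src, dst):
    """On a NAT match list, 'permit' means the flow is translated."""
    return acl_verdict(nat_acl, src, dst) == "permit"


def pushed_to_client(split_acl, internal_host, client_addr):
    """On a split-tunnel list, 'permit' means the network is sent through the tunnel."""
    return acl_verdict(split_acl, internal_host, client_addr) == "permit"


def audit(nat_acl, split_acl, vpn_client, internal_hosts):
    """Per internal host: is it in the split tunnel, and would its reply to the client be NATed?"""
    return {
        h: {
            "in_split_tunnel": pushed_to_client(split_acl, h, vpn_client),
            "reply_natted": is_translated(nat_acl, h, vpn_client),
        }
        for h in internal_hosts
    }


if __name__ == "__main__":
    for label, acl in (("before", NAT_ACL_BEFORE), ("after", NAT_ACL_AFTER)):
        print(label, audit(acl, SPLIT_TUNNEL_ACL, "172.16.2.50", ["172.16.3.10"]))
```

With the original list, a reply from 172.16.3.10 to the VPN client at 172.16.2.50 is classified as translated, which is what the exemption line at sequence 1 removes; traffic from the same host to the Internet stays translated, and the existing deny towards 159.212.0.0/16 is unaffected. A reachability failure that persists after the ACL reports "not translated" points elsewhere (for example routing, as the thread goes on to discuss).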

OK, I ran those commands (below) and then disconnected/reconnected to the VPN to test.  Unfortunately, I still cannot ping any network other than 172.16.1.0.

ip access-list extended INTERNET_NAT
1 deny ip 172.16.0.0 0.0.255.255 172.16.2.0 0.0.0.255

clear ip nat trans *

You would also need to make sure that in your internal switch/router, you have a route for the 172.16.2.0/24 network, pointing towards the LAN interface IP address of your router.

This is the only internal router.  Do there need to be routes added to it for each of the internal networks?

Can you please share how each of the internal subnets is connected? What is the default gateway of each of the internal subnets?

The other subnets are connected via an MPLS network, managed by the provider.  All subnets converge to the 172.16.2.0 network and get to the Internet through this router (172.16.2.1).