Cannot connect to all host networks on VPN client

pccareoncall (Level 1)

I have a VPN client connected to a Cisco 2800 series router as the concentrator.  The client successfully connects, but can only communicate with one network on the host side.  The VPN client is assigned an IP on the 172.16.2.0 network, and it can only communicate with the 172.16.1.0 host network.  It needs to communicate with the other networks, such as 172.16.3.0, 172.16.4.0 and so on.  I do not see anywhere in the config that restricts communication to the one network, so I do not see where to add the other networks.  Please advise how I can give the VPN client access to all host networks.  Thanks.

26 Replies

OK, it makes sense. Thanks for the explanation.

The reason why it is not working is because you have an internal network of 172.16.2.0/24 which coexists with the VPN pool, and instead of routing the traffic internally, it is trying to ARP for the VPN pool address because they are in the same subnet.

To resolve this issue, please kindly change the VPN pool subnet from 172.16.2.0/24 to a unique subnet which does not belong to your internal network. Once you change that to a different unique pool, please also modify the INTERNET_NAT ACL accordingly as follows:

ip access-list extended INTERNET_NAT
1 deny ip 172.16.0.0 0.0.255.255 0.0.0.255

As advised earlier, the default route of the MPLS points towards the router (172.16.2.1), therefore there is no extra route that needs to be configured.

Hope this will resolve your problem.

Would this still apply knowing that VPN clients are able to communicate with 172.16.1.0 but not its own subnet, 172.16.2.0?

Yes, it particularly applies because the VPN client is a layer 3 hop away, hence it should not be in the same subnet as your internal network (172.16.2.0/24). Since they are in the same subnet, instead of sending the traffic towards the default gateway, the hosts try to ARP for it because they think they are in the same subnet, and since the VPN client is multiple hops away (L3 instead of L2), ARP resolution will fail, hence the inability to access that internal network.

Thanks so much for your help.

This DHCP pool (172.16.2.0) is the only pool for this particular network location.  How can I create a second pool as you suggested, and make it only available to the VPN clients?  I do not want to have two pools available to local computer users.

Thanks.

Can you please share your "crypto isakmp client configuration", the "pool" command will specify the name of the ip pool created. Then you can check on the pool command itself, and change it accordingly: "sh run | i pool" should provide you with all the pool information.

Sure, here it is:

crypto isakmp client configuration group VPN
key test123
dns 172.16.1.10 172.16.1.11
wins 172.16.1.10
domain domain.local
pool SDM_POOL_1
acl 100
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group VPN
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set VPN
set isakmp-profile sdm-ike-profile-1
!
!
!
crypto pki trustpoint TP-self-signed-562549302
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-562549302
revocation-check none
rsakeypair TP-self-signed-562549302

And here's the current pool info:

ip dhcp pool sdm-pool1
pool SDM_POOL_1
ip local pool SDM_POOL_1 172.16.2.50 172.16.2.90

This is the only pool in place, and is shared between LAN and VPN clients.  If the pool is the problem, my question is, how do I create a second pool and make sure it's only used/seen by VPN clients, so as to not conflict with the current LAN pool?


The pool is not shared with the LAN because the command "ip local pool SDM_POOL_1 172.16.2.50 172.16.2.90" is specific to the VPN client pool, so it's safe for you to change this.

Otherwise, you can just create a new pool, and assign it to the vpn client configuration.

Example:

Assuming that you would like to change the pool to 172.16.88.0/24 subnet:

ip local pool SDM_POOL_NEW 172.16.88.50 172.16.88.90

crypto isakmp client configuration group VPN
     no pool SDM_POOL_1
     pool SDM_POOL_NEW

and also add the following for the NAT exemption:

ip access-list extended INTERNET_NAT
1 deny ip 172.16.0.0 0.0.255.255 172.16.88.0 0.0.0.255

Hope it helps.

Thanks, I created the pool and assigned it to the VPN group as you recommended.  But when I went into the NAT command to run the "1 deny ip 172.16.0.0 0.0.255.255 172.16.88.0 0.0.0.255" command, I get the error: % Duplicate sequence number.  Do you know what would be causing that?

Use sequence number 2 instead please, as follows:

ip access-list extended INTERNET_NAT
     2 deny ip 172.16.0.0 0.0.255.255 172.16.88.0 0.0.0.255
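The two problems discussed in this thread, a VPN pool that overlaps an internal subnet (so LAN hosts ARP for the clients instead of routing to the gateway) and a NAT-exemption ACL entry that collides with an existing sequence number, are both easy to catch before touching the router. The following Python script is an added example written for this thread; it is not code posted by anyone here and not a Cisco tool. It assumes the ACL is named INTERNET_NAT and the inside summary is 172.16.0.0/16 as in the thread; the internal subnet list and the ACL contents below are constructed sample data, and the existing "deny" to 10.10.10.0/24 is invented only to occupy sequence number 1.

```python
"""Check a proposed Cisco IOS VPN client pool against the internal subnets and
emit the matching pool / group / NAT-exemption lines.

Added example for the thread above; not code from any poster or from Cisco.
Assumptions: ACL name INTERNET_NAT and inside summary 172.16.0.0/16 (as in
the thread); the sample networks and ACL text below are constructed.
"""
import ipaddress
import re

# Constructed sample input: the internal networks behind the router.
INTERNAL_NETS = ["172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24", "172.16.4.0/24"]

# Constructed sample of the current NAT ACL as "show run" prints it.  Sequence 1
# is already used, which is what produced "% Duplicate sequence number".
EXISTING_ACL = """\
ip access-list extended INTERNET_NAT
 1 deny ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
 10 permit ip 172.16.0.0 0.0.255.255 any
"""

_SEQ_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\b")


def pool_blocks(first, last):
    """CIDR blocks that exactly cover the address range of an 'ip local pool'."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def overlapping_internal_nets(first, last, internal_nets):
    """Internal subnets that share addresses with the pool.  Any hit means a
    LAN host believes a VPN client is on-link and ARPs for it instead of
    forwarding to its default gateway, which is the symptom in the thread."""
    blocks = pool_blocks(first, last)
    return [n for n in internal_nets
            if any(ipaddress.ip_network(n).overlaps(b) for b in blocks)]


def nat_exempt_sequence(acl_text):
    """Lowest unused sequence number that still sorts before the first permit,
    so the new deny is evaluated before the entry that NATs inside traffic."""
    used = {int(m.group(1)): m.group(2)
            for line in acl_text.splitlines() if (m := _SEQ_RE.match(line))}
    first_permit = min((s for s, a in used.items() if a == "permit"), default=None)
    seq = 1
    while seq in used:
        seq += 1
    if first_permit is not None and seq >= first_permit:
        raise ValueError("no free sequence number before the first permit; renumber the ACL")
    return seq


def wildcard(net):
    """IOS wildcard (inverse) mask for a network, e.g. /24 -> 0.0.0.255."""
    if isinstance(net, str):
        net = ipaddress.ip_network(net)
    return str(net.hostmask)


def render_config(pool_name, pool_net, first, last, internal_nets, acl_text,
                  old_pool=None, group="VPN", acl_name="INTERNET_NAT",
                  inside="172.16.0.0/16"):
    """IOS lines that move the VPN group to a non-overlapping pool and exempt
    inside-to-pool traffic from NAT.  Raises instead of emitting a bad config."""
    net = ipaddress.ip_network(pool_net)
    if not all(b.subnet_of(net) for b in pool_blocks(first, last)):
        raise ValueError(f"range {first}-{last} is not inside {pool_net}")
    clash = overlapping_internal_nets(first, last, internal_nets)
    if clash:
        raise ValueError(f"pool {first}-{last} overlaps internal subnet(s) {clash}")
    seq = nat_exempt_sequence(acl_text)
    inside_net = ipaddress.ip_network(inside)
    lines = [f"ip local pool {pool_name} {first} {last}",
             f"crypto isakmp client configuration group {group}"]
    if old_pool:
        lines.append(f" no pool {old_pool}")
    lines += [f" pool {pool_name}",
              f" netmask {net.netmask}",
              f"ip access-list extended {acl_name}",
              f" {seq} deny ip {inside_net.network_address} {wildcard(inside_net)} "
              f"{net.network_address} {wildcard(net)}"]
    return lines


if __name__ == "__main__":
    # The original pool collides with the 172.16.2.0/24 LAN ...
    print(overlapping_internal_nets("172.16.2.50", "172.16.2.90", INTERNAL_NETS))
    # ... the replacement pool does not, so the config can be generated.
    print("\n".join(render_config("SDM_POOL_NEW", "172.16.88.0/24",
                                  "172.16.88.50", "172.16.88.90",
                                  INTERNAL_NETS, EXISTING_ACL, old_pool="SDM_POOL_1")))
```

Paste the real "show ip route" subnets and the real "show run | section INTERNET_NAT" output into INTERNAL_NETS and EXISTING_ACL before trusting the result; the sequence number it picks is only correct for the ACL you feed it.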

Ok, that command was accepted, thanks.  However, the symptoms are still the same: As a VPN client, I can only connect to the 172.16.1.0 network, and none of the others.  Do you think I need to save the configs and reload?

Save the config, but you don't have to reload.

Have you performed the "clear ip nat trans *" to clear all the existing translation?

Please try to reconnect to the VPN client again, and share the output of the following from the router:

show cry isa sa

show cry ipsec sa

Also, can you please share what your router's internal interface IP address is? A topology diagram that has all the subnets would also help. Thanks.