Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
884
Views
0
Helpful
5
Replies

Cisco IOS SSL VPN cannot access LAN

Go to solution
4flowShanghai
Level 1
Level 1

‎03-11-2017 04:40 AM

I have the ISR G2 2921/K9 router, and I setup the SSL VPN on it. the user can connect to it, also user can access internet, but they cannot access the specified LAN through tunnel. Any advice? Thanks in advance!

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎03-11-2017 07:59 AM

  1. Does your network route the VPN-Pool to this router?
  2. Is your Split-Tunnel (if used) configured to include the local LAN?
  3. Any Access-Control in place?
  4. Have you exempted the VPN-traffic from NAT?

View solution in original post

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to 4flowShanghai

‎03-12-2017 03:11 AM

Well, for NAT it depends ...

If you are using Split-tunnel, then there won't be any traffic flowing from VPN-client to the outside network. In that case you don't need any "ip nat" on the template-interface. But if you need it for any other use, it for sure has to be configured correctly.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Karsten Iwen
VIP
VIP

‎03-11-2017 07:59 AM

  1. Does your network route the VPN-Pool to this router?
  2. Is your Split-Tunnel (if used) configured to include the local LAN?
  3. Any Access-Control in place?
  4. Have you exempted the VPN-traffic from NAT?
0 Helpful

Go to solution
4flowShanghai
Level 1
Level 1
In response to Karsten Iwen

‎03-11-2017 11:29 PM

Hi Karsten,

1. I have a ZBFW, which allow vpn traffic from WAN to LAN;

2. as for the VPN examption, I have one deny from internal LAN networks to VPN networks;

3. I use split tunnel, and the client can browse internet without any problem.

4. I also create a virtual template 1 interface , and then put ip unnumbered [WAN interface].

Any ideas? Thanks inadvance!

0 Helpful

Go to solution
4flowShanghai
Level 1
Level 1
In response to 4flowShanghai

‎03-12-2017 01:36 AM

Thanks. I got it working. I should enable nat and firewall setting on virtual template interface.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to 4flowShanghai

‎03-12-2017 03:11 AM

Well, for NAT it depends ...

If you are using Split-tunnel, then there won't be any traffic flowing from VPN-client to the outside network. In that case you don't need any "ip nat" on the template-interface. But if you need it for any other use, it for sure has to be configured correctly.

0 Helpful

Go to solution
4flowShanghai
Level 1
Level 1
In response to Karsten Iwen

‎03-12-2017 03:14 AM

Hi Karsten, Thank you very much for the reply. You are 100% right. I have removed the "ip nat" config on virtual template interface. :)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents