Cisco IOS SSL VPN cannot access LAN

4flowShanghai, Level 1

I have an ISR G2 2921/K9 router, and I set up the SSL VPN on it. Users can connect to it and can also access the internet, but they cannot access the specified LAN through the tunnel. Any advice? Thanks in advance!


5 Replies

  1. Does your network route the VPN-Pool to this router?
  2. Is your Split-Tunnel (if used) configured to include the local LAN?
  3. Any Access-Control in place?
  4. Have you exempted the VPN-traffic from NAT?

Hi Karsten,

1. I have a ZBFW, which allows VPN traffic from WAN to LAN;

2. as for the NAT exemption, I have one deny from the internal LAN networks to the VPN networks;

3. I use split tunnel, and the client can browse the internet without any problem.

4. I also created a Virtual-Template 1 interface, and then put ip unnumbered [WAN interface] on it.

Any ideas? Thanks in advance!

Thanks. I got it working. I needed to enable the NAT and firewall settings on the virtual template interface.

Well, for NAT it depends ...

If you are using split-tunnel, then there won't be any traffic flowing from the VPN client to the outside network. In that case you don't need any "ip nat" on the template interface. But if you need it for any other use, it for sure has to be configured correctly.

Hi Karsten, thank you very much for the reply. You are 100% right. I have removed the "ip nat" config on the virtual template interface. :)
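To tie Karsten's checklist and the NAT discussion together, here is an added illustrative IOS configuration that is not part of the thread: the Virtual-Template is made a ZBFW zone member (the missing piece in the original problem), a zone-pair permits VPN-to-LAN traffic, and the NAT ACL exempts LAN-to-pool traffic. All interface names, zone names, pool and addresses are assumed for the example, and the webvpn gateway block is omitted.

```cisco
! Constructed addressing for this example: LAN 192.168.10.0/24 on Gi0/1
! (ip nat inside, zone LAN), WAN on Gi0/0 (ip nat outside, zone WAN),
! SSL VPN client pool 10.10.10.0/24.
ip local pool SSLVPN_POOL 10.10.10.1 10.10.10.254

! Checklist item 3: with ZBFW, an interface that is not in any zone cannot
! talk to a zoned interface, so VPN traffic arriving on an unzoned
! Virtual-Template is dropped before it reaches the LAN zone.
zone security LAN
zone security WAN
zone security VPN
class-map type inspect match-any VPN_TO_LAN_CM
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect VPN_TO_LAN_PM
 class type inspect VPN_TO_LAN_CM
  inspect
 class class-default
  drop log
zone-pair security VPN-LAN source VPN destination LAN
 service-policy type inspect VPN_TO_LAN_PM

interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 zone-member security LAN

! Checklist item 4: deny LAN -> VPN-pool in the NAT ACL so replies to VPN
! clients are routed back into the tunnel instead of being translated.
ip access-list extended NAT_INSIDE
 deny   ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list NAT_INSIDE interface GigabitEthernet0/0 overload

! The fix from the thread: put the template into a zone. With split
! tunnelling no "ip nat" statement is needed on this interface.
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 zone-member security VPN

! Checklist item 2: the split-include list must contain the LAN subnet.
webvpn context SSLVPN
 virtual-template 1
 policy group DEFAULT
  functions svc-enabled
  svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
  svc split include 192.168.10.0 255.255.255.0
 default-group-policy DEFAULT
 inservice
```

Checklist item 1 is outside this router: any LAN host or downstream gateway that does not use this router as its default gateway needs a route for 10.10.10.0/24 pointing back at it.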