02-20-2013 09:05 PM
I have access to network 10.3.1.0 /24 but I am not able to access 10.3.2.0/24 and other networks behind the Easy VPN server.
I am using a software client to connect to the server.
I have configured split tunnel to the network 10.3.0.0 /16 and it shows up in the route details too. I can ping 10.3.1.0 network but not 10.3.2.0 and so on.
The Easy VPN server is configured on Cisco 861 with VPN module.
Following is the configuration:
Sh run | section crypto
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group VPNCLIENTGROUP
key #######
pool vpn1
acl 150
crypto isakmp profile VPNclient
description VPN clients profile
match identity group VPNCLIENTGROUP
client authentication list userlist
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto dynamic-map SDM_CMAP_1 99
set transform-set 3des
set isakmp-profile VPNclient
reverse-route
crypto map SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 99 ipsec-isakmp dynamic SDM_CMAP_1
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
crypto map SDM_CMAP_1
sh run | section aaa
aaa new-model
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
#sh run | section pool
pool SDM_POOL_1
pool vpn1
ip local pool SDM_POOL_1 10.3.1.240 10.3.1.244
ip local pool vpn1 192.168.3.1 192.168.3.254
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
route-map SDM_RMAP_1 permit 1
match ip address 102
#sh ip access-lists 102
Extended IP access list 102
10 deny tcp host 192.168.11.100 eq 500 any
20 deny ip any host 10.3.1.240
30 deny ip any host 10.3.1.241
40 deny ip any host 10.3.1.242
50 deny ip any host 10.3.1.243
60 deny ip any host 10.3.1.244
70 deny tcp host 10.3.1.186 eq smtp any
80 deny tcp host 10.3.1.100 eq 3393 any
90 deny ip 10.3.0.0 0.0.255.255 192.168.3.0 0.0.0.255 (335 matches)
100 deny ip 10.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255 (129 matches)
110 permit ip 10.3.0.0 0.0.255.255 any (792 matches)
sh ip access-lists 150 (split tunnel)
Extended IP access list 150
10 permit ip 10.3.0.0 0.0.255.255 any
20 permit ip 10.0.0.0 0.255.255.255 any
Kindly let me know if any other information is required from my end.
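The two ACLs in the post decide what happens to a VPN flow: ACL 150 is the split-tunnel list (protected networks appear in its source field), and ACL 102 is the route-map ACL that selects which traffic gets PAT'd to FastEthernet4, so a 10.3.x.x to 192.168.3.x packet must hit a deny in ACL 102 or it gets translated and never returns through the tunnel. The following is an added example, not code from the thread or from Cisco: it parses the posted ACL text with IOS wildcard-mask, first-match and implicit-deny semantics and reports which line a given flow hits. The port-name table and the helper names are the example's own assumptions.

```python
"""Evaluate Cisco IOS extended ACLs (wildcard masks, first match wins,
implicit deny at the end) against a flow, using the ACLs from the post."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# ACL text copied from the thread; the parser strips the "(N matches)" counters.
ACL_102 = """
10 deny tcp host 192.168.11.100 eq 500 any
20 deny ip any host 10.3.1.240
30 deny ip any host 10.3.1.241
40 deny ip any host 10.3.1.242
50 deny ip any host 10.3.1.243
60 deny ip any host 10.3.1.244
70 deny tcp host 10.3.1.186 eq smtp any
80 deny tcp host 10.3.1.100 eq 3393 any
90 deny ip 10.3.0.0 0.0.255.255 192.168.3.0 0.0.0.255 (335 matches)
100 deny ip 10.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255 (129 matches)
110 permit ip 10.3.0.0 0.0.255.255 any (792 matches)
"""
ACL_150 = """
10 permit ip 10.3.0.0 0.0.255.255 any
20 permit ip 10.0.0.0 0.255.255.255 any
"""

# Assumed mapping for the port keywords IOS prints instead of numbers.
PORT_NAMES = {"smtp": 25, "www": 80, "isakmp": 500, "domain": 53}


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src_net: int
    src_wc: int
    src_port: Optional[int]
    dst_net: int
    dst_wc: int
    dst_port: Optional[int]


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Consume one address spec (any | host X | NET WILDCARD) plus an optional
    'eq PORT'; return (net, wildcard, port, index_of_next_token)."""
    tok = tokens[i]
    if tok == "any":
        net, wc, i = 0, 0xFFFFFFFF, i + 1
    elif tok == "host":
        net, wc, i = _ip(tokens[i + 1]), 0, i + 2
    else:
        net, wc, i = _ip(tok), _ip(tokens[i + 1]), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        i += 2
    return net, wc, port, i


def parse_acl(text: str):
    aces = []
    for line in text.strip().splitlines():
        line = re.sub(r"\s*\(\d+ matches\)", "", line).strip()
        if not line or line.startswith("Extended"):
            continue
        t = line.split()
        seq, action, proto = int(t[0]), t[1], t[2]
        s_net, s_wc, s_port, i = _parse_addr(t, 3)
        d_net, d_wc, d_port, _ = _parse_addr(t, i)
        aces.append(Ace(seq, action, proto, s_net, s_wc, s_port, d_net, d_wc, d_port))
    return aces


def _addr_match(ip: int, net: int, wc: int) -> bool:
    # A set bit in the wildcard means "don't care"; compare only the other bits.
    care = ~wc & 0xFFFFFFFF
    return (ip & care) == (net & care)


def evaluate(aces, src, dst, proto="ip", sport=None, dport=None):
    """Return (action, sequence) of the first matching ACE, or ('deny', None)
    for the implicit deny at the end of every IOS ACL."""
    s, d = _ip(src), _ip(dst)
    for a in aces:
        if a.proto != "ip" and a.proto != proto:
            continue
        if not _addr_match(s, a.src_net, a.src_wc) or not _addr_match(d, a.dst_net, a.dst_wc):
            continue
        if a.src_port is not None and a.src_port != sport:
            continue
        if a.dst_port is not None and a.dst_port != dport:
            continue
        return a.action, a.seq
    return "deny", None


def is_natted(src, dst, **flow) -> bool:
    """True when ACL 102 permits the flow, i.e. route-map SDM_RMAP_1 sends it to PAT."""
    return evaluate(parse_acl(ACL_102), src, dst, **flow)[0] == "permit"


def is_tunneled(protected_host, client_ip) -> bool:
    """Split-tunnel ACLs list the protected networks in the source field, so the
    inside host goes in as the source and the VPN-pool address as the destination."""
    return evaluate(parse_acl(ACL_150), protected_host, client_ip)[0] == "permit"


if __name__ == "__main__":
    # Return traffic from the unreachable subnet toward a pool address (192.168.3.10 is constructed).
    print("NAT exempt:", not is_natted("10.3.2.1", "192.168.3.10"))
    print("Split-tunnel covers 10.3.2.1:", is_tunneled("10.3.2.1", "192.168.3.10"))
```

Running it confirms what the poster says: 10.3.2.0/24 to 192.168.3.0/24 hits line 90 of ACL 102 (not translated) and 10.3.2.1 is covered by line 10 of ACL 150, so neither ACL explains the missing reachability and the remaining suspect is the return route on the 10.3.2.0/24 hosts, as the later replies suggest.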
02-20-2013 10:30 PM
Most probably it's a routing issue. Check if hosts on 10.3.1.0/24, 10.3.2.0/24, etc. have a correct route to 192.168.3.0/24 (the VPN pool) through the 861, and that the 861 has a correct route to 10.3.1.0/24 and 10.3.2.0/24.
02-20-2013 11:01 PM
From the VPN server (861) I can ping 10.3.1.0/24 and 10.3.2.0/24.
Here is the sh ip route output:
S* 0.0.0.0/0 [1/0] via 67.79.57.x
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.3.0.0/16 is directly connected, Vlan1
L 10.3.1.1/32 is directly connected, Vlan1
67.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 67.79.57.X/29 is directly connected, FastEthernet4
L 67.79.57.X/32 is directly connected, FastEthernet4
192.168.3.0/32 is subnetted, 1 subnets
S 192.168.3.1 [1/0] via 24.28.87.X
192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.11.0/24 is directly connected, Vlan1
L 192.168.11.1/32 is directly connected, Vlan1
From the router I can ping 10.3.2.1, but from the VPN client I can't.
02-20-2013 11:42 PM
Do your NAT exemption rules (nat 0) include the subnets you're not able to ping?
02-20-2013 11:49 PM
Yes it's included.
Sent from Cisco Technical Support iPhone App
02-20-2013 11:55 PM
If you do a traceroute from a PC on 10.3.2.0 to some IP from the VPN pool, does it go through the 861 LAN interface?
02-21-2013 06:49 AM
Please check the GW for the 10.3.2.0/24 network. If the GW is the router's inside LAN IP then it's OK, and if not then you have to add a VPN pool route toward the router LAN interface.