
Easy VPN Software Client unable to access few networks

Ramesh Chauhan
Level 1

I have access to network 10.3.1.0/24 but I am not able to access 10.3.2.0/24 and other networks behind the Easy VPN server.

I am using a software client to connect to the server.

I have configured split tunnel for the network 10.3.0.0/16 and it shows up in the route details too. I can ping the 10.3.1.0 network but not 10.3.2.0 and so on.

The Easy VPN server is configured on Cisco 861 with VPN module.

Following is the configuration

sh run | section crypto

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group VPNCLIENTGROUP
 key #######
 pool vpn1
 acl 150
crypto isakmp profile VPNclient
   description VPN clients profile
   match identity group VPNCLIENTGROUP
   client authentication list userlist
   isakmp authorization list groupauthor
   client configuration address respond
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto dynamic-map SDM_CMAP_1 99
 set transform-set 3des
 set isakmp-profile VPNclient
 reverse-route
crypto map SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 99 ipsec-isakmp dynamic SDM_CMAP_1
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
crypto map SDM_CMAP_1

sh run | section aaa

aaa new-model
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local

#sh run | section pool

pool SDM_POOL_1
pool vpn1
ip local pool SDM_POOL_1 10.3.1.240 10.3.1.244
ip local pool vpn1 192.168.3.1 192.168.3.254

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
route-map SDM_RMAP_1 permit 1
 match ip address 102

#sh ip access-lists 102

Extended IP access list 102
    10 deny tcp host 192.168.11.100 eq 500 any
    20 deny ip any host 10.3.1.240
    30 deny ip any host 10.3.1.241
    40 deny ip any host 10.3.1.242
    50 deny ip any host 10.3.1.243
    60 deny ip any host 10.3.1.244
    70 deny tcp host 10.3.1.186 eq smtp any
    80 deny tcp host 10.3.1.100 eq 3393 any
    90 deny ip 10.3.0.0 0.0.255.255 192.168.3.0 0.0.0.255 (335 matches)
    100 deny ip 10.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255 (129 matches)
    110 permit ip 10.3.0.0 0.0.255.255 any (792 matches)

sh ip access-lists 150 (split tunnel)

Extended IP access list 150
    10 permit ip 10.3.0.0 0.0.255.255 any
    20 permit ip 10.0.0.0 0.255.255.255 any

Kindly let me know if any other information is required from my end.

6 Replies

Andrew Phirsov
Level 7

Most probably it's the routing issue. Check if hosts from 10.3.1.0/24, 10.3.2.0/24, etc. have correct route to 192.168.3.0/24 (vpn-pool) through the 861, and that the 861 has correct route to 10.3.1.0/24, 10.3.2.0/24.

From the VPN server 861 I can ping 10.3.1.0/24 and 10.3.2.0/24

Here is the show ip route output:

S*    0.0.0.0/0 [1/0] via 67.79.57.x

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.3.0.0/16 is directly connected, Vlan1
L        10.3.1.1/32 is directly connected, Vlan1
      67.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        67.79.57.X/29 is directly connected, FastEthernet4
L        67.79.57.X/32 is directly connected, FastEthernet4
      192.168.3.0/32 is subnetted, 1 subnets
S        192.168.3.1 [1/0] via 24.28.87.X
      192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.11.0/24 is directly connected, Vlan1
L        192.168.11.1/32 is directly connected, Vlan1

From the router I can ping 10.3.2.1, but from the VPN client I can't.

Do your NAT exemption rules (nat 0) include the subnets you're not able to ping?
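A way to answer this question without guessing, as an added example that is not code from the thread or from Cisco: a small evaluator for the route-map ACL that decides whether a flow is translated (permit) or exempt from NAT (deny, including the implicit deny at the end). The ACL text is copied from the `show ip access-lists 102` output in the original post; the flows, the hypothetical external addresses and the short port-name table are constructed for the example.

```python
import ipaddress
import re

# Copied from the original post's "sh ip access-lists 102" output. The
# "(N matches)" counters are left in to show that the parser tolerates them.
ACL_102 = """
10 deny tcp host 192.168.11.100 eq 500 any
20 deny ip any host 10.3.1.240
30 deny ip any host 10.3.1.241
40 deny ip any host 10.3.1.242
50 deny ip any host 10.3.1.243
60 deny ip any host 10.3.1.244
70 deny tcp host 10.3.1.186 eq smtp any
80 deny tcp host 10.3.1.100 eq 3393 any
90 deny ip 10.3.0.0 0.0.255.255 192.168.3.0 0.0.0.255 (335 matches)
100 deny ip 10.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255 (129 matches)
110 permit ip 10.3.0.0 0.0.255.255 any (792 matches)
"""

# Assumption: only the few IOS port keywords needed here are mapped.
PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "isakmp": 500}


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_endpoint(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' followed by an optional 'eq PORT'.
    Returns ((net, mask), port, next_index); a zero mask means match-all."""
    if tok[i] == "any":
        addr, i = (0, 0), i + 1
    elif tok[i] == "host":
        addr, i = (_ip(tok[i + 1]), 0xFFFFFFFF), i + 2
    else:
        # IOS wildcard masks are inverted subnet masks: 0 bits must match.
        wildcard = _ip(tok[i + 1])
        addr, i = (_ip(tok[i]), 0xFFFFFFFF ^ wildcard), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        i += 2
    return addr, port, i


def parse_acl(text):
    """Turn extended-ACL lines into ordered rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        line = re.sub(r"\(\d+ matches\)", "", line).strip()
        if not line:
            continue
        tok = line.split()
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        src, sport, i = _parse_endpoint(tok, 3)
        dst, dport, _ = _parse_endpoint(tok, i)
        rules.append(dict(seq=seq, action=action, proto=proto,
                          src=src, sport=sport, dst=dst, dport=dport))
    return rules


def _addr_match(addr, spec):
    net, mask = spec
    return (addr & mask) == (net & mask)


def first_match(rules, src, dst, proto="ip", sport=None, dport=None):
    """First-match semantics; returns (sequence number, action).
    A rule with protocol 'ip' matches any protocol."""
    s, d = _ip(src), _ip(dst)
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if not _addr_match(s, r["src"]) or not _addr_match(d, r["dst"]):
            continue
        if r["sport"] is not None and r["sport"] != sport:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["seq"], r["action"]
    return None, "deny"  # implicit deny at the end of every ACL


def nat_decision(rules, src, dst, **flow):
    """For a NAT route-map ACL, permit means translate; deny means exempt."""
    seq, action = first_match(rules, src, dst, **flow)
    return ("translated" if action == "permit" else "exempt"), seq


if __name__ == "__main__":
    rules = parse_acl(ACL_102)
    # Constructed flows: a LAN host on 10.3.2.0/24 replying to a pool address,
    # and the same host going to the internet (203.0.113.0/24 is documentation space).
    for flow in (("10.3.2.10", "192.168.3.5"), ("10.3.2.10", "203.0.113.9")):
        print(flow, nat_decision(rules, *flow))
```

Reading the result: a 10.3.2.x to 192.168.3.x reply hits line 90 and is exempt, so for this ACL the answer to the question is yes. The evaluator also makes the implicit deny visible: any flow that reaches the end of the list is not translated either, which is worth knowing when a route-map ACL is read as a NAT policy.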

Yes it's included.

Sent from Cisco Technical Support iPhone App

If you do a traceroute from a PC on 10.3.2.0 to some IP from the vpn-pool, does it go through the 861 LAN interface?

Please check the GW for the 10.3.2.0/24 network. If the GW is the router's inside LAN IP then it's OK, and if not then you have to add a VPN pool route toward the router's LAN interface.

Jawad
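Andrew's first reply and Jawad's reply come down to the same check: does a reply from a host on 10.3.2.0/24 to a pool address actually reach the 861, which holds the reverse-route-injected /32 for the connected client? The following is an added example, not code from the thread or from Cisco, that models that check with longest-prefix-match lookups. The 861's table is taken from the show ip route output posted above (its static /32 for the client is modelled as a tunnel hop, and the ISP next hop is kept as the masked value from the post); host-a, host-b, gw2 and all of their addresses and routes are hypothetical, constructed to contrast a host whose gateway is the 861 with a host behind a second router that has no route for the pool.

```python
import ipaddress

VPN_POOL = "192.168.3.0/24"   # ip local pool vpn1 from the original post
CLIENT_IP = "192.168.3.1"     # the connected client's address from the route table


def lookup(routes, dst):
    """Longest-prefix match over a list of (prefix, next_hop) entries."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, nh in routes:
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def trace(devices, start, dst, max_hops=8):
    """Follow next hops from one device to the next. Returns (hop names, verdict)."""
    path, dev = [start], start
    for _ in range(max_hops):
        hit = lookup(devices[dev]["routes"], dst)
        if hit is None:
            return path, "dropped: no route"
        kind, target = hit[1]
        if kind == "tunnel":
            return path, f"encrypted into the IPsec SA for {target}"
        if kind == "connected":
            return path, f"delivered on-link via {target}"
        # kind == "via": hand the packet to whichever device owns the next-hop address
        owner = next((n for n, d in devices.items() if target in d["addrs"]), None)
        if owner is None:
            return path, f"forwarded to {target}, outside the modelled LAN"
        path.append(owner)
        dev = owner
    return path, "hop limit exceeded"


def return_path_reaches_tunnel(devices, host, client_ip=CLIENT_IP):
    """True if a reply from `host` to the VPN client ends up in the 861's IPsec SA."""
    path, verdict = trace(devices, host, client_ip)
    return verdict.startswith("encrypted"), path


def with_pool_route(devices, router, next_hop, pool=VPN_POOL):
    """Copy of the topology with a static route for the VPN pool added on `router`."""
    patched = {n: {"addrs": set(d["addrs"]), "routes": list(d["routes"])}
               for n, d in devices.items()}
    patched[router]["routes"].append((pool, ("via", next_hop)))
    return patched


DEVICES = {
    # The 861, from the posted "show ip route". The 192.168.3.1/32 entry is the
    # reverse-route-injection static for the connected client, modelled as a tunnel hop.
    "861": {
        "addrs": {"10.3.1.1", "192.168.11.1"},
        "routes": [
            ("0.0.0.0/0", ("via", "67.79.57.x")),
            ("10.3.0.0/16", ("connected", "Vlan1")),
            ("192.168.11.0/24", ("connected", "Vlan1")),
            ("192.168.3.1/32", ("tunnel", "vpn-client")),
        ],
    },
    # Hypothetical host on 10.3.2.0/24 whose default gateway is the 861 itself.
    "host-a": {
        "addrs": {"10.3.2.50"},
        "routes": [("10.3.0.0/16", ("connected", "eth0")),
                   ("0.0.0.0/0", ("via", "10.3.1.1"))],
    },
    # Hypothetical second LAN router at 10.3.2.1 whose default route points at
    # its own uplink (203.0.113.1 is documentation address space), not at the 861.
    "gw2": {
        "addrs": {"10.3.2.1", "10.3.1.2"},
        "routes": [("10.3.2.0/24", ("connected", "lan")),
                   ("10.3.1.0/24", ("connected", "uplink")),
                   ("0.0.0.0/0", ("via", "203.0.113.1"))],
    },
    # Hypothetical host behind gw2.
    "host-b": {
        "addrs": {"10.3.2.60"},
        "routes": [("10.3.2.0/24", ("connected", "eth0")),
                   ("0.0.0.0/0", ("via", "10.3.2.1"))],
    },
}


if __name__ == "__main__":
    for host in ("host-a", "host-b"):
        print(host, return_path_reaches_tunnel(DEVICES, host))
    fixed = with_pool_route(DEVICES, "gw2", "10.3.1.1")
    print("host-b after adding the pool route on gw2:",
          return_path_reaches_tunnel(fixed, "host-b"))
```

In the model, host-a's reply reaches the 861 and lands on the /32 for the client, while host-b's reply is sent by gw2 toward its own uplink and never sees the tunnel. The fix Jawad describes corresponds to `with_pool_route(DEVICES, "gw2", "10.3.1.1")`: a static route for 192.168.3.0/24 on the other gateway pointing at the 861's LAN address, after which the trace from host-b ends in the IPsec SA as well. A traceroute from the real host to a pool address, as Andrew suggests, is the field equivalent of this trace.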