I can't browse the LAN when connecting via VPN client

a.maldonado
Level 1

I wonder if someone can help me.


I am trying to set up a firewall as a VPN server. The clients we have are Cisco VPN client. I have managed to connect to the VPN server and get an IP address from the pool, but I am unable to browse or ping the internal LAN.


In order to get a connection to the VPN server I had to do two things:

 

1.- I had to change the public IP address in the nat statement for another one in the pool of public IP addresses given to us by our ISP. So, if int G0/2 has IP address A.B.C.179/28, the IP in the nat statement is A.B.C.178, and so now it looks like this:

ip nat inside source static udp 192.168.254.126 500 A.B.C.178 500 extendable

2.- The other thing I did was to untick the Enable Transparent Tunneling box in the Transport tab of the VPN client properties window. Now it just says IPSec, instead of IPSEC/UDP. I am not sure if this is the correct way, but it makes a connection with the VPN server and I get an IP address from the pool, but still I cannot browse the internal LAN connected to the firewall.

Can someone please help me or suggest something, as I have not moved forward from this for a few days now and I have run out of ideas. I have tried the sysopt connection permit-vpn command, but it still makes no difference. I also tried the Wizard, but I still cannot browse the LAN from the VPN client.

Please see the diagram and the router and firewall configs.

Thank you for your time.


What IP address does the client receive?
What IP address(es) are you attempting to connect to on the internal LAN?
I assume the internal LAN is not connected to the router configuration you provided? If not, please provide its configuration.

Please run packet-tracer and post the output

Hi RJI,

The VPN client receives address 192.168.250.1/27 and it sets its gateway as 192.168.250.2. I don't know why it gets this gateway, as I did not set up any. The 192.168.250.0/27 is the ip local pool L1vpnpool in the firewall configuration provided.

The IP addresses I want to be able to access are the DMZ, which is on 172.16.10.0/24, and VLAN10, which has 10.0.0.0/24 (see diagram). The splitTunnel ACL has a number of other addresses (internal and external), but for now and to make things simpler I only included:

access-list L1_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0

The LAN (all VLANs) is connected to the firewall. I split int G0/0 of the firewall into a number of subinterfaces; this is shown in the firewall configuration provided.

I am not in the office today but will post the packet trace output tomorrow.

Thank you for your message.

Hi RJI,

As requested, please see the packet trace sourced from the local LAN nameif SRVR, which has the 10.0.0.0/24.

The first trace is from the firewall interface VLAN10 to the address of the VPN client 192.168.250.1

The second trace is as above but the input address is my laptop with address 10.0.0.15.

As you can see although both traces are sourced from the same subnet, the second trace has more phases than the first. Any idea why?

Also, I was expecting the traffic to be sent out the tunnel not back to the router via Link2HFRTR. Please see attachment.

Thank you all who tried to help me to resolve this problem. So, my router facing the ISP must have the following two statements in order to forward the IKEv1 requests for connection to the VPN server, which is behind the router, and, once the client is authenticated and connected, to browse the internal network, which has to be included in the ACL for splitTunnel:

ip nat inside source static udp 192.168.254.126 500 A.B.C.178 500 extendable
ip nat inside source static udp 192.168.254.126 4500 A.B.C.178 4500 extendable

I also thank the person who said I should use another public IP address from within the pool allocated to me by the ISP for the VPN remote connections. This way, my IPSecs terminating in A.B.C.179 would not be affected by the port forward statements, which was the first problem I faced.
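The thread settles on three conditions for a client behind this kind of setup: the ISP-facing router must forward both IKE (UDP 500) and NAT-T (UDP 4500) to the VPN server's inside address, the public address used for that forwarding must not be the router's own interface address (or the router's own IPsec peers on A.B.C.179 break), and the internal networks the client should reach must be covered by the split-tunnel ACL. The script below is an added example, not something posted in the thread, that checks those conditions against a router config. The config sample is constructed: the thread's A.B.C.x addresses are replaced with the documentation prefix 203.0.113.0/24, and the parser only understands the `interface`/`ip address` and `ip nat inside source static` line shapes that appear on this page.

```python
"""Checks for the VPN pass-through fixes discussed in the thread (added example).

Conditions checked:
  1. UDP 500 (IKE) and UDP 4500 (NAT-T) are both statically forwarded to the VPN server.
  2. Both are forwarded via the same public address.
  3. That public address is NOT the address of a router interface, but does fall
     inside the outside interface's subnet (a spare address from the ISP block).
  4. Every internal destination the client must reach is covered by the split-tunnel ACL.
"""
import ipaddress
import re

# Constructed sample router config. 203.0.113.x stands in for the thread's A.B.C.x
# (placeholder documentation prefix, not an address from the thread).
ROUTER_CONFIG = """
interface GigabitEthernet0/2
 ip address 203.0.113.179 255.255.255.240
 ip nat outside
!
interface GigabitEthernet0/0
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
!
ip nat inside source static udp 192.168.254.126 500 203.0.113.178 500 extendable
ip nat inside source static udp 192.168.254.126 4500 203.0.113.178 4500 extendable
"""

NAT_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) "
    r"(?P<inside_ip>\S+) (?P<inside_port>\d+) (?P<outside_ip>\S+) (?P<outside_port>\d+)"
)
IF_RE = re.compile(r"^interface (?P<name>\S+)")
ADDR_RE = re.compile(r"^\s+ip address (?P<ip>\S+) (?P<mask>\S+)")
ACL_RE = re.compile(r"^access-list \S+ standard permit (?P<net>\S+) (?P<mask>\S+)")


def parse_router(config):
    """Return (static NAT entries, {interface name: IPv4Interface}) from IOS-style text."""
    nats, interfaces, current = [], {}, None
    for line in config.splitlines():
        m = IF_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = ADDR_RE.match(line)
        if m and current:
            interfaces[current] = ipaddress.ip_interface(f"{m.group('ip')}/{m.group('mask')}")
            continue
        m = NAT_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["inside_port"] = int(entry["inside_port"])
            entry["outside_port"] = int(entry["outside_port"])
            nats.append(entry)
    return nats, interfaces


def check_vpn_forwarding(config, vpn_server_ip):
    """Return a list of problems with the IKE/NAT-T forwarding; empty means it looks right."""
    nats, interfaces = parse_router(config)
    problems = []
    # (public address, public port) pairs that land on the VPN server over UDP
    forwarded = {(n["outside_ip"], n["outside_port"]) for n in nats
                 if n["proto"] == "udp" and n["inside_ip"] == vpn_server_ip}
    for port, name in ((500, "IKE"), (4500, "NAT-T")):
        if not any(p == port for _, p in forwarded):
            problems.append(f"UDP {port} ({name}) is not forwarded to {vpn_server_ip}")
    public_ips = {ip for ip, _ in forwarded}
    if len(public_ips) > 1:
        problems.append(f"IKE and NAT-T use different public addresses: {sorted(public_ips)}")
    for ip in public_ips:
        owners = [name for name, iface in interfaces.items() if str(iface.ip) == ip]
        if owners:
            problems.append(f"{ip} is the address of interface {owners[0]}; "
                            "use a spare address from the ISP block instead")
        elif not any(ipaddress.ip_address(ip) in iface.network for iface in interfaces.values()):
            problems.append(f"{ip} is not inside any configured interface subnet")
    return problems


def split_tunnel_uncovered(acl_lines, destinations):
    """Return the destination networks (CIDR strings) that no standard-ACL permit covers."""
    permitted = [ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}", strict=False)
                 for m in map(ACL_RE.match, acl_lines) if m]
    return [d for d in destinations
            if not any(ipaddress.ip_network(d).subnet_of(n) for n in permitted)]


if __name__ == "__main__":
    print(check_vpn_forwarding(ROUTER_CONFIG, "192.168.254.126"))
    acl = ["access-list L1_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0"]
    print(split_tunnel_uncovered(acl, ["10.0.0.0/24", "172.16.10.0/24"]))
```

Run against the sample config the forwarding check returns no problems; run against a variant that forwards to the interface's own address, or that lacks the UDP 4500 entry, it names the specific condition that failed. The split-tunnel check only knows standard ACL permits with a wildcard-free mask, which is the form the thread uses.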