11-21-2012 10:05 AM - edited 02-21-2020 06:30 PM
Hi there,
I currently have a Cisco 881 router running EasyVPN server.
I recently created some IPsec rules that allow traffic to specific IPs for a specific security group:
access-list 105 permit ip host 10.1.0.5 any
access-list 105 permit ip host 10.1.0.15 any
access-list 105 permit ip host 10.1.0.16 any
access-list 105 permit ip host 10.1.0.32 any
This works as expected with our Windows users; however, our Mac users (using the native VPN client) can only reach the first IP in the string of access statements. When I was troubleshooting this, I moved .32 to be the first statement, and then I could reach only it and none of the others.
All of the routes look right locally:
netstat -r:
default 192.168.1.1 UGSc 148 0 en0
default utun0 UCSI 1 0 utun0
10.1.0.5/32 10.3.0.133 UGSc 1 11 utun0
10.1.0.15/32 10.3.0.133 UGSc 1 2 utun0
10.1.0.16/32 10.3.0.133 UGSc 0 0 utun0
10.1.0.32/32 10.3.0.133 UGSc 1 0 utun0
10.1.0.50/32 10.3.0.133 UGSc 0 0 utun0
10.1.0.51/32 10.3.0.133 UGSc 0 0 utun0
10.1.0.60/32 10.3.0.133 UGSc 0 0 utun0
10.3.0.133 10.3.0.133 UH 10 0 utun0
10.3.0.255 utun0 UHW3Ii 0 6 utun0 2279
route get 10.1.0.5:
route to: 10.1.0.5
destination: 10.1.0.5
gateway: 10.3.0.133
interface: utun0
flags: <UP,GATEWAY,HOST,DONE,WASCLONED,IFSCOPE,IFREF>
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
0 0 0 0 0 0 1280 0
route get 10.1.0.15:
route to: 10.1.0.15
destination: 10.1.0.15
gateway: 10.3.0.133
interface: utun0
flags: <UP,GATEWAY,HOST,DONE,WASCLONED,IFSCOPE,IFREF>
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
0 0 0 0 0 0 1280 0
ping 10.1.0.5:
PING 10.1.0.5 (10.1.0.5): 56 data bytes
64 bytes from 10.1.0.5: icmp_seq=0 ttl=61 time=66.426 ms
ping 10.1.0.15:
PING 10.1.0.15 (10.1.0.15): 56 data bytes
Request timeout for icmp_seq 0
And yes, host 10.1.0.15 is up.
Any help on this would be greatly appreciated!
Thanks!
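An added example, not part of the original post: a small Python script that cross-checks the split-tunnel ACL against the client's `netstat -r` table and the observed ping results, so that "no route was installed" is separated from "route present, but the tunnel does not carry the traffic". The ACL and routing table are copied from the post above; the ping results are constructed, with .16 and .32 assumed unreachable because the post says only the first entry works. It also accepts the `A.B.C.D WILDCARD` ACL form, which the post does not use, assuming a contiguous wildcard mask.

```python
import ipaddress
import re

# Constructed input: the split-tunnel ACL as posted in the thread.
ACL_TEXT = """\
access-list 105 permit ip host 10.1.0.5 any
access-list 105 permit ip host 10.1.0.15 any
access-list 105 permit ip host 10.1.0.16 any
access-list 105 permit ip host 10.1.0.32 any
"""

# Constructed input: `netstat -r` rows from the Mac (Destination Gateway Flags Refs Use Netif [Expire]).
NETSTAT_TEXT = """\
default 192.168.1.1 UGSc 148 0 en0
default utun0 UCSI 1 0 utun0
10.1.0.5/32 10.3.0.133 UGSc 1 11 utun0
10.1.0.15/32 10.3.0.133 UGSc 1 2 utun0
10.1.0.16/32 10.3.0.133 UGSc 0 0 utun0
10.1.0.32/32 10.3.0.133 UGSc 1 0 utun0
10.3.0.133 10.3.0.133 UH 10 0 utun0
10.3.0.255 utun0 UHW3Ii 0 6 utun0 2279
"""

# Constructed ping results (True = reply received). .5 and .15 are from the post;
# .16 and .32 are assumed unanswered, since the post says only the first entry works.
PING_RESULTS = {"10.1.0.5": True, "10.1.0.15": False, "10.1.0.16": False, "10.1.0.32": False}

ACL_RE = re.compile(r"^access-list\s+\d+\s+permit\s+ip\s+(host\s+(\S+)|(\S+)\s+(\S+))\s+any\s*$")


def parse_acl(text):
    """Return the destination networks of a split-tunnel ACL, in ACL order.

    Handles `host A.B.C.D` and `A.B.C.D WILDCARD` (assumes a contiguous wildcard mask)."""
    nets = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        if m.group(2):
            nets.append(ipaddress.ip_network(m.group(2) + "/32"))
        else:
            addr, wildcard = m.group(3), m.group(4)
            mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
            nets.append(ipaddress.ip_network(f"{addr}/{bin(mask).count('1')}", strict=False))
    return nets


def parse_netstat(text):
    """Map destination network -> (gateway, interface) from macOS `netstat -r` rows."""
    routes = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] == "default":
            continue
        dest = cols[0] if "/" in cols[0] else cols[0] + "/32"  # host routes print without /32
        try:
            routes[ipaddress.ip_network(dest, strict=False)] = (cols[1], cols[5])
        except ValueError:
            continue  # non-IPv4 rows (link-local, IPv6) are not relevant here
    return routes


def diagnose(acl_nets, routes, reachable, tunnel_iface="utun0"):
    """For each ACL entry, report whether the client routes it into the tunnel and whether it answers."""
    report = []
    for net in acl_nets:
        entry = routes.get(net)
        route_ok = entry is not None and entry[1] == tunnel_iface
        replied = reachable.get(str(net.network_address), False)
        if not route_ok:
            verdict = "no route via tunnel: client did not install the split-tunnel route"
        elif replied:
            verdict = "ok"
        else:
            verdict = "routed into tunnel but no reply: check the server-side SA for this destination"
        report.append({"dest": str(net), "route_ok": route_ok, "reachable": replied, "verdict": verdict})
    return report


def only_first_entry_works(report):
    """True when the first ACL entry works and every later entry is routed but unanswered,
    the pattern described in the post."""
    if not report or report[0]["verdict"] != "ok":
        return False
    return all(r["route_ok"] and not r["reachable"] for r in report[1:])


if __name__ == "__main__":
    result = diagnose(parse_acl(ACL_TEXT), parse_netstat(NETSTAT_TEXT), PING_RESULTS)
    for r in result:
        print(f"{r['dest']:<14} route_ok={r['route_ok']!s:<5} reachable={r['reachable']!s:<5} {r['verdict']}")
    if only_first_entry_works(result):
        print("Pattern: only the first split-tunnel ACL entry is carried; compare proxy identities on the router.")
```

When the script reports "routed into tunnel but no reply", the client-side routing table is not where the problem is; the next check is on the router, where `show crypto ipsec sa` lists the local/remote identities of each IPsec SA negotiated with the Mac, which shows which of the ACL destinations the client actually negotiated.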
11-21-2012 12:18 PM
Using the native VPN client on the Mac users to access the host IPs configured in the access-list on your VPN server means you're using split tunneling. My suggestion is to try hardcoding a static route on the hosts you want to access via the Mac users using the VPN client. Maybe it will work. o_0
---
Posted by WebUser Antonio Isip Jr from Cisco Support Community App
11-21-2012 12:56 PM
That might work; however, the end users who bounce between the office and remote would have issues if these routes were permanent. And this would be equally troublesome for remote users who aren't savvy enough to do these kinds of modifications.
The solution that hopefully exists will be one that will make the native client behave exactly as the Windows clients using Cisco's application.