09-13-2007 08:09 AM - edited 02-21-2020 03:16 PM
I need to setup a VPN Client configuration where the clients receive an IP on the LAN IP address range.
Attached is my config with the pool in its own range.(non-pertinent configuration excluded)
I've modified my pool to place the clients in a range within the LAN IP scheme. I have also modified my 110 ACL to exclude the NAT and my 111 ACL to allow for split-tunneling by the client.
When I connect, I get the proper address but I am unable to ping any devices internally.
Any suggestions as to the configuration or troubleshooting would be appreciated. I have seen documentation that it will not work, in the form of TAC cases and config guides, but they were specific to ASA and PIX devices. I have not found any configuration guides for IOS routers showing examples of this configuration, but I did see mention in a config guide that said "if you assign addresses from a non-local subnet", which tells me that it is an option to assign local addresses.
09-13-2007 03:34 PM
You cannot assign local LAN IP addresses to the VPN clients. If you do so, when you try to access some host in your network, the accessed host will "think" the source of the traffic is local, since it is on the same network, and will never go to the default gateway, or any gateway, to reach the host that originated the traffic.
If you really need the internal hosts to access an internal IP address that is in the VPN, you need to configure a different range for your clients, other than the internal one, and then configure a NAT for these clients' IP addresses, something like: ip nat outside source...
please rate if helps
09-17-2007 06:54 AM
It's a good idea, but I would appreciate some assistance on the config part.
The only way I can see that working is to terminate the VPN to a loopback and set that as the NAT interface. Ideas on how I can do this? I'm working with a setup that has a 2811 at a head end and 871s at the remote sites in a hub and spoke setup.
It is at each of these sites that I need this ability. Currently, I'm using a simple IPsec VPN setup with a mixed static and dynamic map.
I'm thinking the way to do this is to move from simple IPsec to an IPsec over GRE VPN setup, but I have no experience with this. Any suggestions would be greatly appreciated.
09-18-2007 06:44 AM
Take a look at the link for site-to-site VPN.
09-18-2007 07:03 AM
My site-to-site VPN connections are fine; it's the remote access clients that I need to look as though they are on the LAN. Now, this may work if I can set a subset of something like 8 addresses within my LAN range as the "nat pool" for the addresses handed out by my "ip local pool" to the clients.
I'll post back what I figure out.
09-18-2007 07:32 AM
Try this:
crypto dynamic-map dyn_map 1
 reverse-route
!
ip local pool ippool 10.119.8.192 10.119.8.199
!
! keep LAN-to-client traffic out of the NAT
access-list 110 deny ip 10.119.8.0 0.0.0.255 10.119.8.192 0.0.0.7
09-18-2007 07:04 AM
Try to add:
crypto dynamic-map dyn_map 1
 reverse-route
09-18-2007 07:07 AM
Again, my issue is not that I am having routing issues. I can route just fine. My issue is that my VPN Client machines (the ones running the Cisco VPN Client software) must look as though they are on the LAN. I have to make their addresses be in the same address range as my LAN, or NAT the pool that I hand to them to a range within my LAN.
09-18-2007 07:13 AM
OK, let's go.
You should assign a pool that has a different range than your internal one, like:
ip local pool vpn_pool 10.0.0.1 10.0.0.10
Then you must NAT it to make it seem as if it came from inside to whatever you want the destination to be, so do the following.
Configure your external interface as "nat outside":
interface FastEthernet0/0
 ip nat outside
Configure your internal interface as "nat inside":
interface FastEthernet0/1
 ip nat inside
Configure the NAT:
ip nat outside source static network 10.0.0.0 192.168.0.0 255.255.255.240
please rate if helps
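A consolidated IOS configuration for the approach described in the post above (clients get a pool outside the LAN, then outside-source NAT presents them on a block carved out of the LAN), written here as an added example; it is not from any post in this thread and has not been taken from the original poster's config. It assumes the 2811 hub with FastEthernet0/0 facing the internet and FastEthernet0/1 on the 10.119.8.0/24 LAN from the thread, a hypothetical client pool 10.0.0.1-10.0.0.6 mapped onto 10.119.8.192/29, and that ACL 110 is the NAT ACL and ACL 111 the split-tunnel ACL as the original poster named them; interface names, the pool range and the crypto map names are assumptions, and the existing crypto map on the outside interface is left untouched.

```cisco
! Added example, not from the thread. Interface names, pool range and
! ACL numbers are assumptions; the crypto map already applied to the
! outside interface is left as it was.
!
! 1. Hand clients addresses from a range that is NOT on the LAN.
ip local pool vpn_pool 10.0.0.1 10.0.0.6
!
! 2. Inject a host route per connected client so traffic for 10.0.0.x
!    is sent back into the tunnel.
crypto dynamic-map dyn_map 1
 reverse-route
!
! 3. NAT domains: internet-facing side is outside, LAN side is inside.
interface FastEthernet0/0
 ip nat outside
!
interface FastEthernet0/1
 ip nat inside
!
! 4. Translate the whole client pool onto a /29 taken out of the LAN.
!    Client 10.0.0.1 appears to LAN hosts as 10.119.8.193, and so on.
!    add-route (assumed to be accepted on this IOS; otherwise use
!    "ip route 10.119.8.192 255.255.255.248 FastEthernet0/0") installs
!    the route for the translated block, so LAN replies are routed toward
!    the outside interface, untranslated back to 10.0.0.x and encrypted.
ip nat outside source static network 10.0.0.0 10.119.8.192 255.255.255.248 add-route
!
! 5. Keep the inside->internet overload NAT (ACL 110) away from
!    LAN-to-client traffic. Both the real and the translated client
!    addresses are denied so the order of NAT evaluation does not matter.
access-list 110 deny   ip 10.119.8.0 0.0.0.255 10.0.0.0 0.0.0.7
access-list 110 deny   ip 10.119.8.0 0.0.0.255 10.119.8.192 0.0.0.7
access-list 110 permit ip 10.119.8.0 0.0.0.255 any
!
! 6. Split-tunnel ACL pushed to the client (ACL 111): only the LAN goes
!    through the tunnel; the client keeps its own 10.0.0.x view.
access-list 111 permit ip 10.119.8.0 0.0.0.255 10.0.0.0 0.0.0.7
```

Two things to check on the LAN side: hosts on 10.119.8.0/24 will ARP for 10.119.8.193-198 as if they were local, so the router must answer those ARPs from FastEthernet0/1, which IOS does through proxy ARP (on by default) as long as it holds a route for the translated block out another interface; and nothing else on the LAN, including the DHCP scope, may hand out the reserved /29. On the security side the split-tunnel ACL is what bounds what the client can reach, so keep it to the LAN rather than "any".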
09-18-2007 07:14 AM
What IOS version do you have?