11-24-2018 11:16 PM - edited 02-21-2020 09:31 PM
Hi All,
I have a Cisco 1800 router configured with remote access VPN. My internal LANs are 192.168.1.X and 192.168.2.X.
The client pool is configured to be 192.168.100.X. I can connect to the VPN and get an IP as per the client pool, but I cannot access the internal LAN except when I have an IP address in the range 192.168.1.X or 2.X on my remote laptop.
Remote PC IP 192.168.1.X or 2.X- VPN client IP 192.168.100.X---> Internal LAN accessible
Remote PC IP other than 192.168.1.X or 2.X - VPN client IP 192.168.100.X---> Internal LAN inaccessible
Please find below vpn config for your reference.
aaa new-model
!
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network VPN_CLIENT_GROUP local
!
username admin secret 5 "PASSWORD"
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp client configuration group VPN_CLIENTS
key "KEY"
dns X.X.X.X
domain KK.local
pool VPN_CLIENT-POOL
acl 110
max-users 10
max-logins 10
!
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
mode tunnel
no crypto ipsec nat-transparency udp-encapsulation
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
set transform-set TRANS_3DES_SHA
reverse-route
!
crypto map EXT_MAP local-address Vlan1
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
interface Vlan1
description *** LAN ***
ip address 192.168.2.1 255.255.255.0 secondary
ip address Y.Y.Y.Y 255.255.255.252
ip nat inside
ip virtual-reassembly in
!
ip local pool VPN_CLIENT-POOL 192.168.100.0 192.168.100.255
!
ip nat inside source list NAT interface Vlan1 overload
!
ip route 0.0.0.0 0.0.0.0 "ISP NEXT HOP"
ip route 192.168.1.0 255.255.255.0 192.168.2.2
!
ip access-list extended NAT
deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip any any
!
access-list 110 permit ip 192.168.100.0 0.0.0.255 host 0.0.0.0
Looking forward to any help.
Thanks & Regards
Ahmed...
11-25-2018 07:59 AM
Hi,
What other IP addresses can you not connect to? You've only got a static route for the internal network 192.168.1.0/24; everything else would be routed out of the default gateway.
ip route 0.0.0.0 0.0.0.0 "ISP NEXT HOP"
ip route 192.168.1.0 255.255.255.0 192.168.2.2
You'd need to define a static route for the other internal networks.
HTH
11-25-2018 07:26 PM
Hello,
I have only one subnet as internal LAN 192.168.1.X, which already has route to reach via 192.168.2.X.
11-26-2018 12:39 AM
11-26-2018 10:22 AM
The computer from which I am connecting to the VPN should have an IP address in the 192.168.1.X or 192.168.2.X range; then I will be able to connect to the VPN and access the internal LAN subnet 192.168.1.X. Otherwise I will be able to connect to the VPN but have no access to the internal LAN.
Hope it is clear!!!
11-26-2018 02:22 PM
You have some configuration faults:
access-list 110 permit ip 192.168.100.0 0.0.0.255 host 0.0.0.0 <-- this should not be host 0.0.0.0, it should be any
Also, you are doing NAT exempt for just 192.168.1.0/24 and 192.168.2.0/24, yet it looks like you are trying to send all traffic through the tunnel. You should have a deny ip any 192.168.100.0 0.0.0.255 instead.
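To make both points in this answer concrete, here is an added Python example (not from the thread and not Cisco code) that evaluates the split-tunnel ACL 110 and the NAT exemption ACL from the posted config using IOS wildcard-mask semantics (a 0 bit in the wildcard must match, a 1 bit is ignored, first match wins, implicit deny at the end). The ACL lines are copied from the config above; the "fixed" variants apply the two corrections suggested in this answer. The test addresses 192.168.100.5, 192.168.1.10 and 192.168.3.10 are constructed for illustration and are not from the thread.

```python
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: bits set to 0 in the wildcard must match, bits set to 1 are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    action: str      # "permit" or "deny"
    src: tuple       # (network, wildcard)
    dst: tuple       # (network, wildcard)


def parse_ace(line):
    """Parse the subset of IOS extended ACE syntax used in the thread:
    '[access-list N] <permit|deny> ip <src> <dst>', where each side is
    'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tokens = line.split()
    if tokens[0] == "access-list":      # numbered ACL prefix, e.g. 'access-list 110 ...'
        tokens = tokens[2:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("unsupported ACE: " + line)
    sides = []
    while rest:
        if rest[0] == "any":
            sides.append(("0.0.0.0", "255.255.255.255"))   # 'any' == 0.0.0.0 255.255.255.255
            rest = rest[1:]
        elif rest[0] == "host":
            sides.append((rest[1], "0.0.0.0"))             # 'host X' == X 0.0.0.0
            rest = rest[2:]
        else:
            sides.append((rest[0], rest[1]))
            rest = rest[2:]
    src, dst = sides
    return Ace(action, src, dst)


def evaluate(acl, src, dst):
    """First-match evaluation of a list of ACE strings; unmatched traffic hits the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action
    return "deny"


# Split-tunnel ACL 110 as posted, and as corrected in this answer ('host 0.0.0.0' -> 'any').
SPLIT_ORIGINAL = ["access-list 110 permit ip 192.168.100.0 0.0.0.255 host 0.0.0.0"]
SPLIT_FIXED = ["access-list 110 permit ip 192.168.100.0 0.0.0.255 any"]

# NAT ACL as posted (exempts only two source subnets) and as corrected ('deny ip any <pool>').
# For a NAT ACL, 'permit' means translate and 'deny' means exempt from translation.
NAT_ORIGINAL = [
    "deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255",
    "deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255",
    "permit ip any any",
]
NAT_FIXED = [
    "deny ip any 192.168.100.0 0.0.0.255",
    "permit ip any any",
]

# Constructed sample addresses (not from the thread): a VPN client, a LAN host,
# and a host on a subnet the original NAT exemption does not cover.
CLIENT, LAN_HOST, OTHER_HOST = "192.168.100.5", "192.168.1.10", "192.168.3.10"


def check_scenarios():
    """Return the verdict of each ACL for the sample flows."""
    return {
        "split_original": evaluate(SPLIT_ORIGINAL, CLIENT, LAN_HOST),   # 'deny': only dst 0.0.0.0 matches
        "split_fixed": evaluate(SPLIT_FIXED, CLIENT, LAN_HOST),         # 'permit'
        "nat_original_lan": evaluate(NAT_ORIGINAL, LAN_HOST, CLIENT),   # 'deny' (exempt)
        "nat_original_other": evaluate(NAT_ORIGINAL, OTHER_HOST, CLIENT),  # 'permit' (wrongly translated)
        "nat_fixed_other": evaluate(NAT_FIXED, OTHER_HOST, CLIENT),     # 'deny' (exempt)
    }


if __name__ == "__main__":
    for name, verdict in check_scenarios().items():
        print(f"{name}: {verdict}")
```

The split-tunnel result shows why `host 0.0.0.0` is a dead entry: its wildcard is all zeros, so only a destination of exactly 0.0.0.0 matches, and traffic towards the LAN falls through to the implicit deny. The NAT result shows the gap the answer points at: replies to the VPN pool from any source not listed in the two deny lines get translated, while `deny ip any 192.168.100.0 0.0.0.255` exempts every source in one line.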