Remote Access VPN issue


Hi All,

I have a Cisco 1800 router configured with remote access VPN. My internal LANs are 192.168.1.X and 192.168.2.X.

The client pool is configured as 192.168.100.X. I can connect to the VPN and get an IP from the client pool, but I cannot access the internal LAN except when my remote laptop has an IP address in the 192.168.1.X or 2.X range.


Remote PC IP 192.168.1.X or 2.X - VPN client IP 192.168.100.X ---> Internal LAN accessible

Remote PC IP other than 192.168.1.X or 2.X - VPN client IP 192.168.100.X ---> Internal LAN inaccessible


Please find the VPN config below for your reference.


aaa new-model
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network VPN_CLIENT_GROUP local
username admin secret 5 "PASSWORD"
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp client configuration group VPN_CLIENTS
 key "KEY"
 dns X.X.X.X
 domain KK.local
 acl 110
 max-users 10
 max-logins 10
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
 mode tunnel
no crypto ipsec nat-transparency udp-encapsulation
crypto dynamic-map EXT_DYNAMIC_MAP 10
 set transform-set TRANS_3DES_SHA
crypto map EXT_MAP local-address Vlan1
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
interface Vlan1
 description *** LAN ***
 ip address secondary
 ip address Y.Y.Y.Y
 ip nat inside
 ip virtual-reassembly in
ip local pool VPN_CLIENT-POOL
ip nat inside source list NAT interface Vlan1 overload
ip route "ISP NEXT HOP"
ip route
ip access-list extended NAT
 deny   ip
 deny   ip
 permit ip any any
access-list 110 permit ip host

I look forward to any help.


Thanks & Regards


5 Replies

Rob Ingram
VIP Expert


What other IP addresses can you not connect to? You've only got a static route for the internal network; everything else would be routed out of the default gateway.


ip route "ISP NEXT HOP"
ip route


You'd need to define a static route for the other internal networks.




I have only one subnet as the internal LAN, 192.168.1.X, which already has a route to be reached via 192.168.2.X.


In that case, I don't understand the question. Can you re-phrase it?

The computer from which I am connecting to the VPN should have an IP address in the 192.168.1.X or 192.168.2.X range; then I am able to connect to the VPN and access the internal LAN subnet 192.168.1.X. Otherwise I am able to connect to the VPN but have no access to the internal LAN.

Hope it is clear!!!

Marius Gunnerud
VIP Advisor

You have some configuration faults.


access-list 110 permit ip host <-- this should not be host, it should be any


Also, you are doing NAT exempt for just and yet it looks like you are trying to send all traffic through the tunnel. You should have a deny ip any instead.

Please remember to select a correct answer and rate helpful posts
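A corrected version of the two ACLs the reply above points at, added here as a constructed example and not the poster's or the reply author's own configuration. It assumes the two LANs named in the thread, a pool of 192.168.100.1 to 192.168.100.50, and that clients should reach both LANs; the split-tunnel ACL is kept narrow on purpose, since a permit ip any any there would send all client traffic through the tunnel.

```cisco
! Constructed example. The 192.168.1.0/24 and 192.168.2.0/24 LANs come from the
! thread; the pool range is an assumption, not the original poster's value.
!
! As posted, the split-tunnel ACL matched a single host and the NAT-exempt ACL
! did not cover the whole VPN pool, so LAN replies to VPN clients were
! PAT-translated out Vlan1 instead of returning through the tunnel.
!
ip local pool VPN_CLIENT-POOL 192.168.100.1 192.168.100.50
!
! NAT exemption: LAN-to-pool traffic must be denied BEFORE the overload permit,
! because the list is evaluated top-down and the first match wins.
ip access-list extended NAT
 remark Do not translate traffic destined for the VPN client pool
 deny   ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip any any
!
! Split-tunnel ACL referenced by "acl 110" in the client group. Source is the
! internal network the router pushes to clients, destination is "any" (the
! client side). Listing only the LANs keeps Internet traffic off the tunnel.
access-list 110 remark Internal networks pushed to VPN clients as tunnelled routes
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
```

After applying this, a connected client should show both LAN networks in its secured routes, and show crypto ipsec sa on the router should show encaps and decaps counters increasing for the client's SA when LAN hosts are reached.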