Remote Access VPN issue

ahmed.gadi
Beginner

Hi All,

I have a Cisco 1800 router configured with remote access VPN. My internal LANs are 192.168.1.X and 192.168.2.X.

The client pool is configured to be 192.168.100.X. I can connect to the VPN and get an IP from the client pool, but I cannot access the internal LAN except when I have an IP address in the range 192.168.1.X or 2.X on my remote laptop.

Remote PC IP 192.168.1.X or 2.X - VPN client IP 192.168.100.X ---> Internal LAN accessible

Remote PC IP other than 192.168.1.X or 2.X - VPN client IP 192.168.100.X ---> Internal LAN inaccessible

Please find the VPN config below for your reference.

aaa new-model
!
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network VPN_CLIENT_GROUP local
!
username admin secret 5 "PASSWORD"
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp client configuration group VPN_CLIENTS
 key "KEY"
 dns X.X.X.X
 domain KK.local
 pool VPN_CLIENT-POOL
 acl 110
 max-users 10
 max-logins 10
!
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
 mode tunnel
no crypto ipsec nat-transparency udp-encapsulation
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
 set transform-set TRANS_3DES_SHA
 reverse-route
!
crypto map EXT_MAP local-address Vlan1
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
interface Vlan1
 description *** LAN ***
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address Y.Y.Y.Y 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
!
ip local pool VPN_CLIENT-POOL 192.168.100.0 192.168.100.255
!
ip nat inside source list NAT interface Vlan1 overload
!
ip route 0.0.0.0 0.0.0.0 "ISP NEXT HOP"
ip route 192.168.1.0 255.255.255.0 192.168.2.2
!
ip access-list extended NAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip any any
!
access-list 110 permit ip 192.168.100.0 0.0.0.255 host 0.0.0.0

Looking forward to any help.

Thanks & Regards

Ahmed...

5 Replies

Rob Ingram
VIP Expert

Hi,

What other IP addresses can you not connect to? You've only got a static route for the internal network 192.168.1.0/24; everything else would be routed out of the default gateway.

ip route 0.0.0.0 0.0.0.0 "ISP NEXT HOP"
ip route 192.168.1.0 255.255.255.0 192.168.2.2

You'd need to define a static route for the other internal networks.

HTH
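As an added illustration of the routing point in the reply above (example code written for this page, not from the thread or any of its participants), the following walks the routes visible in the posted config with a longest-prefix match and reports where the router would forward traffic to several internal destinations. The /32 for 192.168.100.5 is a constructed example of the host route that "reverse-route" on the dynamic crypto map injects for a connected client; the masked "ISP NEXT HOP" and Y.Y.Y.Y values are left as placeholders.

```python
import ipaddress

# Routing table reconstructed from the posted config. The connected route comes
# from the Vlan1 secondary address, the static routes from the "ip route" lines,
# and the /32 is the kind of host route that "reverse-route" injects for a
# connected client (192.168.100.5 is a constructed example, not from the post).
# The masked Y.Y.Y.Y/30 WAN subnet is omitted since its value is unknown.
ROUTES = [
    ("0.0.0.0/0",        "default via ISP NEXT HOP"),
    ("192.168.1.0/24",   "static via 192.168.2.2"),
    ("192.168.2.0/24",   "connected, Vlan1 secondary"),
    ("192.168.100.5/32", "reverse-route to VPN client"),
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def classify(destinations, routes=ROUTES):
    """Map each destination to the route the router would use for it."""
    return {dst: lookup(dst, routes) for dst in destinations}


if __name__ == "__main__":
    # Constructed sample hosts a VPN client might try to reach. Anything not
    # covered by a more specific route falls through to the default route.
    sample = ["192.168.1.10", "192.168.2.50", "192.168.3.10", "192.168.100.5"]
    for dst, via in classify(sample).items():
        print(f"{dst:15} -> {via}")
```

Any internal subnet that does not appear in the table (for example a 192.168.3.0/24 segment) resolves to the default route, which is the situation the reply describes.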

Hello,

I have only one subnet as the internal LAN, 192.168.1.X, which already has a route to reach it via 192.168.2.X.