Remote Access VPN issue

ahmed.gadi (Beginner)

Hi All,

I have a Cisco 1800 router configured with remote access VPN. My internal LANs are 192.168.1.X and 192.168.2.X.

The client pool is configured as 192.168.100.X. I can connect to the VPN and get an IP from the client pool, but I cannot access the internal LAN except when my remote laptop has an IP address in the 192.168.1.X or 2.X range.

Remote PC IP 192.168.1.X or 2.X, VPN client IP 192.168.100.X ---> internal LAN accessible

Remote PC IP other than 192.168.1.X or 2.X, VPN client IP 192.168.100.X ---> internal LAN inaccessible

Please find the VPN config below for your reference.

aaa new-model
!
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network VPN_CLIENT_GROUP local
!
username admin secret 5 "PASSWORD"
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp client configuration group VPN_CLIENTS
 key "KEY"
 dns X.X.X.X
 domain KK.local
 pool VPN_CLIENT-POOL
 acl 110
 max-users 10
 max-logins 10
!
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
 mode tunnel
no crypto ipsec nat-transparency udp-encapsulation
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
 set transform-set TRANS_3DES_SHA
 reverse-route
!
crypto map EXT_MAP local-address Vlan1
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
interface Vlan1
 description *** LAN ***
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address Y.Y.Y.Y 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
!
ip local pool VPN_CLIENT-POOL 192.168.100.0 192.168.100.255
!
ip nat inside source list NAT interface Vlan1 overload
!
ip route 0.0.0.0 0.0.0.0 "ISP NEXT HOP"
ip route 192.168.1.0 255.255.255.0 192.168.2.2
!
ip access-list extended NAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip any any
!
access-list 110 permit ip 192.168.100.0 0.0.0.255 host 0.0.0.0

Looking forward to any help.

Thanks & Regards

Ahmed...

5 Replies

Rob Ingram (VIP Expert)

Hi,

What other IP addresses can you not connect to? You've only got a static route for the internal network 192.168.1.0/24; everything else would be routed out of the default gateway.

ip route 0.0.0.0 0.0.0.0 "ISP NEXT HOP"
ip route 192.168.1.0 255.255.255.0 192.168.2.2

You'd need to define a static route for the other internal networks.

HTH

Hello,

I have only one subnet as the internal LAN, 192.168.1.X, which already has a route to reach it via 192.168.2.X.

In that case, I don't understand the question. Can you re-phrase it?

If the computer from which I am connecting to the VPN has an IP address in the 192.168.1.X or 192.168.2.X range, I am able to connect to the VPN and access the internal LAN subnet 192.168.1.X; otherwise I am able to connect to the VPN but have no access to the internal LAN.

Hope it is clear!!!

Marius Gunnerud (VIP Advisor)

You have some configuration faults:

access-list 110 permit ip 192.168.100.0 0.0.0.255 host 0.0.0.0 <-- this should not be host 0.0.0.0; it should be any

Also, you are doing NAT exemption for just 192.168.1.0/24 and 192.168.2.0/24, yet it looks like you are trying to send all traffic through the tunnel. You should have a deny ip any 192.168.100.0 0.0.0.255 instead.

--
Please remember to select a correct answer and rate helpful posts
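To make the two faults above concrete, here is an added Python example (not part of the original thread or of Cisco IOS) that evaluates IOS-style wildcard-mask access lists against a few constructed flows. It compares the split-tunnel ACL 110 and the NAT exemption list exactly as posted with the corrected versions the reply describes. The source addresses 10.10.10.10 and 203.0.113.9 are constructed sample values, not from the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # "A.B.C.D W.X.Y.Z" (address + wildcard), "host A.B.C.D", or "any"
    dst: str


def _matches(spec: str, addr: str) -> bool:
    """IOS address matching: a wildcard bit set to 1 means 'don't care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        # 'host X' is shorthand for 'X 0.0.0.0': only that one address matches.
        return ipaddress.IPv4Address(spec.split()[1]) == ipaddress.IPv4Address(addr)
    base, wildcard = spec.split()
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, src: str, dst: str) -> str:
    """First-match evaluation, with the implicit 'deny' at the end of every IOS ACL."""
    for entry in acl:
        if _matches(entry.src, src) and _matches(entry.dst, dst):
            return entry.action
    return "deny"


# Split-tunnel list as posted: 'host 0.0.0.0' matches only the address 0.0.0.0,
# so no real LAN destination is ever selected for the tunnel.
SPLIT_TUNNEL_AS_POSTED = [AclEntry("permit", "192.168.100.0 0.0.0.255", "host 0.0.0.0")]
# Corrected per the reply: 'any' instead of 'host 0.0.0.0'.
SPLIT_TUNNEL_FIXED = [AclEntry("permit", "192.168.100.0 0.0.0.255", "any")]

# NAT list as posted: 'deny' lines are the exemptions, 'permit' means translate.
NAT_AS_POSTED = [
    AclEntry("deny", "192.168.1.0 0.0.0.255", "192.168.100.0 0.0.0.255"),
    AclEntry("deny", "192.168.2.0 0.0.0.255", "192.168.100.0 0.0.0.255"),
    AclEntry("permit", "any", "any"),
]
# Corrected per the reply: exempt everything destined for the VPN client pool.
NAT_FIXED = [
    AclEntry("deny", "any", "192.168.100.0 0.0.0.255"),
    AclEntry("permit", "any", "any"),
]


def tunnel_selected(acl, src: str, dst: str) -> bool:
    """True if the split-tunnel list sends this flow through the IPsec tunnel."""
    return evaluate(acl, src, dst) == "permit"


def nat_translated(acl, src: str, dst: str) -> bool:
    """True if the NAT list would translate this flow (i.e. it is NOT exempt)."""
    return evaluate(acl, src, dst) == "permit"


def report() -> dict:
    """Evaluate constructed sample flows against the posted and corrected lists."""
    client, lan_host = "192.168.100.5", "192.168.1.10"
    other_src = "10.10.10.10"       # constructed: any source outside 192.168.1/2
    internet = "203.0.113.9"        # constructed: a non-VPN destination
    return {
        "split_posted_selects_lan": tunnel_selected(SPLIT_TUNNEL_AS_POSTED, client, lan_host),
        "split_fixed_selects_lan": tunnel_selected(SPLIT_TUNNEL_FIXED, client, lan_host),
        "nat_posted_lan_to_client": nat_translated(NAT_AS_POSTED, lan_host, client),
        "nat_posted_other_to_client": nat_translated(NAT_AS_POSTED, other_src, client),
        "nat_fixed_other_to_client": nat_translated(NAT_FIXED, other_src, client),
        "nat_fixed_lan_to_internet": nat_translated(NAT_FIXED, lan_host, internet),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

With the list as posted, no LAN destination is selected for the tunnel and any source outside 192.168.1.0/24 or 192.168.2.0/24 is still translated when talking to a VPN client; with the corrected lists, the LAN destination is selected and everything bound for the 192.168.100.0/24 pool is exempt from NAT while ordinary Internet-bound traffic is still translated.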