
Remote Access VPN issue


Hi All,

I have a Cisco 1800 router configured with remote access VPN. My internal LANs are 192.168.1.X and 192.168.2.X.

The client pool is configured to be 192.168.100.X. I can connect to the VPN and get an IP from the client pool, but I cannot access the internal LAN except when my remote laptop has an IP address in the range 192.168.1.X or 2.X.


Remote PC IP 192.168.1.X or 2.X - VPN client IP 192.168.100.X ---> Internal LAN accessible

Remote PC IP other than 192.168.1.X or 2.X - VPN client IP 192.168.100.X ---> Internal LAN inaccessible


Please find the VPN config below for your reference.


aaa new-model
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network VPN_CLIENT_GROUP local
username admin secret 5 "PASSWORD"
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp client configuration group VPN_CLIENTS
 key "KEY"
 dns X.X.X.X
 domain KK.local
 acl 110
 max-users 10
 max-logins 10
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
 mode tunnel
no crypto ipsec nat-transparency udp-encapsulation
crypto dynamic-map EXT_DYNAMIC_MAP 10
 set transform-set TRANS_3DES_SHA
crypto map EXT_MAP local-address Vlan1
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
interface Vlan1
 description *** LAN ***
 ip address secondary
 ip address Y.Y.Y.Y
 ip nat inside
 ip virtual-reassembly in
ip local pool VPN_CLIENT-POOL
ip nat inside source list NAT interface Vlan1 overload
ip route "ISP NEXT HOP"
ip route
ip access-list extended NAT
 deny   ip
 deny   ip
 permit ip any any
access-list 110 permit ip host

Looking forward to any help.


Thanks & Regards
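An added example (my own Python, not code from the thread or from Cisco) that lints a config of this shape for the three things a client in the pool depends on: a NAT exemption from each LAN toward the pool in the named NAT ACL, a split-tunnel ACL entry for each LAN, and a route to each LAN that is not directly connected. The names check_vpn_config and acl_net are my own, and the SAMPLE_CONFIG inside is constructed with placeholder addresses because the posted config is redacted.

```python
import ipaddress
# Constructed sample shaped like the posted config (addresses are placeholders, not the poster's
# redacted ones); 192.168.2.0/24 is deliberately absent from the NAT exemption and split ACL.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group VPN_CLIENTS
 acl 110
ip local pool VPN_CLIENT-POOL 192.168.100.1 192.168.100.50
ip nat inside source list NAT interface Vlan1 overload
ip route 192.168.2.0 255.255.255.0 192.168.1.254
ip access-list extended NAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip any any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
"""

def acl_net(tokens):
    """Parse one IOS ACL address clause (any / host X / addr wildcard); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        tokens = [tokens[1], "0.0.0.0"] + tokens[2:]  # normalise 'host X' to 'X 0.0.0.0'
    mask = "32" if tokens[1] == "0.0.0.0" else tokens[1]  # ipaddress accepts IOS wildcards as host masks
    return ipaddress.ip_network(f"{tokens[0]}/{mask}"), tokens[2:]

def check_vpn_config(config, lan_subnets, connected):
    """Return one finding per LAN subnet and per reason clients in the VPN pool cannot reach it."""
    nat_exempt, split_src, routes, section, pool, nat_acl, split_acl = [], [], [], "", None, None, None
    for raw in config.splitlines():
        t = raw.split()
        section = section if raw.startswith(" ") else raw.strip()  # named-ACL entries are indented
        if raw.startswith("ip local pool "):
            pool = (ipaddress.ip_address(t[4]), ipaddress.ip_address(t[5]))
        elif raw.startswith("ip nat inside source list "):
            nat_acl = t[5]
        elif raw.startswith("ip route "):
            routes.append(ipaddress.ip_network(f"{t[2]}/{t[3]}"))
        elif raw.strip().startswith("acl "):
            split_acl = t[1]  # split-tunnel ACL the isakmp client group pushes to clients
        elif section == f"ip access-list extended {nat_acl}" and t[:2] == ["deny", "ip"]:
            src, rest = acl_net(t[2:])
            nat_exempt.append((src, acl_net(rest)[0]))
        elif raw.startswith(f"access-list {split_acl} permit ip "):
            split_src.append(acl_net(t[4:])[0])
    return [f"{lan}: {msg}" for lan in map(ipaddress.ip_network, lan_subnets) for ok, msg in (
        (any(lan.subnet_of(s) and pool[0] in d and pool[1] in d for s, d in nat_exempt),
         f"no NAT exemption toward the pool in ACL {nat_acl}, replies to clients get PATed"),
        (any(lan.subnet_of(s) for s in split_src), f"not in split-tunnel ACL {split_acl}"),
        (str(lan) in connected or lan in routes, "neither connected nor covered by a static route"),
    ) if not ok]
```

Running it with both LAN subnets and only 192.168.1.0/24 as connected reports the two missing entries for 192.168.2.0/24; the NAT deny entries must also precede the final permit, which this checker does not verify.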



Rob Ingram
VIP Expert


What other IP addresses can you not connect to? You've only got a static route for the internal network; everything else would be routed out of the default gateway.


ip route "ISP NEXT HOP"
ip route


You'd need to define a static route for the other internal networks.




I have only one subnet as internal LAN, 192.168.1.X, which already has a route to reach via 192.168.2.X.


In that case, I don't understand the question. Can you re-phrase it?