Remote client (using VPN client) can't access HO LAN. :(

tahayaseen4k
Level 1

Dear All,

I have a serious problem to solve ASAP.

Following are my configurations.

Easy VPN is configured and working perfectly, but I can't access the head office LAN segments.

The VPN router is configured with two interfaces: one has a live IP and the other is connected to another router, which is configured with the LANs.

Internal networks are accessible using the VPN router, but when remote users VPN into the network they are unable to access the desired network.

I appreciate your prompt response.

Following are the configurations on router.


vpn con0 is now available

Press RETURN to get started.


User Access Verification

Username: admin
Password:

vpn>
vpn>
vpn>
vpn>en
vpn#
vpn#
vpn#sh run
Building configuration...

Current configuration : 4306 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vpn
!
boot-start-marker
boot system flash c2801-adventerprisek9-mz.124-11.t.bin
boot-end-marker
!
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
ip cef
!
!
!
!
ip domain name company.local
ip name-server 178.32.51.4
ip name-server 76.73.18.50
!
multilink bundle-name authenticated
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-971475735
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-971475735
revocation-check none
rsakeypair TP-self-signed-971475735
!
!
crypto pki certificate chain TP-self-signed-971475735
certificate self-signed 01
  quit
!
!
username admin privilege 15 password 0 xxxxxxx!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key Win2008
pool SDM_POOL_2
acl 101
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group vpn
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
!
interface FastEthernet0/0
ip address 94.56.217.6 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.100.100.10 255.255.255.0
duplex auto
speed auto
!
interface ATM0/1/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface Serial0/2/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
ip access-group 100 in
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
ip local pool SDM_POOL_1 192.168.120.10 192.168.120.20
ip local pool SDM_POOL_2 193.0.0.10 193.0.0.20
ip default-gateway 94.56.217.5
ip route 0.0.0.0 0.0.0.0 94.56.217.5
ip route 192.168.0.0 255.255.0.0 172.100.100.2
!
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.116.0 0.0.0.255 any
access-list 100 permit ip 192.168.117.0 0.0.0.255 any
access-list 100 permit ip 192.168.120.0 0.0.0.255 192.168.116.0 0.0.0.255
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.116.0 0.0.0.255 any
access-list 101 permit ip 192.168.117.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
end


Jennifer Halim
Cisco Employee

Temporarily remove ACL 100 from the Virtual-Template1 interface.

That ACL does not include the necessary line to allow access from the VPN client subnet 193.0.0.0/24 (SDM_POOL_2), which is the VPN client pool assigned to your VPN config.
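
The check described in the reply, as an added example that is not part of the original thread or any Cisco tool: it evaluates ACL 100 from the posted config (first match wins, implicit deny at the end) against every address in SDM_POOL_2. The destination host 192.168.116.1 and the CANDIDATE permit line are assumptions made for illustration.

```python
import ipaddress

# Lines copied from the "sh run" output in the post (pool and ACL 100 only).
CONFIG = """\
ip local pool SDM_POOL_2 193.0.0.10 193.0.0.20
access-list 100 permit ip 192.168.116.0 0.0.0.255 any
access-list 100 permit ip 192.168.117.0 0.0.0.255 any
access-list 100 permit ip 192.168.120.0 0.0.0.255 192.168.116.0 0.0.0.255
"""
# Assumption: one possible permit line for the client pool; not from the thread.
CANDIDATE = "access-list 100 permit ip 193.0.0.0 0.0.0.255 192.168.116.0 0.0.0.255\n"

def ip(s):
    return int(ipaddress.IPv4Address(s))

def take_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD' and return (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return ip(tok.pop(0)), 0
    return ip(first), ip(tok.pop(0))

def parse_acl(config, number):
    """Return [(action, src, dst)] for 'access-list N permit|deny ip ...' lines."""
    rules = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["access-list", str(number)] and t[2:4] in (["permit", "ip"], ["deny", "ip"]):
            rest = t[4:]
            rules.append((t[2], take_addr(rest), take_addr(rest)))
    return rules

def hit(addr, spec):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (addr | wild) == (base | wild)

def acl_action(rules, src, dst):
    """First matching entry wins; IOS appends an implicit deny to every ACL."""
    for action, s, d in rules:
        if hit(ip(src), s) and hit(ip(dst), d):
            return action
    return "deny"

def denied_pool_hosts(config, acl, pool, dst):
    """Pool addresses whose packets to dst are dropped by the ACL."""
    lo, hi = next(l.split()[4:6] for l in config.splitlines()
                  if l.split()[:4] == ["ip", "local", "pool", pool])
    addrs = (str(ipaddress.IPv4Address(n)) for n in range(ip(lo), ip(hi) + 1))
    return [a for a in addrs if acl_action(parse_acl(config, acl), a, dst) == "deny"]
```

Calling `denied_pool_hosts(CONFIG, 100, "SDM_POOL_2", "192.168.116.1")` lists every pool address, because only SDM_POOL_1's 192.168.120.0/24 range has an entry in ACL 100; with `CONFIG + CANDIDATE` the list is empty for that destination.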