1194 Views, 0 Helpful, 6 Replies

Unable to access LAN from VPN Client

clark-computers
Level 1

I have configured an 877 for VPN Client access. The Client authenticates and connects and gets an IP address off the IP pool. However, it cannot access anything on the IP network.

I've included my router's config. The VPN Client is v5.0.05.0290.

Any ideas as to what I am missing?


6 Replies

vincent.monnier
Level 1

Hello,

I think it's a firewall (ACL) issue.

Once the IPSec packets have been decrypted, they are passing through the ACL configured on the External interface.

You should add a "permit ip 192.168.201.0 0.0.0.255 192.168.1.0 0.0.0.255" at the beginning of the ACL [ext-ACL-IN] protecting the WAN interface.

I'm wondering if ext-ACL-IN should also allow esp traffic.

I have put in a statement permit esp in. Here is the output of show ip access-list ext-ACL-IN:

Extended IP access list ext-ACL-IN
5 permit ip 192.168.201.0 0.0.0.255 192.168.1.0 0.0.0.255
10 deny tcp any any log fragments
20 deny udp any any log fragments
30 deny icmp any any log fragments
40 deny ip any any log fragments
50 deny ip any any option any-options
60 deny ip any any ttl lt 3
70 deny ip host 0.0.0.0 any
80 deny ip 127.0.0.0 0.255.255.255 any
90 deny ip 192.0.2.0 0.0.0.255 any
100 deny ip 224.0.0.0 31.255.255.255 any
110 deny ip 10.0.0.0 0.255.255.255 any
120 deny ip 172.16.0.0 0.15.255.255 any
130 deny ip 192.168.0.0 0.0.255.255 any
140 permit udp any eq domain any (3330 matches)
150 permit udp any eq ntp any (1700 matches)
160 permit udp any any eq isakmp (774 matches)
170 permit udp any any eq non500-isakmp (347 matches)
180 permit esp any any
190 permit icmp any any time-exceeded
200 permit icmp any any unreachable (159 matches)
210 permit icmp any any echo-reply
220 permit tcp any any established (87522 matches)
230 deny ip any any (1471 matches)

Also, attached is an output of the VPN client's route table: before and then after a connection is established.

Can you verify that the devices on your internal network have a route to the address pool used by the VPN client?

I can confirm that this is the case. In fact, the router with the VPN Client config is the LAN default gateway as well.

vincent.monnier
Level 1
Accepted Solution

Can you try to reverse your Client-VPN ACL? I think it's written in the wrong way.

For example:

ip access-list extended Client-VPN
 remark *** permit Client VPN pool ***
 permit ip any 192.168.201.0 0.0.0.255

or, more accurately:

ip access-list extended Client-VPN
 remark *** permit Client VPN pool ***
 permit ip 192.168.1.0 0.0.0.255 192.168.201.0 0.0.0.255
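As an added illustration that is not part of this thread (my own code, not the router's), here is a small Python model of Cisco wildcard-mask ACL matching, run over the protocol-ip entries of the ext-ACL-IN posted above (tcp/udp/icmp lines are left out, and the packet addresses are constructed). It shows why a decrypted packet from the 192.168.201.0/24 pool to 192.168.1.0/24 is permitted by line 5 but would otherwise be caught by the RFC1918 anti-spoofing entry at line 130, and why 255.255.255.0 used as a wildcard is not a /24 (it matches any address ending in .0, not the 192.168.1.0 network).

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr)) & care
    b = int(ipaddress.IPv4Address(base)) & care
    return a == b

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return it and the rest."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'SEQ permit|deny ip SRC DST' lines; other protocols are skipped here."""
    acl = []
    for line in text.strip().splitlines():
        seq, action, proto, *rest = line.split()
        if proto != "ip":
            continue
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        acl.append({"seq": int(seq), "action": action, "src": src, "dst": dst})
    return acl

def evaluate(acl, src, dst):
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    for ace in acl:
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["seq"], ace["action"]
    return None, "deny"

# Constructed subset of the ext-ACL-IN shown in the thread (protocol-ip entries only).
EXT_ACL_IN = """
5 permit ip 192.168.201.0 0.0.0.255 192.168.1.0 0.0.0.255
70 deny ip host 0.0.0.0 any
80 deny ip 127.0.0.0 0.255.255.255 any
110 deny ip 10.0.0.0 0.255.255.255 any
120 deny ip 172.16.0.0 0.15.255.255 any
130 deny ip 192.168.0.0 0.0.255.255 any
230 deny ip any any
"""

def decrypted_vpn_verdict(with_line_5):
    """Verdict for a decrypted pool-to-LAN packet, with or without line 5 present."""
    acl = [a for a in parse_acl(EXT_ACL_IN) if with_line_5 or a["seq"] != 5]
    return evaluate(acl, "192.168.201.10", "192.168.1.20")

if __name__ == "__main__":
    print(decrypted_vpn_verdict(True))   # (5, 'permit')
    print(decrypted_vpn_verdict(False))  # (130, 'deny'): the anti-spoof line wins
    print(wildcard_match("10.20.30.0", "192.168.1.0", "255.255.255.0"))  # True
```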