
VPN client connect but no access to remote LAN issue

Hi all,

I have a router 1841 with port fa0/0 (192.168.0.254) connected directly to the local LAN (192.168.0.0/24).

fa0/1 (192.168.1.254) of the router is connected to the Internet modem (192.168.1.1).

The modem is configured for NATting all ports to 192.168.1.254.

I connect successfully using VPN client 5.0.0.7.410 and I can ping the local port of the router (192.168.0.254), but I can't ping any of the LAN devices.

Also, when I do a ping from inside the router using source interface fa0/1 (192.168.1.254) to the internal network, the ping fails... normal ping with source interface (OK).

Attached are the debug and show commands, with the route print of my laptop, which has the VPN client.

I spent 4 days and I got fed up.

Any solutions, please?

7 Replies

This looks like a classic example of the devices not having a gateway address set up; below is a clue!

when i do ping from inside router using source interface fa0/1 (192.168.1.254) to internal network, ping fails... normal ping with source interface (OK)

Devices on the 192.168.0.0 network should have a gateway address of 192.168.0.254.

 

HTH

Richard

Hi chrbradf1,

Of course they already have a gateway, 192.168.0.254, which is the local port of the router.

See attached: when I do a tracert to 192.168.0.254 from the laptop having the VPN client, it is OK, and when I do a tracert to 192.168.0.14, which is a local PC, it fails.

Any suggestions, plz.

Strange!

Can you show me the "print route" output of 192.168.0.14? And the config of the VPN router doesn't have any ACLs on the interfaces, does it?

Also show the routes on the VPN client (next tab to the statistics). Has the VPN client got a route to the 192.168.0.0 subnet?

I know these are pretty basic questions, but I've got to start somewhere.

 

regards

Richard. 

Hi again,

I have no access to 192.168.0.14 now, and I can confirm to you that it has a gateway of 192.168.0.254.

No, there is no ACL on any interfaces.

Yes, in the VPN client there is, under secured routes, the network 192.168.0.0/24.

Waiting for your feedback, plz.

Mohammed,

Can you share the config of the VPN router? The problem must be with the router.

Here you go:

sh run
Building configuration...

Current configuration : 2839 bytes
!
! No configuration change since last restart
! NVRAM config last updated at 15:58:06 UTC Mon Jan 2 2006 by admin
version 15.1
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname VPNrouter
!
boot-start-marker
boot system flash:c1841-advsecurityk9-mz.151-4.M10.bin
boot-end-marker
!
!
enable password 7 060506324F411F090B
!
aaa new-model
!
!
aaa authentication login acs local
aaa authorization network acs local 
!
!
!
!
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO1841 sn FTX0952W014
username cisco privilege 15 password 7 094F471A1A0A4640585851
username admin privilege 15 password 7 1045081B0A18015A5E57
!
redundancy
!
!

crypto ctcp port 10000 
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group alkaboosexch
 key k@boos123
 pool mypool
 acl 101
 save-password
!
crypto isakmp client configuration group cisco
 key cisco123
 pool mypool
 acl 101
 save-password
crypto isakmp profile vpnclient
   match identity group cisco
   client authentication list acs
   isakmp authorization list acs
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set test esp-3des esp-md5-hmac 
!
crypto ipsec profile vpn
 set transform-set ESP-3DES-SHA 
 set isakmp-profile vpnclient
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 no ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn
!
ip local pool mypool 192.168.30.1 192.168.30.10
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 171 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 171 deny   ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 171 permit ip any any
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 password 7 011807065404155E731F
 transport input all
line vty 5 15
 password 7 011807065404155E731F
 transport input all
!
scheduler allocate 20000 1000
end
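
Added example, not part of any post in this thread: a small Python evaluator for the two extended ACLs in the config above, showing how IOS wildcard masks and first-match order classify a flow. ACL 101 is the list referenced by `acl 101` in the client groups and ACL 171 is the list referenced by `ip nat inside source list 171` (a `permit` there makes a flow eligible for translation, a `deny` exempts it). The function names and the sample flows are constructed for illustration.

```python
import ipaddress

# ACL lines copied verbatim from the running config posted above.
ACL_TEXT = """\
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 171 deny   ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 171 permit ip any any
"""

def _take_addr(tok):
    """Consume one address spec: 'any' or 'ADDRESS WILDCARD'."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    pair = (int(ipaddress.IPv4Address(tok[0])), int(ipaddress.IPv4Address(tok[1])))
    return pair, tok[2:]

def parse_acls(text):
    """Return {acl_number: [(action, src_spec, dst_spec), ...]} in order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # only 'ip' extended entries are handled here
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def _hit(addr, spec):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF  # a wildcard bit of 1 means "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(acls, number, src, dst):
    """First matching entry wins; no match falls through to implicit deny."""
    for action, s, d in acls.get(number, []):
        if _hit(src, s) and _hit(dst, d):
            return action
    return "deny"

def flow_report(acls, src, dst):
    """Classify one flow against both ACLs of the posted config."""
    return {n: evaluate(acls, n, src, dst) for n in ("101", "171")}

if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    # Constructed flows built from addresses that appear in the thread.
    for s, d in [("192.168.0.14", "192.168.30.1"), ("192.168.0.14", "8.8.8.8")]:
        print(s, "->", d, flow_report(acls, s, d))
```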

Hi,

I'd like to inform you too that from the local user (192.168.0.14) I can ping the router outside interface 192.168.1.254 and the Internet modem (192.168.1.1).

Where is the issue?