02-02-2005 04:41 PM - edited 02-21-2020 01:35 PM
I have an IOS vpn server with nat for client internet access. VPN clients can connect, ping hosts, get e-mail but can't access intranet pages or ftp. I want the vpn clients to act like they're on the local subnet. Can post config if needed.
02-02-2005 06:41 PM
Please do post the entire config here, scrubbing sensitive info such as passwords. I am looking to see how nat is setup, and what dns domain name and wins servers are issued to the clients.
You mentioned ping, is that by hostname or ip address?
What version of the vpn client is installed on the client workstations? One item to check, if you are using the ms win os client, is the MTU size setting on the virtual adapter. If it is set to 1500, and the clients connect via PPPoE, then path mtu discovery may not work properly, and ftp control sessions will work, but the data sessions will not. If you are unsure, have a user run the set mtu utility (they may need admin privileges to do so) and explicitly set the virtual adapter mtu to 1300.
Let me know what you find.
02-03-2005 07:25 AM
I can ping the web server via hostname so I know I'm getting name resolution. The vpn client is the Cisco client version 4.x, and the mtu on the clients is 1492 or less because I had a different problem and lowering the mtu resolved it. Take a look at the config, the vpn config was done using SDM v2.0.
02-03-2005 08:52 AM
Is there a reason for this line in the config:
ip route 192.168.19.0 255.255.255.0 FastEthernet1/0
The crypto map terminates on the Dialer 1 interface. I also would like you to validate that the pings that you state work, actually flow thru the vpn tunnel.
Can you run an Ethereal or a SNIFFER trace on the pings to see if they actually flow thru the tunnel. Do this after removing the ip route statement to 192.168.19.0/24.
Let me know what you find.
02-03-2005 09:02 AM
Ignore my 1st post on 02/03. I overlooked the reverse-route injection which should get the correct pathing to take place. Also ignore my comments about the pings.
I would like you to try this:
Once a vpn connection is established run this command:
telnet 192.168.2.8 80
If all goes well, then the screen should go blank and no messages will appear. Let me know how this works out. If it fails, look for any log messages on the gateway or the syslog server to see if you can find a clue.
02-03-2005 09:11 AM
No luck trying to telnet. And no log entries. Although I'm not logging acl matches. I can't even telnet to the local router interface 198.168.2.5. I can ping the interface and even ping via hostname. The vpn client log does show a ping "sent on the Public IPSec SA".
02-03-2005 09:55 AM
In looking at the config, I assume that the ipsec vpn connections flow over a router-to-router GRE tunnel. Is that correct?
On the telnet attempt did you use 80 as the dest. port? The default port of 23 may not be allowed, if you have an acl applied to the vty lines.
02-03-2005 08:33 PM
Hi Egan,
To start with, can you please remove the static NAT configuration temporarily and try accessing the webservers through your VPN clients.
Please let me know if you are successful.
Regards,
Ravikumar
02-04-2005 08:59 AM
Hey,
All of them or just the static translation for port 80?
02-04-2005 09:20 AM
That's it. I removed the translation for port 80 and that corrected the situation. I thought that the vpn traffic was being protected from nat? Still though I'm going to need that translation, any ideas on getting them to co-exist?
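One way to let the port-80 static translation and the VPN coexist, as an added example that is not from this thread and not the poster's config: attach a route-map to the static entry so that traffic between the web server and the VPN clients is exempted from translation and still matches the tunnel. Assumptions: 192.168.19.0/24 is the pool handed to VPN clients, 203.0.113.10 is a placeholder for the public address on Dialer1, and the ACL and route-map names are made up.

```cisco
! Replies from the web server to VPN clients must not be translated, otherwise
! the client sees them come from the public address instead of 192.168.2.8.
! Assumption: 192.168.19.0/24 is the VPN client address pool.
ip access-list extended NONAT-WEB
 deny   tcp host 192.168.2.8 eq 80 192.168.19.0 0.0.0.255
 permit tcp host 192.168.2.8 eq 80 any
!
route-map NONAT-WEB permit 10
 match ip address NONAT-WEB
!
! Static port translation for the web server, now gated by the route-map.
! 203.0.113.10 is a placeholder for the public address on Dialer1.
ip nat inside source static tcp 192.168.2.8 80 203.0.113.10 80 extendable route-map NONAT-WEB
!
! Assumption: if outside-initiated connections to port 80 stop working once the
! route-map is attached, the IOS release in use may need the 'reversible'
! keyword on the line above; check the NAT command reference for that release.
!
! Checks after a client connects:
!   show ip nat translations | include 192.168.2.8
!     -> no entry with a 192.168.19.x peer; outside users still get an entry
!   show crypto ipsec sa
!     -> decaps/encaps counters for the client SA increase on a browser request
```

Ping kept working before the change only because the static entry matched TCP port 80 and not ICMP, which is why the symptom looked protocol-specific.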