Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1115
Views
0
Helpful
7
Replies

VPN Established but no access to the internal network resources

CollinsMwesigwaKagombe77292
Level 1
Level 1

‎07-12-2020 04:56 AM

I have a Cisco Router 2921 which i am using to establish a VPN Connection to a remote site. I would like to access the internal network but most especially the server ip 192.168.90.222. I have managed to establish the vpn connection and i have also been able to ping the internal interface 192.168.90.1 but i cannot reach, ping or remote desktop the server and any other resources.

My Current Config looks like this;

crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 101
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group GroupVPN
 key lw-sfh
 dns 192.168.90.222
 domain studiofh.net
 pool VPNPOOL
 acl 120
 max-users 5
!
!
crypto ipsec transform-set SetVPN esp-3des esp-md5-hmac
!
crypto ipsec profile VPN-Profile-1
 set transform-set SetVPN
!
!
crypto dynamic-map DynamicVPN 100
 set transform-set SetVPN
 reverse-route
!
!
crypto map StaticMap client authentication list UserVPN
crypto map StaticMap isakmp authorization list GroupVPN
crypto map StaticMap client configuration address respond
crypto map StaticMap 20 ipsec-isakmp dynamic DynamicVPN
!
!
!
!
!
interface GigabitEthernet0/0
 ip address x.x.x.x x.x.x.x
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map StaticMap
!
interface GigabitEthernet0/1
 ip address 192.168.90.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template2 type tunnel
 ip address 192.168.40.1 255.255.255.0
 tunnel mode ipsec ipv4
!
ip local pool VPNPOOL 192.168.40.20 192.168.40.25
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
access-list 100 remark [Deny NAT for VPN Clients]=-
access-list 100 deny   ip 192.168.90.0 0.0.0.255 host 192.168.40.20
access-list 100 deny   ip 192.168.90.0 0.0.0.255 host 192.168.40.21
access-list 100 deny   ip 192.168.90.0 0.0.0.255 host 192.168.40.22
access-list 100 deny   ip 192.168.90.0 0.0.0.255 host 192.168.40.23
access-list 100 deny   ip 192.168.90.0 0.0.0.255 host 192.168.40.24
access-list 100 deny   ip 192.168.90.0 0.0.0.255 host 192.168.40.25
access-list 100 remark -=[Internet NAT Service]=-
access-list 100 permit ip 192.168.90.0 0.0.0.255 any
access-list 120 remark ==[Cisco VPN Users]==
access-list 120 permit ip 192.168.90.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 120 permit ip any host 192.168.40.20
access-list 120 permit ip any host 192.168.40.21
access-list 120 permit ip any host 192.168.40.22
access-list 120 permit ip any host 192.168.40.23
access-list 120 permit ip any host 192.168.40.24
access-list 120 permit ip any host 192.168.40.25

 

I wonder what is missing in my config. Please help?

 

Labels:
0 Helpful
7 Replies 7

Rob Ingram
VIP
VIP

‎07-12-2020 05:16 AM

Hi,

Can the router itself ping the rdp server?

Is the router the default gateway for the rdp server/other resources? If not do they have a route to the VPN Pool Network?

Temporally test without Nat enabled

 

0 Helpful

CollinsMwesigwaKagombe77292
Level 1
Level 1
In response to Rob Ingram

‎07-12-2020 10:31 AM

Thank you Rob for your reply. I really appreciate.

 

The router can ping the rdp server.

The router 192.168.90.1 is the default gateway for the internal network and all the resources.

 

Thank you

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎07-12-2020 05:31 AM

you have followed the same example as below :

 

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/809-cisco-router-vpn-client.html

 

couple of question :

 

do you have Firewall enabled on Windows Server?

can you locally RDP to Server?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

CollinsMwesigwaKagombe77292
Level 1
Level 1
In response to balaji.bandi

‎07-12-2020 10:35 AM

Hi Bandi,

Yes i used that example as i was configuring the VPN on my Cisco Router.

 

Yes i have a firewall enabled on the Windows Server.

 

And i can rdp to the server locally.

 

But still i can't seem to access it over VPN.

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to CollinsMwesigwaKagombe77292

‎07-12-2020 12:26 PM

Yes i have a firewall enabled on the Windows Server.

 

disable and try RDP and let us know.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

CollinsMwesigwaKagombe77292
Level 1
Level 1
In response to balaji.bandi

‎07-13-2020 01:33 AM

I have disabled the Firewall but still no access.

 

0 Helpful

CollinsMwesigwaKagombe77292
Level 1
Level 1

‎07-12-2020 01:55 PM

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="Generator" content="Microsoft Word 15 (filtered medium)" /><!--<br>/* Font Definitions */<br>@font-face<br> {font-family:"Cambria Math";<br> panose-1:2 4 5 3 5 4 6 3 2 4;}<br>@font-face<br> {font-family:Calibri;<br> panose-1:2 15 5 2 2 2 4 3 2 4;}<br>/* Style Definitions */<br>p.MsoNormal, li.MsoNormal, div.MsoNormal<br> {margin:0in;<br> margin-bottom:.0001pt;<br> font-size:11.0pt;<br> font-family:"Calibri",sans-serif;}<br>a:link, span.MsoHyperlink<br> {mso-style-priority:99;<br> color:blue;<br> text-decoration:underline;}<br>.MsoChpDefault<br> {mso-style-type:export-only;}<br>@page WordSection1<br> {size:8.5in 11.0in;<br> margin:1.0in 1.0in 1.0in 1.0in;}<br>div.WordSection1<br> {page:WordSection1;}<br><br>
0 Helpful
Customers Also Viewed These Support Documents