p.maillot
Beginner

VPN Routing problem

Hello,

I have the following problem.

I have a client connected by VPN client across the Internet to my office.

The client is correctly connected to a router, but:

1 - The client can ping the whole office network, but the RDP session does not work, nor do telnet and other applications. Why?

The client receives from the VPN pool an IP address on the network 192.168.2.x.

I have permitted:

access-list 102 permit ip 192.168.40.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Are there a few other things to do?

2 - When the VPN connection is active, the client cannot access the Internet. Why?

Thank you.

6 Replies
Jennifer Halim
Cisco Employee

Can you please post a copy of the router's current configuration so we can check if there is any configuration error on the router?

Hello Jennifer,

Thank you for your assistance. Find below an extract of my configuration:

username alizesclientvpn password 0 xxxxx
!
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group alizesvpn
key yyyyyyyyyy
dns 41.x.x.x
domain wr
pool vpnpool
acl 102
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0
ip address dhcp
ip nat outside
speed auto
crypto map clientmap

ip local pool vpnpool 192.168.2.10 192.168.2.20
ip nat pool POOL-NAT 41.x.x.x 41.x.x.x netmask 255.255.255.0 type rotary
ip nat inside source list 100 interface FastEthernet0 overload
ip nat inside destination list 100 pool POOL-NAT
ip nat inside destination list 102 pool sip
ip classless
ip route 0.0.0.0 0.0.0.0 41.205.79.1
!
!
!
!
access-list 102 permit ip 192.168.40.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
!

I tried the following things.

1 - When the client is connected, the client receives an IP address 192.168.2.x but no gateway; is that normal? The client manages to ping all IPs in the inside networks 192.168.40.x and 192.168.1.x.

2 - From inside, the networks 192.168.40.x and 192.168.1.0 cannot ping the client network 192.168.2.x.

Does someone have an idea?

Thank you

Hi,

1 - This is normal. The VPN software directs all traffic to the tunnel interface, which has the 192.168.2.x IP address.

2 - Adding a NAT-exempt rule may solve that issue. With this rule the ASA device will not do any NAT translation for inside-to-VPN-client traffic.

Sample commands:

access-list inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

Ufuk Guler

Ufuk, thank you for your assistance.

I added the following commands on my router.

ip access-list extended inside_nat0_outbound
permit ip 192.168.40.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

But now I have some problems adjusting the NAT inside command from ASA to my config.

I added this line:

ip nat inside source list inside_nat0_outbound interface FastEthernet0 overload

But the problem is always the same: the networks 192.168.40.0 and 192.168.1.0 cannot ping the client network 192.168.2.0.
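The ASA-style `nat (inside) 0 access-list ...` exemption suggested above has no direct equivalent on an IOS router like the one in the configuration extract. On IOS, traffic is excluded from NAT by placing `deny` entries for it at the top of the access list that the `ip nat inside source` statement references; a second `ip nat inside source list ... interface FastEthernet0 overload` line, as tried above, translates the inside-to-VPN-client traffic rather than exempting it, so the packets no longer match the crypto ACL and never enter the tunnel. The routing side is already covered by `reverse-route` in `dynmap`, which injects a host route for each connected client. The following is an added example for this thread, not configuration posted by any participant; it assumes that the existing access-list 100 (not shown in the extract) only permits the two inside networks, and the name `NAT-INSIDE` is a placeholder chosen here.

```cisco
! Added example (not from the thread): IOS NAT exemption for the VPN pool.
! Assumption: access-list 100 (not shown in the extract) only permits
! 192.168.40.0/24 and 192.168.1.0/24; NAT-INSIDE is a placeholder name.
ip access-list extended NAT-INSIDE
 remark --- deny first: traffic to the VPN pool 192.168.2.0/24 is NOT translated
 deny   ip 192.168.40.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 remark --- everything else from the inside networks is PAT'd to FastEthernet0
 permit ip 192.168.40.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
!
! Replace the overload rule that referenced list 100, and remove the one added
! for inside_nat0_outbound, which translates that traffic instead of exempting it.
no ip nat inside source list 100 interface FastEthernet0 overload
no ip nat inside source list inside_nat0_outbound interface FastEthernet0 overload
ip nat inside source list NAT-INSIDE interface FastEthernet0 overload
```

The order of the entries matters: IOS evaluates the NAT access list top to bottom, so the `deny` lines must precede the `permit ... any` lines. The inside interfaces (not included in the extract) must carry `ip nat inside` for any of these source rules to apply. To verify, ping a connected client from an inside host and check that no translation for that flow appears in `show ip nat translations`, and that the encaps counter in `show crypto ipsec sa` increases for the client's security association.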

Hi,

Could you send log lines for a ping request from inside to the VPN client?

Ufuk Guler.