VPN works but I can't access the switch

kubajzs197
Level 1

Hi everybody, I have an IPsec VPN to my Cisco router at my work. When I connect via VPN from home everything works fine, I can access the internet. I get an IP address 10.0.0.x; in the same subnet I have a switch with IP address 10.0.0.200. The switch can be configured via HTTP. When I put the IP address of the switch into my browser I cannot access the switch from home via VPN. When I am at work I can access it without problem. Thanks for your reply.

Sent from Cisco Technical Support iPhone App


16 Replies

andrew.prince
Level 10

Is your switch configured with an IP default gateway?

HTH

kubajzs197
Level 1

Yes, I have configured a default GW on the switch: 10.0.0.1

Sent from Cisco Technical Support iPhone App

Can you post your config for review please?

Config of the router or of the switch?

Sent from Cisco Technical Support iPhone App

Router please

aaa new-model
!
!
aaa authentication login auth1 local
aaa authorization network auth2 local
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.10.200 192.168.10.254
!
ip dhcp pool PODNIK
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   domain-name golfkravare.cz
   dns-server 194.228.41.65 194.228.41.113
!
ip dhcp pool HOST
   network 192.168.0.0 255.255.254.0
   domain-name golfkravare.cz
   default-router 192.168.0.1
   dns-server 194.228.41.65 194.228.41.113
!
!
ip cef
no ip domain lookup
ip domain name golfkravare.cz
!
no ipv6 cef
multilink bundle-name authenticated
!
!
username martinik password 0 jM!ZgckR1996!dM
username service secret 5 $1$/Fvd$K34EfIc2.mxcfbh1cOYpp/
username vpn password 0 vpn
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group vpn
 key vpn123
 dns 194.228.41.65 194.228.41.113
 pool VPNPOOL
 acl 101
 include-local-lan
 netmask 255.255.255.0
!
!
crypto ipsec transform-set trs esp-3des esp-sha-hmac
!
crypto dynamic-map mydynmap 10
 set transform-set trs
 reverse-route
!
!
crypto map mymap client authentication list auth1
crypto map mymap isakmp authorization list auth2
crypto map mymap client configuration address respond
crypto map mymap 65535 ipsec-isakmp dynamic mydynmap
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
class-map match-all HOST
 match access-group 10
!
!
policy-map OMEZENI
 class HOST
   police cir 2000000
!
!
!
!
interface ATM0
 description ADSL
 mtu 1452
 no ip address
 ip tcp adjust-mss 1452
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description INTERNET
 mtu 1452
 ip tcp adjust-mss 1452
 pvc 8/48
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
 switchport access vlan 3
!
interface FastEthernet3
 switchport access vlan 3
!
interface Vlan1
 no ip address
!
interface Vlan2
 ip address 192.168.10.1 255.255.255.0
 ip mtu 1452
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan3
 ip address 192.168.0.1 255.255.254.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 mtu 1452
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1400
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname O2
 ppp chap password 0 O2
 crypto map mymap
!
ip local pool VPNPOOL 192.168.10.190 192.168.10.199
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 10 permit 192.168.0.0 0.0.1.255
access-list 100 permit ip 192.168.0.0 0.0.1.255 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 1
 transport input ssh
line vty 2 4
!
scheduler max-task-time 5000
end

You need to use another IP subnet for the remote VPN pool, say 192.168.11.0/24. If you do that you will also need to amend your outside NAT to deny 192.168.10.0 to 192.168.11.0, as you do not want to NAT the LAN to the RVPN traffic.

+1

VPNs don't drop you into the same network and subnetwork. They route you into the network over an IPsec tunnel. Thus your IP address should not be the same as your office network.

OK, I will try, but is it possible to access the FTP server in the 192.168.10.x subnet when I am, for example, on VPN IP addresses 10.0.0.x?

Yes, as the routers will route between 10.0.0.0/24 and 192.168.10.0/24.

OK, if I understand correctly (I am a novice in using Cisco):

1) change the VPNPOOL to 10.0.0.1 10.0.0.50 or something more?

2) a static route between 192.168.10.0/24 and 10.0.0.0/24?

Thanks for your reply.

You do not need a static route; if all devices on the LAN have a default gateway of the router then that is OK. You will need to change your NAT config.

Current:-

ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
!

Change to:

ip nat inside source list 150 interface Dialer0 overload
!
access-list 150 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 150 permit ip 192.168.0.0 0.0.255.255 any
!
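As an added example (not from the thread or any of its posters), a small Python check for the two problems discussed above: a remote-VPN pool carved out of the LAN subnet, and LAN-to-pool traffic that the NAT ACL still translates. The two config excerpts are constructed, modelled on the router config posted earlier, with the "before" state and the suggested fix; the check also flags a wildcard mask that is not four octets, which IOS would reject.

```python
import ipaddress
import re

# Constructed config excerpt modelled on the router config posted in the thread (not the full config).
BEFORE = """\
interface Vlan2
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
ip local pool VPNPOOL 192.168.10.190 192.168.10.199
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.0.0 0.0.255.255
"""
# The same excerpt with the suggested changes: a separate pool and a NAT exemption for LAN->pool.
AFTER = """\
interface Vlan2
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
ip local pool VPNPOOL 10.0.0.1 10.0.0.50
ip nat inside source list 150 interface Dialer0 overload
access-list 150 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 150 permit ip 192.168.0.0 0.0.255.255 any
"""

def wildcard_net(addr, wildcard):
    """IOS address + wildcard mask -> IPv4Network; raises ValueError on a malformed mask."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def check_rvpn_nat(config):
    """Return findings: a VPN pool inside a LAN subnet, or LAN->pool traffic not exempt from NAT."""
    findings = []
    lans = [ipaddress.IPv4Interface(f"{a}/{m}").network
            for a, m in re.findall(r"^\s*ip address (\S+) (\S+)$", config, re.M)]
    nat = re.search(r"^ip nat inside source list (\d+)", config, re.M)
    nat_acl = nat.group(1) if nat else None
    exempt = []  # destination networks the NAT ACL denies, i.e. leaves untranslated
    for line in config.splitlines():
        d = re.match(rf"^access-list {nat_acl} deny ip \S+ \S+ (\S+) (\S+)$", line)
        if d:
            try:
                exempt.append(wildcard_net(*d.groups()))
            except ValueError:
                findings.append(f"malformed wildcard in: {line}")
    for name, lo, hi in re.findall(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M):
        lo, hi = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        findings += [f"pool {name} overlaps LAN {lan}" for lan in lans if lo in lan or hi in lan]
        if not any(lo in n and hi in n for n in exempt):
            findings.append(f"LAN->pool {name} traffic is not exempt from NAT")
    return findings
```

Running `check_rvpn_nat(BEFORE)` reports both problems; `check_rvpn_nat(AFTER)` returns no findings.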

Thanks! I have had this problem for a long time!!


Andrew is correct.

No static route is needed if they are "directly connected networks".