03-25-2007 08:18 PM
I have the Cisco VPN Client connecting to a 1721 at the office. The client connects and I can access the office LAN but not the local LAN. I do have the box checked in the VPN client to allow local LAN access. Please help!
Thanks!
Matt
Here's the config:
Current configuration : 3901 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cerberus
!
boot system flash c1700-k9o3sy7-mz.122-11.T10.bin
aaa new-model
!
!
aaa group server radius RADIUS-SERVERS
server 192.168.69.1 auth-port 1645 acct-port 1646
!
aaa authentication login LOGIN group RADIUS-SERVERS local
aaa authorization network NETGROUPAUTH local
aaa session-id common
!
username mattheff password xxx
username mikeheff password xxx
clock timezone CST -6
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
!
!
ip domain name heffnet.net
ip name-server 68.94.156.1
ip name-server 68.94.157.1
ip dhcp excluded-address 192.168.69.1 192.168.69.99
ip dhcp excluded-address 192.168.69.111 192.168.69.254
!
ip dhcp pool HEFFNET_LAN_POOL_1
network 192.168.69.0 255.255.255.0
default-router 192.168.69.254
dns-server 68.x.x.1 68.94.157.1
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNGROUP
key 8mathef8
dns 68.x.x.1 68.94.157.1
domain heffnet.net
pool VPN_CLIENT_POOL
acl 102
!
!
crypto ipsec transform-set VPNSET1 esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
set transform-set VPNSET1
!
!
crypto map VPNCLIENTMAP client authentication list LOGIN
crypto map VPNCLIENTMAP isakmp authorization list NETGROUPAUTH
crypto map VPNCLIENTMAP client configuration address respond
crypto map VPNCLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
!
!
interface Loopback0
ip address 1.1.x.x.255.255.252
!
interface ATM0
description Heffnet WAN/SBC DSL Interface
no ip address
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 69
!
dsl operating-mode auto
no fair-queue
!
interface FastEthernet0
description Heffnet LAN Interface
ip address 192.168.69.254 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
ip policy route-map VPN_ROUTE_MAP
speed auto
!
interface Dialer69
mtu 1492
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 69
ppp chap hostname cerberus
ppp chap password xxx
ppp pap sent-username xxx@sbcglobal.net password xxx
crypto map VPNCLIENTMAP
!
ip local pool VPN_CLIENT_POOL 192.168.70.200 192.168.70.253
ip nat inside source list INTERNAL interface Dialer69 overload
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer69
no ip http server
!
!
ip access-list extended INTERNAL
deny ip 192.168.69.0 0.0.0.255 192.168.70.0 0.0.0.255
permit ip 192.168.69.0 0.0.0.255 any
!
logging 192.168.69.1
access-list 101 permit ip 192.168.69.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 102 permit ip 192.168.69.0 0.0.0.255 any
!
route-map VPN_ROUTE_MAP permit 10
match ip address 101
set ip next-hop 1.1.1.2
!
alias exec s show ip interface brief
alias exec sr show running-config
!
line con 0
privilege level 15
logging synchronous
line aux 0
privilege level 15
logging synchronous
line vty 0 4
privilege level 15
logging synchronous
line vty 5 15
privilege level 15
logging synchronous
!
scheduler allocate 4000 1000
end
03-26-2007 07:26 AM
Hi Matt,
The config looks good. Please make sure that you get a route for 192.168.69.0 255.255.255.0 network only after connecting with the VPN client. Please also match the 'route print' output of the client before and after connecting. One more thing, I hope that the local network is not 192.168.69.0.
HTH,
Please rate if it helps,
Regards,
Kamal
03-26-2007 05:23 PM
In the VPN client I do get a route for 192.168.69.0 255.255.255.0. The office LAN where the 1721 is located is 192.168.69.0/24. My home network is 192.168.1/24. The router assigns me an address in the 192.168.70.200-204/24 range when I connect. I was told on a previous post to use a different subnet in my IP pool for VPN clients than what is used internally on the network, so that's why I chose the 70 subnet. Is this correct? I've played around with the config and still can't get it working! Please help!
Matt
03-26-2007 05:23 PM
Here's what route print looks like on my client before and after I connect using the VPN client:
Matt
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 169.254.25.142 169.254.25.142 20
169.254.0.0 255.255.0.0 169.254.218.201 169.254.218.201 20
169.254.25.142 255.255.255.255 127.0.0.1 127.0.0.1 20
169.254.218.201 255.255.255.255 127.0.0.1 127.0.0.1 20
169.254.255.255 255.255.255.255 169.254.25.142 169.254.25.142 20
169.254.255.255 255.255.255.255 169.254.218.201 169.254.218.201 20
192.168.1.0 255.255.255.0 192.168.1.100 192.168.1.100 30
192.168.1.100 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.1.255 255.255.255.255 192.168.1.100 192.168.1.100 30
224.0.0.0 240.0.0.0 169.254.25.142 169.254.25.142 20
224.0.0.0 240.0.0.0 169.254.218.201 169.254.218.201 20
224.0.0.0 240.0.0.0 192.168.1.100 192.168.1.100 30
255.255.255.255 255.255.255.255 169.254.25.142 169.254.25.142 1
255.255.255.255 255.255.255.255 169.254.218.201 4 1
255.255.255.255 255.255.255.255 169.254.218.201 169.254.218.201 1
255.255.255.255 255.255.255.255 192.168.1.100 192.168.1.100 1
Default Gateway: 192.168.1.1
Persistent Routes:
None
C:\Documents and Settings\heffernan_m>route print
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 30
68.23.38.220 255.255.255.255 192.168.1.1 192.168.1.100 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 169.254.25.142 169.254.25.142 20
169.254.0.0 255.255.0.0 169.254.218.201 169.254.218.201 20
169.254.25.142 255.255.255.255 127.0.0.1 127.0.0.1 20
169.254.218.201 255.255.255.255 127.0.0.1 127.0.0.1 20
169.254.255.255 255.255.255.255 169.254.25.142 169.254.25.142 20
169.254.255.255 255.255.255.255 169.254.218.201 169.254.218.201 20
192.168.1.0 255.255.255.0 192.168.1.100 192.168.1.100 30
192.168.1.1 255.255.255.255 192.168.1.100 192.168.1.100 1
192.168.1.100 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.1.255 255.255.255.255 192.168.1.100 192.168.1.100 30
192.168.69.0 255.255.255.0 192.168.70.203 192.168.70.203 1
192.168.70.0 255.255.255.0 192.168.70.203 192.168.70.203 30
192.168.70.203 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.70.255 255.255.255.255 192.168.70.203 192.168.70.203 30
224.0.0.0 240.0.0.0 169.254.25.142 169.254.25.142 20
224.0.0.0 240.0.0.0 169.254.218.201 169.254.218.201 20
224.0.0.0 240.0.0.0 192.168.1.100 192.168.1.100 30
224.0.0.0 240.0.0.0 192.168.70.203 192.168.70.203 30
255.255.255.255 255.255.255.255 169.254.25.142 169.254.25.142 1
255.255.255.255 255.255.255.255 169.254.218.201 169.254.218.201 1
255.255.255.255 255.255.255.255 192.168.1.100 192.168.1.100 1
255.255.255.255 255.255.255.255 192.168.70.203 4 1
255.255.255.255 255.255.255.255 192.168.70.203 192.168.70.203 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
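As an added example (not code from any post in this thread), here is the before/after comparison Kamal asked for, done in Python over trimmed copies of the two route print tables above: it lists the routes the VPN client installed and does a longest-prefix lookup to show which adapter carries traffic to the office LAN, the home LAN and the internet. The five-column Windows XP route print layout and the sample addresses are taken from the tables above; the destination hosts used for the lookups are constructed.

```python
import ipaddress
# Constructed sample input: trimmed copies of the two 'route print' tables above.
BEFORE = """
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 30
192.168.1.0 255.255.255.0 192.168.1.100 192.168.1.100 30
192.168.1.100 255.255.255.255 127.0.0.1 127.0.0.1 30
"""
AFTER = BEFORE + """
68.23.38.220 255.255.255.255 192.168.1.1 192.168.1.100 1
192.168.1.1 255.255.255.255 192.168.1.100 192.168.1.100 1
192.168.69.0 255.255.255.0 192.168.70.203 192.168.70.203 1
192.168.70.0 255.255.255.0 192.168.70.203 192.168.70.203 30
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each five-column route line."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            gw, iface = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
        except ValueError:  # header lines, or XP's bare interface-index column
            continue
        routes.append((net, gw, iface, int(parts[4])))
    return routes

def added_routes(before, after):
    """Routes present only after connecting: what the VPN client installed."""
    return sorted(set(after) - set(before), key=lambda r: (r[0].network_address, r[3]))

def lookup(routes, dst):
    """Longest-prefix match; ties go to the lowest metric, as Windows does."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3])) if matches else None

def egress_interface(routes, dst):
    """Adapter address that traffic to dst leaves through, or None if unroutable."""
    route = lookup(routes, dst)
    return str(route[2]) if route else None

if __name__ == "__main__":
    before, after = parse_routes(BEFORE), parse_routes(AFTER)
    for net, gw, iface, metric in added_routes(before, after):
        print(f"pushed: {net} via {gw} dev {iface} metric {metric}")
    for dst in ("192.168.69.10", "192.168.1.5", "4.2.2.2"):  # office LAN, home LAN, internet
        print(f"{dst:>14} -> {egress_interface(after, dst)}")
```

With split tunnelling working, only the office network should leave through the tunnel adapter (192.168.70.203); the home LAN and the default route should still show the physical adapter (192.168.1.100).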
03-28-2007 08:55 AM
Hi Matt,
Please try removing the 70.0 from the split tunnel config and test again.
HTH,
Please rate if it helps,
Regards,
Kamal
03-27-2007 11:32 AM
Check this out.
You might want to enable NAT traversal.
03-31-2007 03:58 AM
From the config it seems this should work unless it's a bug in the 12.2 code.
I would like you to verify if your split tunnel is working. When you are connected through VPN and your local LAN access doesn't work, most likely it could be the split tunnel issue.
Also, please verify that the "Stateful Firewall" on the VPN client is turned off. If not, try turning it off.
-Kanishka
04-01-2007 08:25 AM
I finally got it. It was the DNS settings under the crypto isakmp client configuration. I noticed this when I could ping internet hosts but not reach them by hostname.
Thanks to everyone for all your help!
Matt
04-02-2007 05:34 PM
I got this working finally, but I have a question about the config. I don't quite understand the purpose of the loopback interface as needed for routing for the VPN clients. And I also don't quite get the need for the route-map that sets a next hop of 1.1.1.2 for traffic from the router to the VPN clients.
Thank you all for the help.
Matt