vpn issue, can connect but can,t go anywhere

Answered Question
Aug 4th, 2007

hi,

I have my home 2621xm router and I've configured my router as a vpn server and I can connect to it using vpn client but that's all I can do. I can not ping or go anywhere. I can't find any documents on cisco or google that can help me here so there I am.

basically I give the vpn client the ip 192.168.6.X then I want the client to be able to go everywhere, in the 192.168.1.X, 5.X and 10.X range.

any help would be greately appreciated!!

I have this problem too.
0 votes
Correct Answer by mattiaseriksson about 9 years 4 months ago

Hi, in addition to the reverse route statement, you also need to exempt the vpn traffic from nat.

access-list 122 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 122 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 122 deny ip 192.168.10.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 122 permit ip 192.168.1.0 0.0.0.255 any

access-list 122 permit ip 192.168.5.0 0.0.0.255 any

access-list 122 permit ip 192.168.10.0 0.0.0.255 any

ip nat inside source list 122 interface Dialer1 overload

Correct Answer by Premdeep Banga about 9 years 4 months ago

try,

crypto dynamic-map VTELDYNAMAP 10

reverse-route

Regards,

Prem

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Correct Answer
mattiaseriksson Sat, 08/04/2007 - 13:25

Hi, in addition to the reverse route statement, you also need to exempt the vpn traffic from nat.

access-list 122 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 122 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 122 deny ip 192.168.10.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 122 permit ip 192.168.1.0 0.0.0.255 any

access-list 122 permit ip 192.168.5.0 0.0.0.255 any

access-list 122 permit ip 192.168.10.0 0.0.0.255 any

ip nat inside source list 122 interface Dialer1 overload

pamirian76 Sun, 08/05/2007 - 02:34

it worked! thanks for the help.

one more thing perhaps you can help me with.

now how would I block users access to some of the stuff? lets's say I want them to go on 192.168.5.x but not on 192.168.5.55?

also, I use the whole 192.168.6.x range for the vpn clients, can I do so that this range because a vlan 6? because right now it's part of the native vlan I think?

thank you!!

pamirian76 Sun, 08/05/2007 - 03:24

also, is it possible to have let,s say a group where 1 user can access everything and the others access only stuff in the 10.x network or I'll need to create a second group to do what I want to do?

Premdeep Banga Sun, 08/05/2007 - 08:15

As you want such a granularity. What I can suggest is Downloadable ACL's or cisco-av pairs, that are pushed from a Radius server.

using that feature you can restrict users on per per group or per user basis to any limit you want.

Below provided link is from Cisco ACS doc:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/spc.htm#wp696775

Regards,

Prem

aarontran Sun, 08/05/2007 - 14:58

I am having the same problem as you are trying to setup Cisco 1751 as VPN server, and using Cisco VPN client software. Can you post the working config file for me to examine? Thanks

Actions

This Discussion