VPN issue, can connect but can't go anywhere

Answered Question
Aug 4th, 2007

hi,

I have my home 2621XM router and I've configured it as a VPN server. I can connect to it using the VPN client, but that's all I can do. I cannot ping or go anywhere. I can't find any documents on Cisco or Google that can help me here, so there I am.


Basically I give the VPN client the IP 192.168.6.X, then I want the client to be able to go everywhere in the 192.168.1.X, 5.X and 10.X ranges.


Any help would be greatly appreciated!!




Correct Answer
Premdeep Banga Sat, 08/04/2007 - 11:01

try,

crypto dynamic-map VTELDYNAMAP 10
 reverse-route


Regards,

Prem

Correct Answer
mattiaseriksson Sat, 08/04/2007 - 13:25

Hi, in addition to the reverse-route statement, you also need to exempt the VPN traffic from NAT.

access-list 122 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 122 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 122 deny ip 192.168.10.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 122 permit ip 192.168.1.0 0.0.0.255 any
access-list 122 permit ip 192.168.5.0 0.0.0.255 any
access-list 122 permit ip 192.168.10.0 0.0.0.255 any

ip nat inside source list 122 interface Dialer1 overload
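To see why the deny lines matter, here is an added example (not from the original thread or from Cisco) that evaluates the NAT ACL above the way IOS does for `ip nat inside source list`: entries are checked top to bottom, first match wins, and an unmatched flow hits the implicit deny. A `permit` means the flow is translated; a `deny` means it is left untouched, which is what the VPN return traffic needs. The sample flows and the "permit-only" variant are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copy of the NAT ACL from the accepted answer, in IOS evaluation order.
NAT_ACL_122 = """
access-list 122 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 122 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 122 deny ip 192.168.10.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 122 permit ip 192.168.1.0 0.0.0.255 any
access-list 122 permit ip 192.168.5.0 0.0.0.255 any
access-list 122 permit ip 192.168.10.0 0.0.0.255 any
"""


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    src_net: int
    src_wild: int    # Cisco wildcard mask: set bits are "don't care"
    dst_net: int
    dst_wild: int


def _parse_addr(tokens):
    """Consume one address spec from the token list: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return net, wild


def parse_acl(text):
    """Parse numbered 'access-list N permit|deny ip SRC DST' lines into AclEntry objects."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        action = tokens[2]
        if tokens[3] != "ip":
            raise ValueError(f"only 'ip' entries are handled here: {line}")
        rest = tokens[4:]
        src_net, src_wild = _parse_addr(rest)
        dst_net, dst_wild = _parse_addr(rest)
        entries.append(AclEntry(action, src_net, src_wild, dst_net, dst_wild))
    return entries


def _matches(addr, net, wild):
    """Wildcard-mask comparison: only the bits that are clear in the wildcard must agree."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def acl_action(entries, src, dst):
    """First-match lookup with the implicit deny at the end of every IOS ACL."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for e in entries:
        if _matches(s, e.src_net, e.src_wild) and _matches(d, e.dst_net, e.dst_wild):
            return e.action
    return "deny"


def is_natted(entries, src, dst):
    """For 'ip nat inside source list': permit means translate, deny means leave the packet alone."""
    return acl_action(entries, src, dst) == "permit"


def permit_only(entries):
    """Constructed 'before' variant: the same ACL with the VPN exemption lines removed."""
    return [e for e in entries if e.action == "permit"]


if __name__ == "__main__":
    acl = parse_acl(NAT_ACL_122)
    # Constructed sample flows: LAN host to a VPN client, LAN host to the Internet.
    for src, dst in [("192.168.1.10", "192.168.6.5"), ("192.168.1.10", "8.8.8.8")]:
        print(f"{src} -> {dst}: natted={is_natted(acl, src, dst)}, "
              f"without exemption natted={is_natted(permit_only(acl), src, dst)}")
```

Run it and the LAN-to-VPN-client flow shows `natted=False` with the full ACL but `True` with the permit-only variant, which is the case where replies to the VPN client get their source rewritten to the Dialer1 address and never make it back through the tunnel.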

pamirian76 Sun, 08/05/2007 - 02:34

It worked! Thanks for the help.


One more thing perhaps you can help me with.


Now how would I block users' access to some of the stuff? Let's say I want them to go on 192.168.5.x but not on 192.168.5.55?


Also, I use the whole 192.168.6.x range for the VPN clients; can I make this range become VLAN 6? Because right now it's part of the native VLAN, I think?


Thank you!!



pamirian76 Sun, 08/05/2007 - 03:24

Also, is it possible to have, let's say, a group where one user can access everything and the others access only stuff in the 10.x network, or will I need to create a second group to do what I want to do?

Premdeep Banga Sun, 08/05/2007 - 08:15

As you want such granularity, what I can suggest is downloadable ACLs or Cisco AV pairs that are pushed from a RADIUS server.


Using that feature you can restrict users on a per-group or per-user basis to any limit you want.


The link below is from the Cisco ACS documentation:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/spc.htm#wp696775


Regards,

Prem

aarontran Sun, 08/05/2007 - 14:58

I am having the same problem as you; I am trying to set up a Cisco 1751 as a VPN server and using the Cisco VPN client software. Can you post the working config file for me to examine? Thanks.
