Remote Access VPN clients on LAN IP range

I need to set up a VPN Client configuration where the clients receive an IP on the LAN IP address range.

Attached is my config with the pool in its own range (non-pertinent configuration excluded).

I've modified my pool to place the clients in a range within the LAN IP scheme. I have also modified my 110 ACL to exclude the NAT and my 111 ACL to allow for split-tunneling by the client.

When I connect, I get the proper address but I am unable to ping any devices internally.

Any suggestions as to the configuration or troubleshooting would be appreciated. I have seen documentation that it will not work, in the form of TAC cases and config guides, but they were specific to ASA and PIX devices. I have not found any configuration guides for IOS routers showing examples of this configuration, but I did see mention in a config guide that said "if you assign addresses from a non-local subnet", which tells me that it is an option to assign local addresses.

guibarati Thu, 09/13/2007 - 15:34

You cannot assign local LAN IP addresses to the VPN clients. If you do so, when you try to access some host in your network, this accessed host will "think" the source of the traffic is local, since it is under the same network, and will never go to the default gateway, or some gateway, to reach the host that originated the traffic.

If you really need the internal hosts to access an internal IP address that is in the VPN, you need to configure a different range for your network, other than the internal one; then you have to configure a NAT for these clients' IP addresses, something like... ip nat outside source...

Please rate if this helps.

It's a good idea, but I would appreciate some assistance on the config part.

The only way I can see that working is to terminate the VPN to a loopback and set that as the NAT interface. Ideas on how I can do this? I'm working with a setup that has a 2811 at a head end and 871s at the remote sites in a hub-and-spoke setup.

It is at each of these sites that I need this ability. Currently, I'm using a simple IPSec VPN setup with a mixed static and dynamic map.

I'm thinking the way to do this is to move from a simple IPSec to an IPSec over GRE VPN setup, but I have no experience with this. Any suggestions would be greatly appreciated.

My site-to-site VPN connections are fine; it's the remote access clients that I need to look as though they are on the LAN. Now, this may work if I can set a subset of something like 8 addresses within my LAN range as the "nat pool" for the addresses handed out by my "ip local pool" to the clients.

I'll post back what I figure out.

a.alekseev Tue, 09/18/2007 - 07:32

Try this:

crypto dynamic-map dyn_map 1


ip local pool ippool

access-list 110 deny ip

Again, my issue is not that I am having routing issues. I can route just fine. My issue is that my VPN Client machines (the ones running the Cisco VPN Client software) must look as though they are on the LAN. I have to make their addresses be in the same address range as my LAN, or NAT the pool that I hand to them to a range within my LAN.

guibarati Tue, 09/18/2007 - 07:13

OK, let's go.

You should assign a pool that has a different range than your internal one, like:

ip pool vpn_pool

Then you must NAT it to make it seem it came from inside to whatever you want to be the destination. Do the following:

Configure your external interface as "nat outside":

fastethernet 0/0

ip nat outside

Configure your internal interface as "nat inside":

fastethernet 0/1

ip nat inside

Configure the NAT:

ip nat outside source static network

Please rate if this helps.
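The outside-source NAT layout described in this answer, filled in with constructed addresses as an added example (this is not configuration from the thread or from Cisco). It assumes the LAN is 192.168.1.0/24 on FastEthernet0/1, that 192.168.1.240/28 is reserved on the LAN for the translated clients, that the client pool is 10.200.0.0/28, and that the exemption ACL keeps the original poster's number 110; the `add-route` keyword on the network form of the command is an assumption.

```cisco
! Added example, not from the thread. Constructed addresses:
!   LAN              192.168.1.0/24 on FastEthernet0/1 (nat inside)
!   VPN client pool  10.200.0.1-10.200.0.14 (deliberately outside the LAN)
!   Translated slice 192.168.1.240/28, reserved on the LAN: exclude it from
!                    DHCP and give no LAN host a static address in it
!
! 1. Hand clients addresses from a pool that is NOT in the LAN range
ip local pool vpn_pool 10.200.0.1 10.200.0.14
!
! 2. Mark the interfaces for NAT
interface FastEthernet0/0
 description Internet / VPN termination
 ip nat outside
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! 3. Translate the pool (outside/global) to the reserved LAN slice
!    (outside local) so LAN hosts see clients as 192.168.1.241-.254.
!    Argument order is global-network then local-network. add-route
!    (assumed keyword) installs a route for the translated /28 toward the
!    outside so LAN replies are routed back through NAT instead of being
!    ARPed for on the LAN segment.
ip nat outside source static network 10.200.0.0 192.168.1.240 255.255.255.240 add-route
!
! 4. Keep the existing Internet overload NAT from rewriting LAN-to-client
!    traffic (the poster's ACL 110). Both the pool and its translated slice
!    are denied so the exemption matches whichever address NAT evaluates.
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.1.240 0.0.0.15
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.200.0.0 0.0.0.15
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 110 interface FastEthernet0/0 overload
```

Check the result with `show ip nat translations` after a client connects and pings a LAN host; the entry should show the client's 10.200.0.x address paired with its 192.168.1.24x counterpart.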