VPN Client using Cisco IOS Firewall

Answered Question
Oct 2nd, 2007

I have configured RTR1 to support VPN Clients. RTR1 has a site 2 site VPN tunnel with RTR 2.

VPN Clients connected to RTR1 have IP connectivity to RTR1 LAN. How do I get the VPN Client LAN to have access to RTR2 LAN?

I have included the VPN Client LAN to be encrypted in the VPN tunnel to RTR2 LAN and vice versa. I have also tried a static route configured on RTR2 for the VPN Client LAN using RTR1 WAN IP as next hop.

Still not working for me. Any ideas?


p.holley Wed, 10/03/2007 - 04:57

Sorry mate!! You lost me there. I should have mentioned security is not my strongest skill. When you say split tunnel ACL, do you mean the ACL that permits the LANs of RTR1 and RTR2 over the tunnel? Maybe an example will help clarify this. Thanks in advance.

Here's an example of the ACL I'm talking about. The split tunnel ACL must contain both the internal subnet and remote subnet via the site to site VPN.

ip access-list extended VPN-ACL
permit ip any
permit ip any
crypto isakmp client configuration group VPN
key blablabla
domain cisco.com
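As an added example, not the poster's own config, here is a complete split-tunnel setup on RTR1 together with the site-to-site crypto ACL entries that carry the client pool on to RTR2. The subnets are assumed: 10.1.1.0/24 for the RTR1 LAN, 10.2.2.0/24 for the RTR2 LAN and 10.10.10.0/24 for the VPN client pool; the ACL and pool names are placeholders.

```cisco
! RTR1: split-tunnel ACL. Source = network the client should reach through
! the tunnel, destination = any. Both the local LAN and the RTR2 LAN must be
! listed; a subnet missing here is sent out the client's own default route,
! never into the tunnel, no matter what the site-to-site crypto ACL says.
ip access-list extended SPLIT-TUNNEL-ACL
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 10.2.2.0 0.0.0.255 any
!
ip local pool VPN-POOL 10.10.10.1 10.10.10.254
!
crypto isakmp client configuration group VPN
 key <pre-shared-key>
 domain example.com
 pool VPN-POOL
 acl SPLIT-TUNNEL-ACL
!
! RTR1: the site-to-site crypto ACL must also match pool -> RTR2 LAN,
! otherwise RTR1 forwards the decrypted client traffic in the clear.
ip access-list extended S2S-TO-RTR2
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! RTR2: mirror image, so replies to the pool go back into the tunnel.
ip access-list extended S2S-TO-RTR1
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.2.2.0 0.0.0.255 10.10.10.0 0.0.0.255
```

Traffic between the pool and either LAN must also be excluded from NAT on both routers, and RTR2 needs a route for the pool pointing at RTR1, or the packets are translated before encryption or never return.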



p.holley Wed, 10/03/2007 - 07:58


I found the split tunnel ACL and have added the remote RTR2 LAN subnet in it. I still cannot reach it. Just to make sure I was editing the correct ACL on RTR1, I removed one of the local subnets and I could not ping it from the VPN client.

p.holley Wed, 10/03/2007 - 11:18


Thanks for solving the VPN client to remote LAN issue. I got another one I am struggling with.

I have the same two sites RTR1 and RTR2 acting as FW with site2site VPN. On RTR1 I have a static NAT for the exchange server.

From RTR2 site, I can connect on port 25 to the RTR1 exchange NATed IP (public IP) but not on the private IP.

If I remove the one to one NAT entry for the exchange server, I can connect on port 25 on the private IP. How do I get both to work, connecting to the exchange server on the private and public IP on port 25?

p.holley Thu, 10/04/2007 - 09:32


I would have pasted the config, but there is just too much to edit.

I have the one to one NAT for the mail server. How do I use a route map to achieve users being able to get to the mail server on the public IP address and on the private IP address via the VPN tunnel?

