VPN Client using Cisco IOS Firewall

p.holley
Level 1

Hi

I have configured RTR1 to support VPN Clients. RTR1 has a site-to-site VPN tunnel with RTR2.

VPN Clients connected to RTR1 have IP connectivity to the RTR1 LAN. How do I get the VPN Client LAN to have access to the RTR2 LAN?

I have included the VPN Client LAN to be encrypted in the VPN tunnel to the RTR2 LAN and vice versa. I have also tried a static route configured on RTR2 for the VPN Client LAN using the RTR1 WAN IP as next hop.

Still not working for me. Any ideas?

Thanks

1 Accepted Solution


Has the other side added your remote VPN client pool to its configuration? The remote site needs to know its interesting traffic as well. Is RTR2 NAT'ing? Cleaned up configs for both routers would help a lot.


10 Replies

palomoj
Level 1

I haven't done it with an IOS router before but give this a try. Your split tunnel ACL for the remote VPN clients needs to have the remote RTR2 LAN subnet in it.

Sorry mate!! You lost me there. I should have mentioned security is not my strongest skill. When you say split tunnel ACL, do you mean the ACL that permits the LANs of RTR1 and RTR2 over the tunnel? Maybe an example will help clarify this. Thanks in advance.

Here's an example of the ACL I'm talking about. The split tunnel ACL must contain both the internal subnet and remote subnet via the site to site VPN.

! Split-tunnel ACL: each source network listed here is pushed to the client
! as a route through the tunnel. 10.1.1.0/24 is the LAN behind RTR1,
! 10.1.2.0/24 is the LAN behind RTR2 reached over the site-to-site tunnel.
ip access-list extended VPN-ACL
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 10.1.2.0 0.0.0.255 any
!
! Client group: the "acl" line is what attaches the split-tunnel ACL.
crypto isakmp client configuration group VPN
 key blablabla
 domain cisco.com
 pool VPN-POOL
 acl VPN-ACL

Hi,

I found the split tunnel ACL and have added the remote RTR2 LAN subnet to it. I still cannot reach it. Just to make sure I was editing the correct ACL on RTR1, I removed one of the local subnets and I could not ping it from the VPN client.

Has the other side added your remote VPN client pool to its configuration? The remote site needs to know its interesting traffic as well. Is RTR2 NAT'ing? Cleaned up configs for both routers would help a lot.
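A worked configuration of what the accepted answer describes, added here as an example and not taken from the thread: the split-tunnel ACL that lists the RTR2 LAN, mirror-image crypto ACLs on both routers that include the client pool, and a NAT exemption on RTR2 so replies to the pool are not translated. The 10.1.1.0/24 and 10.1.2.0/24 subnets and the group/pool names come from palomoj's split-tunnel example above; everything else (client pool 10.1.100.0/24, WAN addresses 198.51.100.1 and 203.0.113.1, the names OUTSIDE-MAP, S2S-TO-RTR2, S2S-TO-RTR1, NAT-ACL, TS, and interface FastEthernet0/0) is an assumption for illustration.

```cisco
! ---- RTR1 (VPN client headend and site-to-site peer) ----
! Assumed addressing for this example: RTR1 LAN 10.1.1.0/24, RTR2 LAN 10.1.2.0/24,
! client pool 10.1.100.0/24, RTR1 WAN 198.51.100.1, RTR2 WAN 203.0.113.1,
! outside interface FastEthernet0/0. ISAKMP policies, transform set TS and the
! dynamic crypto map entry for the clients are assumed to exist and are not shown.
ip local pool VPN-POOL 10.1.100.1 10.1.100.254
!
! Split-tunnel ACL pushed to the clients: the source of each line is a network
! the client sends through its tunnel, so the RTR2 LAN must be listed here.
ip access-list extended VPN-ACL
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 10.1.2.0 0.0.0.255 any
!
crypto isakmp client configuration group VPN
 key blablabla
 pool VPN-POOL
 acl VPN-ACL
!
! Site-to-site interesting traffic: client pool -> RTR2 LAN needs its own line,
! otherwise decrypted client packets are routed toward RTR2 in the clear.
ip access-list extended S2S-TO-RTR2
 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip 10.1.100.0 0.0.0.255 10.1.2.0 0.0.0.255
!
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address S2S-TO-RTR2
!
! ---- RTR2 (site-to-site peer) ----
! The crypto ACL must be the exact mirror image of RTR1's, pool line included.
ip access-list extended S2S-TO-RTR1
 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.1.2.0 0.0.0.255 10.1.100.0 0.0.0.255
!
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address S2S-TO-RTR1
!
! If RTR2 PATs its LAN to the Internet, tunnel-bound traffic (including replies
! to the client pool) must be denied before the overload rule sees it.
ip access-list extended NAT-ACL
 deny   ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny   ip 10.1.2.0 0.0.0.255 10.1.100.0 0.0.0.255
 permit ip 10.1.2.0 0.0.0.255 any
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
!
! No static route for 10.1.100.0/24 is needed on RTR2: the default route sends it
! out FastEthernet0/0, where the crypto map matches it and encrypts it to RTR1.
!
! Verification on RTR1, while a client pings a host in 10.1.2.0/24:
!   show crypto ipsec sa peer 203.0.113.1
!   -> expect an SA for 10.1.100.0/24 <-> 10.1.2.0/24 with both #pkts encaps
!      and #pkts decaps increasing. Encaps climbing while decaps stays at zero
!      means RTR2 has no matching crypto ACL line or is translating the reply.
```

The OP's own test (removing a local subnet from the split-tunnel ACL and losing the ping) only proves the client side; the `show crypto ipsec sa` counters are what distinguish "RTR1 never encrypted it" from "RTR2 never sent it back".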

Thanks mate, it works now.

Hi,

Thanks for solving the VPN client to remote LAN issue. I got another one I am struggling with.

I have the same two sites, RTR1 and RTR2, acting as firewalls with a site-to-site VPN. On RTR1 I have a static NAT for the Exchange server.

From the RTR2 site, I can connect on port 25 to the RTR1 Exchange NATed IP (public IP) but not to the private IP.

If I remove the one-to-one NAT entry for the Exchange server, I can connect on port 25 to the private IP. How do I get both to work, i.e. connect to the Exchange server on the private and the public IP on port 25?

It seems like we need a one-to-one NAT and a route-map. Configs will help.

Thanks,

I would have pasted the config, but there is just too much to edit.

I have the one-to-one NAT for the mail server. How do I use a route-map so that users can get to the mail server on the public IP address and on the private IP address via the VPN tunnel?

Here's an example of NAT with route-map to exclude VPN traffic.

!
! x.x.x.x = mail server private IP, y.y.y.y/24 = remote LAN behind the VPN.
! The deny line must come first: traffic to the VPN LAN falls through the
! route-map and is left untranslated, everything else is translated.
ip access-list extended NO-NAT-ACL
 deny   ip host x.x.x.x y.y.y.y 0.0.0.255
 permit ip host x.x.x.x any
!
route-map NO-NAT-ACL permit 10
 match ip address NO-NAT-ACL
!
! The route-map only takes effect once it is referenced on the NAT statement.
! "reversible" lets sessions opened from the outside (port 25 from the Internet
! to 200.200.200.200) use the static entry; without it only sessions the server
! itself initiates are translated.
ip nat inside source static x.x.x.x 200.200.200.200 route-map NO-NAT-ACL reversible
!
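The same idea carried through to a complete RTR1 NAT section, added here as an example and not taken from the thread: the NO-NAT route-map gates both the Internet PAT for the LAN and the static one-to-one for the mail server, so the server answers on its public address from the Internet and on its private address across either tunnel. All addresses and names are assumptions for illustration: mail server 10.1.1.25 with public address 198.51.100.25, RTR1 LAN 10.1.1.0/24, RTR2 LAN 10.1.2.0/24, client pool 10.1.100.0/24, route-map NO-NAT, crypto map OUTSIDE-MAP, FastEthernet0/0 outside and FastEthernet0/1 inside.

```cisco
! ---- RTR1: one-to-one NAT for the mail server that leaves tunnel traffic alone ----
! Assumed addressing for this example: mail server 10.1.1.25, public address
! 198.51.100.25, RTR1 LAN 10.1.1.0/24, RTR2 LAN 10.1.2.0/24, client pool
! 10.1.100.0/24, FastEthernet0/0 outside, FastEthernet0/1 inside.
interface FastEthernet0/0
 ip nat outside
 crypto map OUTSIDE-MAP
!
interface FastEthernet0/1
 ip nat inside
!
! Anything bound for the far side of a tunnel is denied here, which makes the
! route-map fall through and NAT skip the packet. Deny lines precede the permit.
ip access-list extended NO-NAT-ACL
 deny   ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 10.1.100.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
!
route-map NO-NAT permit 10
 match ip address NO-NAT-ACL
!
! Internet PAT for the rest of the LAN, gated by the same route-map.
ip nat inside source route-map NO-NAT interface FastEthernet0/0 overload
!
! Static one-to-one for the mail server, gated by the route-map. Static entries
! are checked before the dynamic rule, so 10.1.1.25 uses this line, not the PAT.
! "reversible" is what lets outside-initiated sessions (SMTP from the Internet to
! 198.51.100.25) use the translation; without it only sessions the server opens
! itself would be translated.
ip nat inside source static 10.1.1.25 198.51.100.25 route-map NO-NAT reversible
!
! Why the private address failed before: the server's replies to 10.1.2.0/24
! are inside-to-outside packets, and an unconditional static entry rewrote
! their source to 198.51.100.25, so they no longer matched the crypto ACL
! and the session broke. The deny line above stops that rewrite.
!
! Verification:
!   show ip nat translations | include 10.1.1.25
!   -> an SMTP session from the Internet shows 10.1.1.25 paired with 198.51.100.25;
!      a session from 10.1.2.0/24 to 10.1.1.25 over the tunnel shows no entry, and
!      "show crypto ipsec sa" on RTR1 shows its packets decrypted and encrypted.
!   The crypto ACLs on both routers and RTR2's NAT exemption must already cover
!   10.1.1.0/24 <-> 10.1.2.0/24 for the private address to be reachable at all.
```

Keep the deny lines in NO-NAT-ACL in step with the crypto ACL: every destination that is interesting traffic for a tunnel needs a matching deny, or that tunnel's traffic will be translated and silently stop matching the crypto map.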
