10-02-2007 09:36 AM
Hi
I have configured RTR1 to support VPN Clients. RTR1 has a site 2 site VPN tunnel with RTR 2.
VPN Clients connected to RTR1 have IP connectivity to RTR1 LAN. How do I get the VPN Client LAN to have access to RTR2 LAN?
I have included the VPN Client LAN to be encrypted in the VPN tunnel to RTR2 LAN and vice versa. I have also tried a static route configured on RTR2 for the VPN Client LAN using RTR1 WAN IP as next hop.
Still not working for me. Any ideas?
Thanks
10-02-2007 10:08 AM
I haven't done it with an IOS router before but give this a try. Your split tunnel ACL for the remote VPN clients needs to have the remote RTR2 LAN subnet in it.
10-03-2007 04:57 AM
Sorry Mate!! You lost me there. I should have mentioned security is not my strongest skill. When you say split tunnel ACL, do you mean the ACL that permits the LANs of RTR1 and RTR2 over the tunnel? Maybe an example will help clarify this. Thanks in advance
10-03-2007 07:16 AM
Here's an example of the ACL I'm talking about. The split tunnel ACL must contain both the internal subnet and remote subnet via the site to site VPN.
ip access-list extended VPN-ACL
permit ip 10.1.1.0 0.0.0.255 any
permit ip 10.1.2.0 0.0.0.255 any
crypto isakmp client configuration group VPN
key blablabla
domain cisco.com
pool VPN-POOL
acl VPN-ACL
10-03-2007 07:58 AM
Hi,
I found the split tunnel ACL and have added the remote RTR2 LAN subnet to it. I still cannot reach it. Just to make sure I was editing the correct ACL on RTR1, I removed one of the local subnets and I could not ping it from the VPN client.
10-03-2007 08:03 AM
Has the other side added your remote VPN client pool to its configuration? The remote site needs to know its interesting traffic as well. Is RTR2 NAT'ing? Cleaned up configs for both routers would help a lot.
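To show what "both sides knowing the interesting traffic" looks like in practice, here is a constructed example (not the configs from this thread) with assumed addressing: RTR1 LAN 10.1.1.0/24, RTR2 LAN 10.1.2.0/24 and a VPN client pool of 10.1.100.0/24. The crypto ACLs mirror each other, the client pool appears in both, and pool traffic is kept out of NAT on both routers.

```text
! Constructed example, assumed addressing:
!   RTR1 LAN 10.1.1.0/24, RTR2 LAN 10.1.2.0/24, VPN client pool 10.1.100.0/24
!
! ===== RTR1 (terminates the VPN clients and the site-to-site tunnel) =====
ip local pool VPN-POOL 10.1.100.1 10.1.100.254
!
! Split-tunnel ACL pushed to the clients: local LAN plus the RTR2 LAN
ip access-list extended VPN-ACL
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 10.1.2.0 0.0.0.255 any
!
! Site-to-site crypto ACL: LAN-to-LAN plus pool-to-RTR2-LAN
ip access-list extended S2S-TO-RTR2
 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip 10.1.100.0 0.0.0.255 10.1.2.0 0.0.0.255
!
! NAT exemption: tunnel traffic must not be translated to the WAN IP,
! otherwise it never matches the crypto ACL on either side
ip access-list extended NAT-ACL
 deny   ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
 deny   ip 10.1.100.0 0.0.0.255 10.1.2.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 10.1.100.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
!
! ===== RTR2 (mirror of RTR1's crypto ACL, pool included) =====
ip access-list extended S2S-TO-RTR1
 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.1.2.0 0.0.0.255 10.1.100.0 0.0.0.255
!
ip access-list extended NAT-ACL
 deny   ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny   ip 10.1.2.0 0.0.0.255 10.1.100.0 0.0.0.255
 permit ip 10.1.2.0 0.0.0.255 any
```

RTR2 only needs a route for 10.1.100.0/24 that points out its WAN interface (a default route is enough); the crypto map on that interface then picks the traffic up. No static route via RTR1's WAN IP is required.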
10-03-2007 09:21 AM
Thanks Mate...it works now
10-03-2007 11:18 AM
Hi,
Thanks for solving the VPN client to remote LAN issue. I got another one I am struggling with.
I have the same two sites RTR1 and RTR2 acting as FW with site2site VPN. On RTR1 I have a static NAT for the exchange server.
From RTR2 site, I can connect on port 25 to the RTR1 exchange NATed IP (public IP) but not on the private IP.
If I remove the one to one NAT entry for the exchange server, I can connect on port 25 on the private IP. How do I get both to work, connecting to the exchange server on the private and public IP on port 25?
10-03-2007 12:13 PM
It seems like we need a one to one NAT and route-map. Configs will help.
10-04-2007 09:32 AM
Thanks,
I would have pasted the config, but there is just too much to edit.
I have the one to one NAT for the mail server. How do I use a route map to achieve users being able to get to the mail server on the public IP address and on the private IP address via the VPN tunnel?
10-08-2007 06:35 AM
Here's an example of NAT with route-map to exclude VPN traffic.
!
! x.x.x.x = mail server private IP, y.y.y.y = remote (RTR2) LAN
! Traffic from the mail server to the remote LAN is denied here, so the
! static translation is skipped for it and the private IP stays reachable
! over the tunnel; everything else from the mail server is still NATed.
ip access-list extended NO-NAT-ACL
 deny   ip host x.x.x.x y.y.y.y 0.0.0.255
 permit ip host x.x.x.x any
!
route-map NO-NAT-ACL permit 10
 match ip address NO-NAT-ACL
!
! The static entry only translates when the route-map matches. On IOS
! releases that support it, append "reversible" so sessions initiated
! from the outside to 200.200.200.200 are still translated.
ip nat inside source static x.x.x.x 200.200.200.200 route-map NO-NAT-ACL
!
!