VPN connections: impossible to ping network's machines

Mar 9th, 2008

Hello,

I have configured a Cisco 857 device. I can connect to the internet. I can also establish VPN connections remotely.

However, once I have established a VPN connection, I cannot ping any system on the company LAN.

I have seen several posts on these forums, but I couldn't configure my router properly.

I attach my config. Is it possible to know what corrections I should make?

My LAN IPs are 10.0.0.x with a subnet mask 255.0.0.0.

For my remote clients, I have now configured it to use 255.0.1.x.

Thanks and regards,

MaC

cisco24x7 Sun, 03/09/2008 - 10:31

I can see in your configuration that you use split-tunneling, which is fine.

However, I think you need to add the following lines in the configuration so that your router will NOT NAT traffic when going from 10.0.0.0/8 to 255.0.1.x/24:

no access-list 120
access-list 120 remark SDM_ACL Category=18
access-list 120 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 120 deny ip 10.0.0.0 0.255.255.255 255.0.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 any

That way, the traffic from 10.0.0.0/8 will not be NATted when going to 255.0.1.0/24 for the VPN.

CCIE Security

MaCFoxtrot Sun, 03/09/2008 - 10:59

Hello,

To what does 255.0.1.x/24 refer? Is this a special range?

Wouldn't you rather mean 10.0.1.x/8 as 10.0.1.x will be the IP of the clients?

Regards,

MaCFoxtrot Sun, 03/09/2008 - 11:23

Correction to my first post: "For my remote clients, I have now configured it to use 10.0.1.x."

Regards,

MaCFoxtrot Sun, 03/09/2008 - 11:37

Here is the current state of my access lists; still nothing working:

access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 120 remark SDM_ACL Category=18
access-list 120 deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 any

Regards,

MaCFoxtrot Sat, 03/22/2008 - 03:50

Hello,

The problem is now solved.

It was related to the fact that both my company network and my VPN client pool were using IPs in the same subnet.

Regards,
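
The overlap named in the last post can be checked mechanically before a pool is deployed. The following is an added example, not part of the original thread and not Cisco tooling: it parses the access-list 120 lines posted above, converts their wildcard masks to networks, and tests them against the LAN (10.0.0.0 with mask 255.0.0.0) and the client pool. The /24 pool size and the function names `wildcard_net`, `parse_acl` and `audit` are assumptions made for the example.

```python
import ipaddress

# Values from the thread. The /24 pool size is an assumption (posts say only "10.0.1.x").
LAN = "10.0.0.0/255.0.0.0"
VPN_POOL = "10.0.1.0/24"
ACL_120 = """\
access-list 120 remark SDM_ACL Category=18
access-list 120 deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
"""

def wildcard_net(addr, wildcard):
    """Convert a Cisco 'address wildcard' pair to a network (contiguous wildcards only)."""
    inv = int(ipaddress.IPv4Address(wildcard))
    if inv & (inv + 1):  # set bits must form one run from the low end, e.g. 0.0.0.255
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    base = int(ipaddress.IPv4Address(addr)) & ~inv & 0xFFFFFFFF
    return ipaddress.ip_network((base, 32 - inv.bit_length()))

def parse_acl(text):
    """Yield (action, src, dst) for 'permit|deny ip <addr> <wildcard> ...' entries.
    dst is None for 'any'; 'host' and 'any' sources are not handled here."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] not in ("permit", "deny") or tok[3] != "ip":
            continue
        dst = None if tok[6] == "any" else wildcard_net(tok[6], tok[7])
        yield tok[2], wildcard_net(tok[4], tok[5]), dst

def audit(lan, pool, acl_text):
    """Return findings for the VPN pool and the NAT ACL (deny = traffic is not NATted)."""
    lan, pool = ipaddress.ip_network(lan), ipaddress.ip_network(pool)
    findings = []
    if lan.overlaps(pool):
        findings.append(f"pool {pool} overlaps LAN {lan}: LAN hosts see VPN clients as on-link")
    exempt = any(action == "deny" and dst is not None
                 and lan.subnet_of(src) and pool.subnet_of(dst)
                 for action, src, dst in parse_acl(acl_text))
    if not exempt:
        findings.append(f"no deny entry exempts all of {lan} -> {pool} from NAT")
    return findings

if __name__ == "__main__":
    for finding in audit(LAN, VPN_POOL, ACL_120):
        print("FINDING:", finding)
```

Run against the values in the thread, it reports both the pool overlap and the fact that the 0.0.0.255 source wildcard covers only 10.0.0.0/24 of the /8 LAN.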
