Remote Access VPN

wasiimcisco
Level 1

The concentrator is connected to the core switch, and the server 172.28.31.171 is also connected to the core switch.

Inter-VLAN routing is working fine. The server and the concentrator are able to reach each other via the core switch.

Concentrator private IP address: 172.28.31.92/248

VPN pool: 172.28.31.128/248

Core switch IP address: 172.28.31.91

The client is able to connect without any problem, but the client is not able to ping or connect to any network device.

In the VPN session I can see bytes sent and received. My LAN-to-LAN tunnels are working fine without any problem.

No firewall is involved in the path between the concentrator and the desired server 172.28.31.171.

Both are connected to the same switch but in different VLANs. Inter-VLAN routing is working and both are able to ping.

Only the remote access client 172.28.31.128/248 is not able to reach anywhere.

Core switch routing table

ip route 172.28.0.0 255.255.0.0 172.28.31.68

ip route 172.28.0.0 255.255.224.0 172.28.31.77

ip route 172.28.31.128 255.255.255.248 172.28.31.92

ip route 172.28.32.50 255.255.255.255 172.28.31.92

ip route 172.29.0.0 255.255.0.0 172.28.31.68

Concentrator routing table

172.28.31.160 255.255.255.224 via 172.28.31.91

172.28.92.0 255.255.255.0 via 172.28.31.91

172.29.0.0 255.255.0.0 via 172.28.31.91

192.168.0.0 255.255.0.0 via 172.28.31.91

172.28.31.170 255.255.255.255 via 172.28.31.91

Split tunnel is enabled for

172.28.31.88/0.0.0.7

192.168.0.0/0.0.255.255

172.29.0.0/0.0.255.255

172.28.92.0/0.0.0.255

172.28.31.170/0.0.0.0

172.28.31.171/0.0.0.0
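An added example, not part of the original post, that transcribes the two routing tables and the split-tunnel list above and walks one client packet through them with a longest-prefix match. For each destination it answers the three questions a remote-access packet raises: does the client's split-tunnel list send it into the tunnel at all, does the concentrator have a route toward the destination, and does the core switch have a route back to the client's pool address. The "/248" in the post is read as 255.255.255.248 (/29); the connected networks (172.28.31.88/29 for the concentrator VLAN and 172.28.31.160/27 for the server VLAN) are assumptions drawn from the addresses given, not stated in the post.

```python
"""Longest-prefix-match reachability check for the routing tables in the post.

Added example, not the poster's configuration: it transcribes the core switch
and concentrator tables plus the split-tunnel list and reports, per
destination, whether a remote-access client packet has a path out and back.
"""
import ipaddress


def net(addr, netmask):
    """Build a network from a dotted netmask (e.g. 255.255.255.248)."""
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def wildcard_net(addr, wildcard):
    """Build a network from a Cisco-style wildcard mask (e.g. 0.0.0.7).

    Converted explicitly because ipaddress reads a dotted 0.0.0.0 as
    netmask /0, not hostmask /32, so 172.28.31.170/0.0.0.0 would otherwise
    silently match every address.
    """
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return net(addr, netmask)


# Static routes transcribed from the post. The two "connected" entries per
# table are assumptions: concentrator VLAN 172.28.31.88/29 (switch .91,
# concentrator .92) and server VLAN 172.28.31.160/27 (server .171).
CORE_SWITCH_ROUTES = [
    (net("172.28.31.88", "255.255.255.248"), "connected"),
    (net("172.28.31.160", "255.255.255.224"), "connected"),
    (net("172.28.0.0", "255.255.0.0"), "172.28.31.68"),
    (net("172.28.0.0", "255.255.224.0"), "172.28.31.77"),
    (net("172.28.31.128", "255.255.255.248"), "172.28.31.92"),
    (net("172.28.32.50", "255.255.255.255"), "172.28.31.92"),
    (net("172.29.0.0", "255.255.0.0"), "172.28.31.68"),
]
CONCENTRATOR_ROUTES = [
    (net("172.28.31.88", "255.255.255.248"), "connected"),
    (net("172.28.31.160", "255.255.255.224"), "172.28.31.91"),
    (net("172.28.92.0", "255.255.255.0"), "172.28.31.91"),
    (net("172.29.0.0", "255.255.0.0"), "172.28.31.91"),
    (net("192.168.0.0", "255.255.0.0"), "172.28.31.91"),
    (net("172.28.31.170", "255.255.255.255"), "172.28.31.91"),
]
# Split-tunnel network list, given in the post with wildcard masks.
SPLIT_TUNNEL = [
    wildcard_net("172.28.31.88", "0.0.0.7"),
    wildcard_net("192.168.0.0", "0.0.255.255"),
    wildcard_net("172.29.0.0", "0.0.255.255"),
    wildcard_net("172.28.92.0", "0.0.0.255"),
    wildcard_net("172.28.31.170", "0.0.0.0"),
    wildcard_net("172.28.31.171", "0.0.0.0"),
]
VPN_POOL = net("172.28.31.128", "255.255.255.248")


def lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop) or None if no route."""
    ip = ipaddress.ip_address(dst)
    best = None
    for network, next_hop in routes:
        if ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop)
    return best


def sent_into_tunnel(dst):
    """True when the client's split-tunnel list covers the destination."""
    ip = ipaddress.ip_address(dst)
    return any(ip in network for network in SPLIT_TUNNEL)


def trace(client_ip, dst):
    """Forward path (client -> concentrator -> dst) and return path (core switch -> client)."""
    if ipaddress.ip_address(client_ip) not in VPN_POOL:
        raise ValueError(f"{client_ip} is not in the VPN pool {VPN_POOL}")
    forward = lookup(CONCENTRATOR_ROUTES, dst)
    back = lookup(CORE_SWITCH_ROUTES, client_ip)
    return {
        "client_sends_into_tunnel": sent_into_tunnel(dst),
        "concentrator_next_hop": forward[1] if forward else None,
        "core_switch_return_hop": back[1] if back else None,
    }


if __name__ == "__main__":
    # The server from the post, and a host the split-tunnel list does not cover.
    for dst in ("172.28.31.171", "172.28.31.68"):
        print(dst, trace("172.28.31.129", dst))
```

For the server 172.28.31.171 all three answers come back positive under the assumptions above, which is why the posted tables alone do not explain the failure; the same function applied to a destination outside the split-tunnel list (for example 172.28.31.68) shows the other common cause, a packet that never enters the tunnel. When the tables check out, the next thing to confirm is the server's own default gateway and the concentrator's inbound filter, neither of which the post shows.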

4 Replies

JORGE RODRIGUEZ
Level 10

Hi, I'm trying to decipher your IP scheme and I'm seeing something odd:

"Only the remote access client 172.28.31.128/248 is not able to reach anywhere."

You are using 172.28.31.128 for your VPN pool network with a 29-bit mask, at least that is what your description entails. This network allows for a range of 8 addresses, from 128 to 135; 172.28.31.128 is the network address, therefore it cannot be assigned to any host, and 135 is the broadcast address.

Jorge

Jorge Rodriguez

172.28.31.128/248 is the pool that is defined on the VPN concentrator; client IPs start from 172.28.31.129-172.28.31.133.

The client gets the IP 172.28.31.129 and is still not able to reach the internal network. My site-to-site VPNs are working fine; the only problem is with the remote access VPN.

On the concentrator, in your VPN tunnel group for RA clients, under the Client Config tab, do you have IPsec over UDP checked on, as well as IPsec over UDP port 1000? This is assuming clients are using the default IPsec over UDP port 1000 in their client settings.

You may also need to enable NAT transparency under Tunneling Protocol\IPsec\NAT Transparency (IPsec over NAT-T).

Jorge Rodriguez

My dear, there is no firewall or NAT device between the client and the server; it is simply the concentrator connected to the switch, and the server is also connected to that switch.