Remote site VPN users not able to access the LAN(Remote)

Unanswered Question
Jul 21st, 2008

I have configured remote site vpn with domain authentication. VPN client users are able to login to the VPN and they are authenticating with Domain controller. But they are unable to access the LAN(remote). Please find the configuration below.

access-list inside_nat0_outbound extended permit ip any 10.100.100.0 255.255.255.0

ip local pool vpnpool 10.100.100.1-10.100.100.254 mask 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 0 0.0.0.0 0.0.0.0

route inside 172.0.0.0 255.0.0.0 172.x.x.x

route outside 0.0.0.0 0.0.0.0 x.x.x.x

aaa-server India protocol nt

aaa-server India (inside) host 172.x.x.x

nt-auth-domain-controller domaincontroller

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto dynamic-map dynamic 30 set reverse-route

crypto dynamic-map dynamic 30 set pfs

crypto dynamic-map dynamic 30 set transform-set ESP-AES-128-SHA

crypto map vpn 10 ipsec-isakmp dynamic dynamic

crypto map vpn interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

group-policy gpolicy internal

group-policy gpolicy attributes

dns-server value 172.x.x.x

vpn-tunnel-protocol IPSec

default-domain value domaincontroller

tunnel-group vpngroup type ipsec-ra

tunnel-group vpngroup general-attributes

address-pool vpnpool

authentication-server-group India

default-group-policy gpolicy

tunnel-group vpngroup ipsec-attributes

pre-shared-key *

Earlier same with same configuration it was working, but i have upgraded the IOS from 7.2 to 8.0.

after that it is not working.

Earlier using 7.2 IOS also i got the same problem, but when i used the command crypto isakmp nat-traversal 20 it worked.

Now after issuing this command doen's help me.

Can anybody please help me in this matter.

Thanks in Advance

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
a.alekseev Mon, 07/21/2008 - 04:42

What do you mean "they are unable to access the LAN(remote)"?

What is LAN(remote)?

psureshrao Mon, 07/21/2008 - 05:00

able to login to VPN network. but not able to access the LAN of remote network.

a.alekseev Mon, 07/21/2008 - 06:00

show the output "sh crypto isce sa" when a vpn client is connected.

psureshrao Mon, 07/21/2008 - 06:31

Please find the output.

interface: outside

Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: x.x.x.x

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (10.100.100.1/255.255.255.255/0/0)

current_peer: x.x.x.x, username: 210565

dynamic allocated peer ip: 10.100.100.1

#pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22

#pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 22, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: x.x.x.x/4500, remote crypto endpt.: x.x.x.x/60577

path mtu 1500, ipsec overhead 82, media mtu 1500

current outbound spi: B57D7473

inbound esp sas:

spi: 0x5742F7E0 (1464006624)

transform: esp-aes esp-sha-hmac none

in use settings ={RA, Tunnel, NAT-T-Encaps, }

slot: 0, conn_id: 4096, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

sa timing: remaining key lifetime (sec): 28775

IV size: 16 bytes

replay detection support: Y

outbound esp sas:

spi: 0xB57D7473 (3044897907)

transform: esp-aes esp-sha-hmac none

in use settings ={RA, Tunnel, NAT-T-Encaps, }

slot: 0, conn_id: 4096, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

sa timing: remaining key lifetime (sec): 28771

IV size: 16 bytes

replay detection support: Y

a.alekseev Mon, 07/21/2008 - 06:37

you have encrypted and decrypted packets.

and you negotiated NAT-T

so your vpn is working.

if you want continue - give more details.

psureshrao Mon, 07/21/2008 - 06:44

Here it looks everything fine, but the thing is.

My LAN network is 172.0.0.0 series and client will get 10.10.10.0 series. Client is getting the IP address but unable to access the 172.0.0.0 series.

If required more inputs then i will provide.

Actions

This Discussion