Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
608
Views
0
Helpful
7
Replies

Remote site VPN users not able to access the LAN(Remote)

CiscogeekIND
Level 1
Level 1

‎07-21-2008 03:19 AM

I have configured remote site vpn with domain authentication. VPN client users are able to login to the VPN and they are authenticating with Domain controller. But they are unable to access the LAN(remote). Please find the configuration below.

access-list inside_nat0_outbound extended permit ip any 10.100.100.0 255.255.255.0

ip local pool vpnpool 10.100.100.1-10.100.100.254 mask 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 0 0.0.0.0 0.0.0.0

route inside 172.0.0.0 255.0.0.0 172.x.x.x

route outside 0.0.0.0 0.0.0.0 x.x.x.x

aaa-server India protocol nt

aaa-server India (inside) host 172.x.x.x

nt-auth-domain-controller domaincontroller

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto dynamic-map dynamic 30 set reverse-route

crypto dynamic-map dynamic 30 set pfs

crypto dynamic-map dynamic 30 set transform-set ESP-AES-128-SHA

crypto map vpn 10 ipsec-isakmp dynamic dynamic

crypto map vpn interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

group-policy gpolicy internal

group-policy gpolicy attributes

dns-server value 172.x.x.x

vpn-tunnel-protocol IPSec

default-domain value domaincontroller

tunnel-group vpngroup type ipsec-ra

tunnel-group vpngroup general-attributes

address-pool vpnpool

authentication-server-group India

default-group-policy gpolicy

tunnel-group vpngroup ipsec-attributes

pre-shared-key *

Earlier same with same configuration it was working, but i have upgraded the IOS from 7.2 to 8.0.

after that it is not working.

Earlier using 7.2 IOS also i got the same problem, but when i used the command crypto isakmp nat-traversal 20 it worked.

Now after issuing this command doen's help me.

Can anybody please help me in this matter.

Thanks in Advance

Labels:
0 Helpful
7 Replies 7

a.alekseev
Level 7
Level 7

‎07-21-2008 04:42 AM

What do you mean "they are unable to access the LAN(remote)"?

What is LAN(remote)?

0 Helpful

CiscogeekIND
Level 1
Level 1
In response to a.alekseev

‎07-21-2008 05:00 AM

able to login to VPN network. but not able to access the LAN of remote network.

0 Helpful

a.alekseev
Level 7
Level 7
In response to CiscogeekIND

‎07-21-2008 06:00 AM

show the output "sh crypto isce sa" when a vpn client is connected.

0 Helpful

CiscogeekIND
Level 1
Level 1
In response to a.alekseev

‎07-21-2008 06:31 AM

Please find the output.

interface: outside

Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: x.x.x.x

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (10.100.100.1/255.255.255.255/0/0)

current_peer: x.x.x.x, username: 210565

dynamic allocated peer ip: 10.100.100.1

#pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22

#pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 22, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: x.x.x.x/4500, remote crypto endpt.: x.x.x.x/60577

path mtu 1500, ipsec overhead 82, media mtu 1500

current outbound spi: B57D7473

inbound esp sas:

spi: 0x5742F7E0 (1464006624)

transform: esp-aes esp-sha-hmac none

in use settings ={RA, Tunnel, NAT-T-Encaps, }

slot: 0, conn_id: 4096, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

sa timing: remaining key lifetime (sec): 28775

IV size: 16 bytes

replay detection support: Y

outbound esp sas:

spi: 0xB57D7473 (3044897907)

transform: esp-aes esp-sha-hmac none

in use settings ={RA, Tunnel, NAT-T-Encaps, }

slot: 0, conn_id: 4096, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

sa timing: remaining key lifetime (sec): 28771

IV size: 16 bytes

replay detection support: Y

0 Helpful

a.alekseev
Level 7
Level 7
In response to CiscogeekIND

‎07-21-2008 06:37 AM

you have encrypted and decrypted packets.

and you negotiated NAT-T

so your vpn is working.

if you want continue - give more details.

0 Helpful

CiscogeekIND
Level 1
Level 1
In response to a.alekseev

‎07-21-2008 06:44 AM

Here it looks everything fine, but the thing is.

My LAN network is 172.0.0.0 series and client will get 10.10.10.0 series. Client is getting the IP address but unable to access the 172.0.0.0 series.

If required more inputs then i will provide.

0 Helpful

a.alekseev
Level 7
Level 7
In response to CiscogeekIND

‎07-21-2008 10:48 AM

show the configuration :)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents