Solved: VPN Access

townofnewmarket · ‎10-27-2008

Redoing our network to remove the .1 subnet and replace it with a .12 subnet. I can successfully authenticate from home, but I am unable to connect to any of the .12 boxes on the network.

Here's snippets of my config:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

names

access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list nonat permit ip 192.168.11.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 102 permit ip 192.168.11.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 103 remark IP Access for 10 range

access-list 103 permit ip host 192.168.10.1 192.168.2.0 255.255.255.0

pager lines 24

logging host inside 192.168.1.3

mtu outside 1500

mtu inside 1500

ip address inside 192.168.1.253 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool 192.168.2.1-192.168.2.200

ip local pool remoteuser 192.168.2.201-192.168.2.254

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route inside 192.168.5.0 255.255.255.0 192.168.1.210 1

route inside 192.168.6.0 255.255.255.0 192.168.1.210 1

route inside 192.168.9.0 255.255.255.0 192.168.1.254 1

route inside 192.168.10.0 255.255.255.0 192.168.1.254 1

route inside 192.168.11.0 255.255.255.0 192.168.1.254 1

route inside 192.168.12.0 255.255.255.0 192.168.1.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

vpngroup new address-pool ippool

vpngroup new dns-server 192.168.1.4

vpngroup new split-tunnel 101

vpngroup new idle-time 1800

vpngroup new password ********

vpngroup rjordan address-pool remoteuser

vpngroup rjordan dns-server 192.168.1.4

vpngroup rjordan split-tunnel 102

vpngroup rjordan idle-time 1800

vpngroup rjordan password ********

vpngroup tenrange address-pool remoteuser

vpngroup tenrange dns-server 192.168.1.4

vpngroup tenrange split-tunnel 103

vpngroup tenrange idle-time 1800

vpngroup tenrange password ********

ajagadee · ‎10-27-2008

Hi,

Are you connecting to VPNGroup new or a different one. If you are connecting the "new" group and not able to access the 192.168.12.0 subnet, make sure that you bypass NAT for VPN Client Traffic. Include this below access-list and do the testing again.

access-list nonat permit ip 192.168.12.0 255.255.255.0 192.168.2.0 255.255.255.0

Regards,

Arul

*Pls rate if it helps*

View solution in original post

ajagadee · ‎10-27-2008

Hi,

Are you connecting to VPNGroup new or a different one. If you are connecting the "new" group and not able to access the 192.168.12.0 subnet, make sure that you bypass NAT for VPN Client Traffic. Include this below access-list and do the testing again.

access-list nonat permit ip 192.168.12.0 255.255.255.0 192.168.2.0 255.255.255.0

Regards,

Arul

*Pls rate if it helps*