VPN clients cannot access non-native VLANs

Unanswered Question
Jan 2nd, 2009

Hi, I have configured an 877 as an Easy VPN server. When a client connects to the VPN, we can only reach the native VLAN:

VPN clients: 192.168.2.0/24

VLAN 1 (native): 192.168.1.0/24

VLAN 100 (voice): 192.168.100.0/24

There must be something wrong in the config, but I can't find the error. This is my config:

aaa new-model
!
aaa group server radius sdm_vpn_xauth_ml_1
 server 192.168.1.201 auth-port 1645 acct-port 1646
!
aaa group server radius sdm_vpn_group_ml_1
 server 192.168.1.201 auth-port 1645 acct-port 1646
!
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool DHCP_pool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.2
   dns-server 192.168.1.3 80.58.61.250 80.58.61.254
   netbios-name-server 192.168.1.3
   domain-name nirgal.es
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name nirgal
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNNirgal
 key 08nirgal0708
 dns 192.168.1.3
 wins 192.168.1.3
 domain nirgal
 pool SDM_POOL_1
 acl 100
 max-users 254
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group VPNNirgal
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-AES128-SHA
 set isakmp-profile sdm-ike-profile-1
!
archive
 log config
  hidekeys
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address <public ip> <netmask>
 ip nat outside
 ip virtual-reassembly
 pvc 8/32
  encapsulation aal5snap
 !
!
interface FastEthernet0
 switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 ip unnumbered ATM0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description LOCAL LAN
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <next hop public ip>
ip route 0.0.0.0 0.0.0.0 192.168.1.252 2
ip route 192.168.100.5 255.255.255.255 192.168.100.254
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map No_NAT interface ATM0.1 overload
!
access-list 100 remark VPN_CLIENTE
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 remark NAT_INSIDE_VPN
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
no cdp run
!
route-map No_NAT permit 1
 match ip address 101
!
radius-server host 192.168.1.201 auth-port 1645 acct-port 1646 key 7 <key>
!

!

Thanks.
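The first thing to verify in an Easy VPN setup with split tunnelling is that every LAN network listed in the split-tunnel ACL is also exempt from NAT toward the client pool: a subnet present in `acl 100` but missing from the `deny` entries of the NAT route-map's ACL will have its replies to VPN clients translated to the ATM0.1 address, and only the exempt subnets stay reachable. The script below is an added example, not code from the post or from Cisco. It parses the `access-list` and `ip local pool` lines with IOS first-match semantics and reports, for each protected network, whether return traffic to the pool is exempt, translated, or only partially covered by an entry. The config excerpt embedded in it is copied from the post; `BROKEN_NAT_ACL` is a constructed variant with the voice-VLAN exemption removed, used only to show what a mismatch looks like, and all function names are this example's own. Run against the posted ACLs it reports both 192.168.1.0/24 and 192.168.100.0/24 as exempt, so this particular mismatch is not present here and the cause has to be looked for elsewhere (for instance the default gateway of the hosts in VLAN 100, or the split-tunnel list as actually pushed to the client).

```python
"""Added example: consistency check between an Easy VPN split-tunnel ACL and the NAT-exemption ACL."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed excerpt: only the pool and the ACL 100 / ACL 101 lines of the posted config.
POSTED_CONFIG = """
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.254
access-list 100 remark VPN_CLIENTE
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 remark NAT_INSIDE_VPN
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
"""
# Hypothetical variant of ACL 101 with the voice-VLAN exemption left out (constructed).
BROKEN_NAT_ACL = """
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
"""
Entry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]  # (action, src, dst)

def wildcard_to_prefixlen(wildcard: str) -> int:
    """IOS wildcard 0.0.0.255 -> 24.  Only wildcards with contiguous low bits map to a prefix."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"wildcard {wildcard} is not expressible as a single prefix")
    return 32 - bits.bit_length()

def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    plen = wildcard_to_prefixlen(tokens[i + 1])
    return ipaddress.ip_network(f"{tokens[i]}/{plen}", strict=False), i + 2

def parse_acls(config: str) -> Dict[int, List[Entry]]:
    """Collect numbered extended 'ip' ACL entries in order; remarks and non-IP entries are skipped."""
    acls: Dict[int, List[Entry]] = {}
    pat = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.*)$")
    for line in config.splitlines():
        m = pat.match(line)
        if m:
            tokens = m.group(3).split()
            src, i = _parse_addr(tokens, 0)
            dst, _ = _parse_addr(tokens, i)
            acls.setdefault(int(m.group(1)), []).append((m.group(2), src, dst))
    return acls

def pool_network(config: str) -> ipaddress.IPv4Network:
    """Smallest prefix covering the 'ip local pool NAME FIRST LAST' address range."""
    m = re.search(r"^\s*ip local pool\s+\S+\s+(\S+)\s+(\S+)", config, re.M)
    if not m:
        raise ValueError("no 'ip local pool' line in config")
    last = ipaddress.IPv4Address(m.group(2))
    net = ipaddress.ip_network(f"{m.group(1)}/32")
    while last not in net:
        net = net.supernet()
    return net

def first_match(acl: List[Entry], src: ipaddress.IPv4Network, dst: ipaddress.IPv4Network) -> str:
    """IOS takes the first matching entry.  An entry covering the whole src->dst flow decides;
    one that merely overlaps it is reported as 'partial-<action>' so a human reviews it."""
    for action, esrc, edst in acl:
        if src.subnet_of(esrc) and dst.subnet_of(edst):
            return action
        if src.overlaps(esrc) and dst.overlaps(edst):
            return f"partial-{action}"
    return "deny"  # implicit deny at the end of every IOS ACL

def check_nat_exemption(config: str, split_acl: int = 100, nat_acl: int = 101) -> Dict[str, str]:
    """Map each protected network of the split-tunnel ACL to 'exempt' (route-map deny, no NAT),
    'natted' (route-map permit, replies to VPN clients get translated) or a 'partial-*' verdict."""
    acls, pool = parse_acls(config), pool_network(config)
    report: Dict[str, str] = {}
    for action, src, _dst in acls.get(split_acl, []):
        if action != "permit" or src == pool:
            continue  # SDM also lists the pool itself in the split ACL; it is not a LAN network
        verdict = first_match(acls.get(nat_acl, []), src, pool)
        report[str(src)] = {"deny": "exempt", "permit": "natted"}.get(verdict, verdict)
    return report

def with_nat_acl(config: str, replacement: str, nat_acl: int = 101) -> str:
    """Return config with every 'access-list <nat_acl>' line swapped for the replacement lines."""
    kept = [l for l in config.splitlines() if not l.strip().startswith(f"access-list {nat_acl} ")]
    return "\n".join(kept + replacement.splitlines())

if __name__ == "__main__":
    print("posted ACLs   :", check_nat_exemption(POSTED_CONFIG))
    print("broken ACL 101:", check_nat_exemption(with_nat_acl(POSTED_CONFIG, BROKEN_NAT_ACL)))
```

The check deliberately models only full containment as a decisive match; an entry that covers part of a protected network (say a /16 split entry against a /24 NAT deny) is flagged as partial rather than guessed, because in that case some hosts are exempt and others are translated, which shows up as intermittent reachability rather than a clean failure.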
