Remote LAN access after VPN connection is made

Unanswered Question

Using a 2811 ona router with 3 serial interfaces. I configured VPN on interface 0/2/0. The VPN pool is on subnet 172.16.5.0/24. All my servers are on 172.16.1.0/24. If I try to connect internally between the 2 subnets it works fine. However, when I try from a remote location using the Cisco VPN client I am unable to get to anything after the VPN connection is established.

Ivan Martinon Tue, 03/31/2009 - 11:23

Can you post your configuration? Do you have the proper no nat statements in place?

Ivan Martinon Mon, 04/13/2009 - 07:01

I see 2 things that must be changed on your config.

First, you are using a pool that falls within the LAN range: 172.16.5.0/25 (Fa0/0), being a class C /24 subnet, covers the pool range, and the router thinks it has that IP range directly connected via that interface. I would use a different range instead.

Second, you are missing the no-NAT statements that bypass the return VPN traffic from being NATed.

Once you have defined a different range for the pool, go ahead and make the needed NAT changes, which should look like this:

ip access-list ext nonat
 remark extended ACL entries need both source and destination
 remark deny = do not translate: LAN to VPN pool traffic must bypass NAT
 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
 remark everything else from the inside networks is translated
 permit ip 172.16.1.0 0.0.0.255 any
 permit ip 172.16.2.0 0.0.0.255 any
 permit ip 172.16.3.0 0.0.0.255 any
 permit ip 172.16.4.0 0.0.0.255 any
ip nat inside source list nonat pool capturet overload

You would need to figure out your NATs the way you need them; however, the NAT bypass is required for VPN traffic.
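The two checks in the reply above, written as an added Python example (not from the thread or from Cisco): whether a VPN pool falls inside a directly connected subnet, and whether a NAT ACL would translate the reply from a server to a VPN client. The connected subnet 172.16.0.0/16, the pool 172.16.6.0/24 and the ACL lines are constructed values.

```python
import ipaddress

# Constructed example values (not from the thread): Fa0/0 is assumed to be
# 172.16.0.0/16, and 172.16.6.0/24 is the VPN pool after it was moved.
CONNECTED = {"FastEthernet0/0": ipaddress.ip_network("172.16.0.0/16")}

NONAT_ACL = [  # IOS extended-ACL syntax, evaluated top-down, implicit deny at the end
    "deny ip 172.16.1.0 0.0.0.255 172.16.6.0 0.0.0.255",  # LAN -> VPN pool: bypass NAT
    "permit ip 172.16.1.0 0.0.0.255 any",
    "permit ip 172.16.2.0 0.0.0.255 any",
]
BROKEN_ACL = NONAT_ACL[1:]  # same list without the deny: replies to VPN clients get NATed


def pool_overlaps(pool, connected=CONNECTED):
    """Return the interface whose connected subnet covers the VPN pool, else None.
    A covered pool makes the router treat client addresses as directly connected
    on that interface instead of routing them into the tunnel."""
    net = ipaddress.ip_network(pool)
    for ifname, subnet in connected.items():
        if net.overlaps(subnet):
            return ifname
    return None


def _parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2  # wildcard = hostmask


def parse_ace(line):
    tok = line.split()
    src, i = _parse_addr(tok, 2)  # tok[1] is the protocol ("ip")
    dst, _ = _parse_addr(tok, i)
    return tok[0], src, dst


def nat_applies(acl, src_ip, dst_ip):
    """True if 'ip nat inside source list' would translate the flow (first matching
    permit); False on a matching deny or on no match (implicit deny = no translation)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        action, s_net, d_net = parse_ace(line)
        if src in s_net and dst in d_net:
            return action == "permit"
    return False


if __name__ == "__main__":
    print("pool overlaps:", pool_overlaps("172.16.5.0/24"))  # FastEthernet0/0
    print("reply NATed (good ACL):", nat_applies(NONAT_ACL, "172.16.1.7", "172.16.6.40"))
    print("reply NATed (no deny):", nat_applies(BROKEN_ACL, "172.16.1.7", "172.16.6.40"))
```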

I configured the NAT pool range on 172.16.6.0/24 and created the access list as shown above. = <172.16.6.0 0.0.0.255>

However after I connect VPN my IP config for the VPN client interface is:

IP address..............172.16.6.40

Subnet Mask.............255.255.0.0

Gateway.................172.16.0.1

DNS.....................172.16.1.7

What went wrong?

Ivan Martinon Tue, 04/14/2009 - 06:32

Sorry, I don't follow. To what did you make the change? Can you post your updated config?

Ivan Martinon Tue, 04/14/2009 - 06:49

OK, thanks, you left those lines there:

ip nat inside source list 12 pool capturet overload

ip nat inside source list 13 pool capturevpn overload

These are overriding the NAT you define after them.

Ivan Martinon Tue, 04/14/2009 - 07:03

When using VPN, yes, you have to reconfigure the way you use NAT. As I explained earlier, VPN clients need to bypass NAT; with the standard setup you have, you will always NAT the reply back from the internal network, and this is not what you need, at least not for the VPN. As for implications, you will need to refresh your NAT tables (clear them) to be able to remove those, but since you have another NAT rule that covers the same set of networks/NAT rules it should not cause any major downtime.

Ivan Martinon Thu, 04/16/2009 - 05:55

So you get connected and you get an IP address; what are you trying to do after you connect?
