Unable to access LAN from VPN Client

Answered Question
Oct 28th, 2009
I have configured an 877 for VPN Client access. The Client authenticates and connects and gets an IP address off the IP pool. However, it cannot access anything on the IP network.


I've included my router's config. The VPN Client is v5.0.05.0290.


Any ideas as to what I am missing?



vincent.monnier Wed, 10/28/2009 - 04:55
Hello,


I think it's a firewall (ACL) issue.

Once the IPsec packets have been decrypted, they pass through the ACL configured on the external interface.

You should add a "permit ip 192.168.201.0 0.0.0.255 192.168.1.0 0.0.0.255" at the beginning of the ACL [ext-ACL-IN] protecting the WAN interface.

slmansfield Wed, 10/28/2009 - 06:23
I'm wondering if ext-ACL-IN should also allow esp traffic.

clark-computers Wed, 10/28/2009 - 07:28
I have put in a permit esp statement. Here is the output of show ip access-list ext-ACL-IN:


Extended IP access list ext-ACL-IN
5 permit ip 192.168.201.0 0.0.0.255 192.168.1.0 0.0.0.255
10 deny tcp any any log fragments
20 deny udp any any log fragments
30 deny icmp any any log fragments
40 deny ip any any log fragments
50 deny ip any any option any-options
60 deny ip any any ttl lt 3
70 deny ip host 0.0.0.0 any
80 deny ip 127.0.0.0 0.255.255.255 any
90 deny ip 192.0.2.0 0.0.0.255 any
100 deny ip 224.0.0.0 31.255.255.255 any
110 deny ip 10.0.0.0 0.255.255.255 any
120 deny ip 172.16.0.0 0.15.255.255 any
130 deny ip 192.168.0.0 0.0.255.255 any
140 permit udp any eq domain any (3330 matches)
150 permit udp any eq ntp any (1700 matches)
160 permit udp any any eq isakmp (774 matches)
170 permit udp any any eq non500-isakmp (347 matches)
180 permit esp any any
190 permit icmp any any time-exceeded
200 permit icmp any any unreachable (159 matches)
210 permit icmp any any echo-reply
220 permit tcp any any established (87522 matches)
230 deny ip any any (1471 matches)


Also, attached is an output of the VPN client's route table: before and then after a connection is established.



slmansfield Wed, 10/28/2009 - 09:09
Can you verify that the devices on your internal network have a route to the address pool used by the VPN client?

clark-computers Thu, 10/29/2009 - 02:47
I can confirm that this is the case. In fact, the router with the VPN Client config is the LAN default gateway as well.

Correct Answer
vincent.monnier Thu, 10/29/2009 - 03:29
Can you try to reverse your Client-VPN ACL? I think it's written in the wrong way.

For example:

ip access-list extended Client-VPN
 remark *** permit Client VPN pool ***
 permit ip any 192.168.201.0 0.0.0.255

or, more accurately:

ip access-list extended Client-VPN
 remark *** permit Client VPN pool ***
 permit ip 192.168.1.0 0.0.0.255 192.168.201.0 0.0.0.255
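As an added illustration (not part of this thread and not Cisco code), here is a small Python model of how IOS walks a wildcard-mask ACL in sequence order, applied to the two ACLs discussed above: the ext-ACL-IN entry at sequence 5 that lets decrypted pool traffic past the RFC 1918 deny at sequence 130, the ESP permit at 180, and the Client-VPN split-tunnel ACL in both orderings. The split-tunnel ACL is matched from the server side (source = the LAN behind the router, destination = the client pool), which is why the reversed form never matches. The sample packet addresses, the "reversed" form assumed for the original Client-VPN ACL, and the subnet-mask-instead-of-wildcard variant are all constructed; port, fragment, TTL, option and established checks are not modelled.

```python
"""Cisco IOS-style wildcard-mask ACL evaluator (added illustration, not router code)."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Ace(NamedTuple):
    seq: int
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol; anything else must match exactly
    src: str      # "any" or "<address> <wildcard-mask>"
    dst: str


class Packet(NamedTuple):
    proto: str
    src: str
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    base, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins, as IOS walks an ACL; implicit deny at the end."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst):
            return ace.action, ace.seq
    return "deny", None


LAN = "192.168.1.0 0.0.0.255"       # the poster's LAN, as in the thread
POOL = "192.168.201.0 0.0.0.255"    # the VPN client address pool, as in the thread

# Subset of the ext-ACL-IN shown in the thread: only the entries that match on
# protocol and addresses alone (fragment, TTL, option, port and 'established'
# checks are not modelled). Sequence 5 is the line vincent.monnier recommended.
EXT_ACL_IN = [
    Ace(5,   "permit", "ip",  POOL, LAN),
    Ace(130, "deny",   "ip",  "192.168.0.0 0.0.255.255", "any"),
    Ace(180, "permit", "esp", "any", "any"),
    Ace(230, "deny",   "ip",  "any", "any"),
]

# Three single-entry versions of the split-tunnel ACL. The reversed one is an
# assumption about what the original config contained; the bad-mask one writes
# a subnet mask where IOS expects a wildcard mask, a common slip.
CLIENT_VPN_REVERSED = [Ace(10, "permit", "ip", POOL, LAN)]
CLIENT_VPN_CORRECTED = [Ace(10, "permit", "ip", LAN, POOL)]
CLIENT_VPN_BAD_MASK = [Ace(10, "permit", "ip", "192.168.1.0 255.255.255.0", POOL)]

# Constructed sample packets.
DECRYPTED_CLIENT_PKT = Packet("tcp", "192.168.201.5", "192.168.1.10")  # pool -> LAN after decryption
ESP_FROM_INTERNET = Packet("esp", "203.0.113.7", "198.51.100.1")       # encrypted tunnel packet
LAN_TO_CLIENT = Packet("tcp", "192.168.1.10", "192.168.201.5")         # what a split-tunnel ACL must cover


def decrypted_client_packet(with_seq5: bool) -> Tuple[str, Optional[int]]:
    """Show why the pool->LAN permit has to sit before the RFC 1918 deny at 130."""
    acl = EXT_ACL_IN if with_seq5 else [a for a in EXT_ACL_IN if a.seq != 5]
    return evaluate(acl, DECRYPTED_CLIENT_PKT)


def split_tunnel_covers_lan(acl: List[Ace]) -> bool:
    """Split-tunnel ACL is written from the server side: source = LAN, destination = pool."""
    return evaluate(acl, LAN_TO_CLIENT)[0] == "permit"


if __name__ == "__main__":
    print("decrypted pkt, seq 5 present:", decrypted_client_packet(True))   # ('permit', 5)
    print("decrypted pkt, seq 5 missing:", decrypted_client_packet(False))  # ('deny', 130)
    print("ESP from the Internet       :", evaluate(EXT_ACL_IN, ESP_FROM_INTERNET))  # ('permit', 180)
    for name, acl in [("reversed", CLIENT_VPN_REVERSED), ("corrected", CLIENT_VPN_CORRECTED),
                      ("bad mask", CLIENT_VPN_BAD_MASK)]:
        print(f"Client-VPN {name:9s} covers LAN->pool: {split_tunnel_covers_lan(acl)}")
```

Running it shows the three points the thread turns on: without sequence 5 the decrypted client packet is dropped at 130 (the generic 192.168.0.0/16 deny), the ESP permit at 180 is what admits the encrypted tunnel itself, and only the corrected Client-VPN ordering matches LAN-to-pool traffic. The bad-mask variant is worth noting because IOS accepts it without complaint: with wildcard 255.255.255.0 the only bits that must match are the last octet, so it matches 10.20.30.0 but not 192.168.1.10.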

