Unable to connect to network from Cisco Client VPN

Unanswered Question
Apr 12th, 2010
User Badges:
  • Blue, 1500 points or more

Hi All,


I have an 1841 and have configured the client VPN below:


crypto isakmp client configuration group xxxxx
key xxxxxxxxxxx
dns 10.28.x.xx 10.12.x.xx
wins 10.28.x.xx
domain xxxxxx
pool GBIT
acl 2001


ip local pool GBIT 192.168.xxx.xxx 192.168.xxx.xxx


access-list 2001 permit ip 10.13.0.0 0.0.255.255 any
access-list 2001 permit ip 10.12.1.0 0.0.0.255 any
access-list 2001 permit ip 10.246.0.0 0.0.255.255 any
access-list 2001 permit ip 10.28.0.0 0.0.255.255 any


The problem here is that I am able to connect to the client VPN from the outside world, but once connected I am not able to access any of the networks defined in "acl 2001".


Experts, can someone suggest where the problem is?


Regards,
Naidu.

Jennifer Halim Mon, 04/12/2010 - 03:36
User Badges:
  • Cisco Employee,

Double check that you have configured NAT exemption for the VPN traffic.

Latchum Naidu Mon, 04/12/2010 - 03:52

Hi Halijenn,


Thanks for your response,


There are no NAT exemptions for VPN traffic.

And one more thing: the same configuration is working fine on another router with a different public IP.



Regards,

Naidu.

Jennifer Halim Mon, 04/12/2010 - 04:09

What do you mean by there is no NAT exemption for VPN traffic? Do you have a NAT statement at all on your router? If you do, you would need to configure an ACL to deny the VPN traffic from being NATed. Please share the config for further help.

Latchum Naidu Mon, 04/12/2010 - 04:47

Hi Halijenn,


Sorry for the misunderstanding. Yes, we have denied VPN traffic in NAT.

Please find the NAT configuration for it below.


no ip http server
no ip http secure-server
ip nat pool nonat 193.xxx.xxx.x 193.xxx.xxx.x netmask 255.255.255.0
ip nat source static 195.xx.x.xx 10.xx.x.xx route-map DKRGLDAP extendable
ip nat source static 10.xx.x.xx 195.xx.x.xx route-map DKRGLDAP extendable
ip nat inside source route-map nonat pool nonat overload


ip access-list extended NONAT
 deny   ip 10.246.0.0 0.0.255.255 192.168.xx.0 0.0.0.255
 deny   ip 10.28.0.0 0.0.255.255 192.168.xx.0 0.0.0.255


Regards,

Naidu.

Jennifer Halim Mon, 04/12/2010 - 04:51

These statics look incorrect:

ip nat source static 195.xx.x.xx 10.xx.x.xx route-map DKRGLDAP  extendable
ip nat source static 10.xx.x.xx 195.xx.x.xx route-map  DKRGLDAP extendable


Are you configuring the same static statement bidirectionally? If you do, you don't need the first line.


Please share the whole config. Based on the part of the config provided, it seems correct.

Latchum Naidu Mon, 04/12/2010 - 07:54

Hi halijenn


The two NAT statements are for in and out, with defined route-maps.

Please find the attached config and suggest where I am wrong.



Regards,

Naidu.

Jennifer Halim Mon, 04/12/2010 - 23:18

Based on the sanitized config, it seems like the ip pool for the vpn is in the same subnet as fa0/1 (your internal subnet). Please change the ip pool to something totally different (another unique subnet).


Then you would need to change ACL 2001 and nonat accordingly with the new ip pool subnet.


Then you would need to configure static route for the pool: ip route xxx.xxx.xxx.xxx 255.255.255.0 193.xxx.xxx.x


Lastly, make sure that your internal router routes traffic for the ip pool subnet towards this router's fa0/1 interface (192.168.xxx.xx).

Latchum Naidu Tue, 04/13/2010 - 03:05

Hi Halijenn,


The ip pool for the vpn (192.168.10.200 - 192.168.10.250) and ip on fa0/1 (192.168.99.11) are entirely different subnets.

And as I mentioned in my previous post, the same config is working fine on another 1841 router.


Regards,

Naidu.

Jennifer Halim Tue, 04/13/2010 - 03:39

I see that you are running OSPF as the routing protocol. Please make sure that the internal router has a route for the ip pool subnet (192.168.10.0/24) towards the VPN router (fa0/1 - 192.168.99.11).


Alternatively, you can configure "reverse-route" on your vpn client group policy and redistribute static in your OSPF, and that will automatically redistribute the pool to the internal routers once a vpn client is connected.
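As an added illustration that is not part of the original thread, the following IOS configuration puts together the two things discussed above: the NAT exemption Jennifer asked about in the earlier replies, and the reverse-route injection plus OSPF redistribution from the last reply. It is not the poster's attached config. The group name, pre-shared key placeholder, AAA list names, transform set, interface roles and the choice of the 192.168.10.0/24 pool subnet (taken from the later post) are assumptions; the thread's sanitized public pool is replaced by interface overload for the same reason. The split-tunnel networks are the ones in the poster's ACL 2001. The NONAT ACL posted in the thread shows deny entries for only two of those four networks; whether the other two were elided by sanitisation is not visible, so the example exempts all four, because any internal network that is not exempted towards the pool has its replies translated and never matches the IPsec SA. In this example "reverse-route" is placed on the dynamic crypto map entry, which is where IOS accepts it.

```cisco
! Added example, not the thread's configuration. Names, key placeholder and
! the 192.168.10.0/24 pool subnet are assumptions for illustration.
aaa new-model
aaa authentication login VPN-AUTH local
aaa authorization network VPN-AUTHZ local
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group GBIT-GROUP
 key <group-pre-shared-key>
 pool GBIT
 acl 2001
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! reverse-route lives on the dynamic crypto map entry: when a client connects,
! IOS injects a /32 static route for the assigned pool address.
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route
!
crypto map CM client authentication list VPN-AUTH
crypto map CM isakmp authorization list VPN-AUTHZ
crypto map CM client configuration address respond
crypto map CM 10 ipsec-isakmp dynamic DYN
!
interface FastEthernet0/0
 description outside (public side, assumed)
 ip nat outside
 crypto map CM
!
interface FastEthernet0/1
 description inside, 192.168.99.11 as in the thread
 ip nat inside
!
! Pool must be a subnet used nowhere else in the network
ip local pool GBIT 192.168.10.200 192.168.10.250
!
! Split-tunnel ACL: the networks the client reaches through the tunnel
access-list 2001 permit ip 10.13.0.0 0.0.255.255 any
access-list 2001 permit ip 10.12.1.0 0.0.0.255 any
access-list 2001 permit ip 10.246.0.0 0.0.255.255 any
access-list 2001 permit ip 10.28.0.0 0.0.255.255 any
!
! NAT exemption: every network in ACL 2001 is denied towards the pool so the
! return traffic keeps its real source and matches the client's IPsec SA.
ip access-list extended NONAT
 deny   ip 10.13.0.0 0.0.255.255 192.168.10.0 0.0.0.255
 deny   ip 10.12.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 10.246.0.0 0.0.255.255 192.168.10.0 0.0.0.255
 deny   ip 10.28.0.0 0.0.255.255 192.168.10.0 0.0.0.255
 permit ip 10.0.0.0 0.255.255.255 any
!
route-map nonat permit 10
 match ip address NONAT
!
! Interface overload used here instead of the thread's sanitized public pool
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
! The injected /32 routes are static; redistribute them so the internal OSPF
! routers learn to send pool-bound traffic back to this router.
router ospf 1
 network 192.168.99.0 0.0.0.255 area 0
 redistribute static subnets
```

To check it once a client is connected: "show ip route static" should list a /32 for the assigned pool address pointing at the outside interface, "show ip nat translations" should show no entries whose inside local address is one of the split-tunnel networks talking to 192.168.10.x, and the encaps/decaps counters in "show crypto ipsec sa" should both increase when the client pings an inside host. Without reverse-route, the static route for the whole pool that Jennifer suggested earlier, redistributed the same way, serves the same purpose.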
