Cannot access all subnets while connected by VPN

Answered Question
Sep 23rd, 2010
I am a total newbie when it comes to cisco and routing, so forgive me if this has been answered before.


We have a cisco 2821 router that is supporting VPN connections. Our LAN is a /22 (255.255.252.0): xxx.xxx.0.0, xxx.xxx.1.0, xxx.xxx.2.0 and xxx.xxx.3.0 subnets. I can connect through VPN and I can access my xxx.xxx.1.0 subnet with no problems. However, I cannot access the xxx.xxx.2.0 and xxx.xxx.3.0 subnets.


I don't even know where to start. I have seen similar threads, but I need it "dumbed down" for me. Preferably solutions that I can apply through the SDM. I am terrible with the CLI.


Thank you for any help provided!! :-)

Diego Armando C... Thu, 09/23/2010 - 14:12

What kind of VPN is it? A site-to-site VPN? Check the ACL for the interesting traffic and your no-nat. If it's a remote VPN that uses a VPN client then check the ACL for split tunnel. Post the current config, that way we will be able to help you.

jemini0415 Thu, 09/23/2010 - 16:31

Please see attached running config. It appears that we are using EasyVPN server. We use the cisco client to connect. My guess is that ACL 199 is the one that is constraining the subnet access, however I don't quite understand the format. Thank you for your help!!!!

Correct Answer
Diego Armando C... Fri, 09/24/2010 - 07:36

Here it is


access-list 199 permit ip 10.1.0.0 0.0.1.255 10.1.255.0 0.0.0.255


Your clients are getting the address pool of 10.1.255.0 0.0.0.255.


To permit access to any other network in your LAN from the VPN client:


access-list 199 permit ip    10.1.255.0 0.0.0.255


You will have to add the same lines that you add in ACL 199 to ACL 104, but with the deny action, since you are using NAT:


access-list 104 deny   ip 10.1.0.0 0.0.1.255 10.1.255.0 0.0.0.255


Notice that you are using a deny, and that is to tell the router to do NO NAT on that traffic.




I hope it helps.. Let me know

jemini0415 Fri, 09/24/2010 - 09:05

Ok, I have been studying inverse masks on the cisco site and I think I am understanding some of this. Since I want to give access to all 4 subnets couldn't I just change the existing ACL from:

access-list 199 permit ip 10.1.0.0 0.0.1.255 10.1.255.0 0.0.0.255


To:

access-list 199 permit ip 10.1.0.0 0.0.3.255 10.1.255.0 0.0.0.255


This should permit access to 10.1.0.0-10.1.3.255


I understand that I can add an ACL for each individual subnet but I don't need that much granularity. What is the best practice??


Thanks for your help!!!!

Diego Armando C... Mon, 09/27/2010 - 08:54

You need to be as granular as possible, so be careful with the ACLs. If you are going to permit access to only 3 or 4 networks, go ahead and add 3 or 4 ACL entries.

Remember the exception in the route map for the NAT.
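The two points the thread turns on (what a wildcard/inverse mask such as 0.0.1.255 versus 0.0.3.255 actually covers, and that every split-tunnel permit in ACL 199 needs a matching NAT-exemption deny in ACL 104) can be checked mechanically. This is an added example, not code from the thread or from Cisco; the sample ACL lines are constructed from the entries quoted above, with an assumed extra entry for the 10.1.2.0/23 half of the LAN.

```python
# Added example (not from the thread): parse Cisco-style extended ACL entries
# with wildcard (inverse) masks, show the address range an entry covers, and
# report split-tunnel permits that lack a matching NAT-exemption deny.
import ipaddress
import re

# Matches "access-list <n> permit|deny ip <src> <src-wild> <dst> <dst-wild>".
ACE_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)

def parse_ace(line):
    """Return (acl, action, (src, src_wild), (dst, dst_wild)) or None."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    acl, action, src, sw, dst, dw = m.groups()
    return acl, action, (src, sw), (dst, dw)

def wildcard_matches(addr, network, wildcard):
    """Wildcard mask semantics: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def wildcard_range(network, wildcard):
    """First and last address covered by a contiguous wildcard mask."""
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(n & ~w)), str(ipaddress.IPv4Address(n | w))

def missing_nat_exemptions(config_lines, split_acl="199", nat_acl="104"):
    """Permits in the split-tunnel ACL with no equal deny in the NAT ACL."""
    entries = [e for e in map(parse_ace, config_lines) if e]
    permits = [(s, d) for acl, act, s, d in entries
               if acl == split_acl and act == "permit"]
    denies = {(s, d) for acl, act, s, d in entries
              if acl == nat_acl and act == "deny"}
    return [p for p in permits if p not in denies]

# Constructed sample: the first and third lines are quoted in the thread; the
# second is an assumed entry for the 10.1.2.0/23 half, deliberately left
# without its NAT-exemption deny so the check has something to find.
SAMPLE_CONFIG = [
    "access-list 199 permit ip 10.1.0.0 0.0.1.255 10.1.255.0 0.0.0.255",
    "access-list 199 permit ip 10.1.2.0 0.0.1.255 10.1.255.0 0.0.0.255",
    "access-list 104 deny   ip 10.1.0.0 0.0.1.255 10.1.255.0 0.0.0.255",
]
```

Running `wildcard_range("10.1.0.0", "0.0.1.255")` gives 10.1.0.0 to 10.1.1.255, which is why the .2 and .3 subnets were unreachable, while `0.0.3.255` covers 10.1.0.0 to 10.1.3.255; `missing_nat_exemptions(SAMPLE_CONFIG)` flags the 10.1.2.0 entry that still needs its `deny` in ACL 104.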

jemini0415 Mon, 09/27/2010 - 09:09

OK, I just wanted to make sure that I understood how the inverse masks work. I have been in IT for several years but most of the time the routers were already set up. I have worked mostly for small companies so we usually just had one subnet. It's a testament to the reliability of the cisco products, I haven't learned anything because they rarely break! :-)  Oops...did I just jinx myself??


Thank you for the time you took in answering my question!!
