Cannot access all subnets while connected by VPN

jemini0415
Level 1
Level 1

I am a total newbie when it comes to cisco and routing, so forgive me if this has been answered before.

We have a Cisco 2821 router that is supporting VPN connections. Our LAN is a /22 (255.255.252.0) made up of the xxx.xxx.0.0, xxx.xxx.1.0, xxx.xxx.2.0 and xxx.xxx.3.0 subnets. I can connect through VPN and I can access my xxx.xxx.1.0 subnet with no problems. However, I cannot access the xxx.xxx.2.0 and xxx.xxx.3.0 subnets.

I don't even know where to start. I have seen similar threads, but I need it "dumbed down" for me. Preferably solutions that I can apply through the SDM. I am terrible with the CLI.

Thank you for any help provided!! :-)

Accepted Solution

Here it is

access-list 199 permit ip 10.1.0.0 0.0.1.255 10.1.255.0 0.0.0.255

Your clients are getting the address pool of 10.1.255.0 0.0.0.255.

To permit access to any other network in your LAN from the VPN client:

access-list 199 permit ip    10.1.255.0 0.0.0.255

You will have to add the same lines that you add to ACL 199 to ACL 104, but with the deny action, since you are using NAT:

access-list 104 deny   ip 10.1.0.0 0.0.1.255 10.1.255.0 0.0.0.255

Notice that you are using a deny; that tells the router to NOT NAT that traffic.

I hope it helps. Let me know.


6 Replies

What kind of VPN is it? A site-to-site VPN? Check the ACL for the interesting traffic and your no-NAT. If it's a remote VPN that uses a VPN client, then check the ACL for split tunnel. Post the current config; that way we will be able to help you.

Please see attached running config. It appears that we are using EasyVPN server. We use the Cisco client to connect. My guess is that ACL 199 is the one that is constraining the subnet access; however, I don't quite understand the format. Thank you for your help!!!!

Ok, I have been studying inverse masks on the cisco site and I think I am understanding some of this. Since I want to give access to all 4 subnets couldn't I just change the existing ACL from:

access-list 199 permit ip 10.1.0.0 0.0.1.255 10.1.255.0 0.0.0.255

To:

access-list 199 permit ip 10.1.0.0 0.0.3.255 10.1.255.0 0.0.0.255

This should permit access to 10.1.0.0-10.1.3.255.

I understand that I can add an ACL entry for each individual subnet, but I don't need that much granularity. What is the best practice??

Thanks for your help!!!!
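As an added illustration (not part of the thread, and not Cisco code), the following Python models IOS wildcard-mask matching and first-match ACL evaluation, then checks the two ACL 199 variants discussed above and the matching no-NAT entry in ACL 104. The client address 10.1.255.20 and the trailing `permit ... any` line in ACL 104 are assumptions for the example.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, network, wildcard):
    """IOS wildcard (inverse) mask: wildcard bit 1 = don't care, 0 = must match."""
    care = ~_ip(wildcard) & MASK32
    return (_ip(addr) & care) == (_ip(network) & care)

def wildcard_range(network, wildcard):
    """First and last address a contiguous wildcard mask covers."""
    first = _ip(network) & ~_ip(wildcard) & MASK32
    last = first | _ip(wildcard)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))

def acl_action(acl, src, dst):
    """First-match evaluation of an extended ACL with the implicit deny at the end.
    Each entry is (action, src_net, src_wc, dst_net, dst_wc)."""
    for action, sn, sw, dn, dw in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"

# Constructed from the thread: the original split-tunnel ACL 199 entry, the
# proposed /22 replacement, and a NAT ACL 104 that still only exempts the
# first two /24s. The final "permit ... any" line in ACL 104 is assumed.
VPN_CLIENT = "10.1.255.20"  # assumed address from the 10.1.255.0/24 pool
ACL199_ORIGINAL = [("permit", "10.1.0.0", "0.0.1.255", "10.1.255.0", "0.0.0.255")]
ACL199_PROPOSED = [("permit", "10.1.0.0", "0.0.3.255", "10.1.255.0", "0.0.0.255")]
ACL104_ORIGINAL = [("deny", "10.1.0.0", "0.0.1.255", "10.1.255.0", "0.0.0.255"),
                   ("permit", "10.1.0.0", "0.0.3.255", "0.0.0.0", "255.255.255.255")]
LAN_HOSTS = ["10.1.0.10", "10.1.1.10", "10.1.2.10", "10.1.3.10", "10.1.4.10"]

def reachable_lan_hosts(split_acl, hosts, client=VPN_CLIENT):
    """LAN hosts whose traffic to the client the split-tunnel ACL permits."""
    return [h for h in hosts if acl_action(split_acl, h, client) == "permit"]

def nat_exempt_mismatch(split_acl, nat_acl, hosts, client=VPN_CLIENT):
    """LAN hosts the split-tunnel ACL permits but the NAT ACL would still
    translate (no matching deny), so return traffic to the client breaks."""
    return [h for h in hosts
            if acl_action(split_acl, h, client) == "permit"
            and acl_action(nat_acl, h, client) != "deny"]
```

Running `nat_exempt_mismatch(ACL199_PROPOSED, ACL104_ORIGINAL, LAN_HOSTS)` shows the 10.1.2.0 and 10.1.3.0 hosts that are permitted by the split tunnel but not yet exempted from NAT, which is the mismatch the accepted answer warns about.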

You need to be as granular as possible, so be careful with the ACLs. If you are going to permit access to only 3 or 4 networks, go ahead and add 3 or 4 ACL entries.

Remember the exception in the route map for the NAT.

OK, I just wanted to make sure that I understood how the inverse masks work. I have been in IT for several years, but most of the time the routers were already set up. I have worked mostly for small companies, so we usually just had one subnet. It's a testament to the reliability of the Cisco products: I haven't learned anything because they rarely break! :-)  Oops...did I just jinx myself??

Thank you for the time you took in answering my question!!
