Remote lan is not running

Amardeep Kumar
Level 1

Hi,

I have set up a remote-access VPN on a PIX 506e with aaa-server RADIUS. I am able to connect with AD users.

But when I connect to the remote network, my local LAN and the internet work properly, but I cannot access the remote LAN.

Please help

PIX 506e 6.3

access-list outside_20_cryptomap permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list mcstunnel permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

ip local pool mobile1 192.168.5.1-192.168.5.255

aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.1.10 cisco123 timeout 5

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-SHA esp-des esp-md5-hmac
crypto dynamic-map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 10 ipsec-isakmp dynamic outside_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside

isakmp enable outside
isakmp identity address
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400

vpngroup mcsvpn address-pool mobile1
vpngroup mcsvpn dns-server 192.168.1.10
vpngroup mcsvpn wins-server 192.168.1.10
vpngroup mcsvpn default-domain myf.com
vpngroup mcsvpn idle-time 1800
vpngroup mcsvpn password 12345

thanks

Amardeep

1 Accepted Solution

Jennifer Halim
Cisco Employee

When you say you can't access the remote LAN, you mean you can't access the 192.168.1.0/24 network (behind the PIX), right?

Can you share your NAT exemption configuration?

You would need to have the following:

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

nat (inside) 0 access-list nonat

If you already have those, please kindly share the config to see what could be the issue.

Hope that helps.
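The answer above boils down to one check: the VPN pool handed out by the vpngroup must be covered by the access-list that `nat (inside) 0` references, otherwise inside hosts' replies to VPN clients get NATed and the tunnel is silently skipped. The script below is an added illustration, not Cisco's tooling or anything from this thread; it parses a constructed PIX 6.x config fragment (built from the lines posted here plus the two nonat lines from the answer) and reports whether each address pool is NAT-exempt. The interface name `inside` and the regex shapes are assumptions about the config syntax as it appears on this page.

```python
"""Check a PIX 6.x config for the NAT exemption a remote-access VPN pool needs."""
import ipaddress
import re

# Constructed sample: the poster's ACL/pool/vpngroup lines plus the nonat lines
# the accepted answer says are required. Not a real device dump.
SAMPLE_CONFIG = """\
access-list mcstunnel permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
ip local pool mobile1 192.168.5.1-192.168.5.255
nat (inside) 0 access-list nonat
vpngroup mcsvpn address-pool mobile1
"""

ACE_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
GROUP_POOL_RE = re.compile(r"^vpngroup \S+ address-pool (\S+)$")

def parse(config):
    """Collect permit-ip ACEs, local pools, nat 0 statements and pools used by vpngroups."""
    acls, pools, nat0, group_pools = {}, {}, {}, set()
    for line in config.splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := NAT0_RE.match(line):
            nat0[m[1]] = m[2]
        elif m := GROUP_POOL_RE.match(line):
            group_pools.add(m[1])
    return acls, pools, nat0, group_pools

def missing_nat_exemption(config, inside_if="inside"):
    """Return findings as strings; an empty list means every VPN pool is NAT-exempt."""
    acls, pools, nat0, group_pools = parse(config)
    acl_name = nat0.get(inside_if)
    if acl_name is None:
        return [f"no 'nat ({inside_if}) 0 access-list ...' statement"]
    aces = acls.get(acl_name)
    if not aces:
        return [f"access-list {acl_name} referenced by nat 0 has no permit ip entries"]
    findings = []
    for pool in sorted(group_pools):
        if pool not in pools:
            findings.append(f"vpngroup references unknown pool {pool}")
            continue
        first, last = pools[pool]
        # The whole pool range must sit inside the destination of some exempt ACE.
        if not any(first in dst and last in dst for _, dst in aces):
            findings.append(f"pool {pool} ({first}-{last}) is not covered by access-list {acl_name}")
    return findings
```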


3 Replies


Namit Agarwal
Cisco Employee

Hi Amardeep,

Please provide the following info:

1) the use of ACL mcstunnel

2) the NAT config

3) Are you using split tunnelling? Please provide a screenshot of the route details on the VPN client screen after you connect to the VPN.

You can view the route details under Status > Statistics > Route Details.

Regards,

Namit

Thanks

Now this is working. I did not make a good access list. Now this is fine.

Thanks

Amardeep Rana
