New Member

VPN: one is working, the other is not...

I have several interfaces:

  • outside
  • inside(192.168.0.0/24)
  • wifi(192.168.101.0/24)
  • haklab(10.10.10.0/24)

Currently I have remote access anyconnect users who are able to VPN in and get access to the outside internet and inside devices.

I am trying to add another VPN config to allow users to connect to the haklab resources from the outside. 

Currently they are able to connect to the VPN and access outside resources, but they are unable to see any of the devices on the inside.    

I have created a user, pronto, who should be forced into receiving the mdc3 connection profile, which assigns them an IP address from my DHCP server that is also on that LAN segment. The VPN users are currently receiving an address from DHCP. In my case 10.10.10.20 was assigned to pronto when he VPN'd in.

My goal is to determine why pronto can't access any of the devices on the haklab interface.

Here is the full config:

https://gist.github.com/3333437

ASDM VIEW ACCESS: just PM me and I'll create an account.

relevant snippets:

object network MDC3_VPN
 subnet 10.10.10.200 255.255.255.248
access-list haklab_access_in extended permit ip object MDC3_VPN interface HAKlab
ip local pool mdc3_VPN 10.10.10.200-10.10.10.240 mask 255.255.255.0
nat (inside,outside) source static HAK_LAB HAK_LAB destination static MDC3_VPN MDC3_VPN
nat (outside,outside) after-auto source dynamic MDC3_VPN interface
username pronto password xxxxxxxx encrypted
username pronto attributes
 vpn-group-policy mdc3_policy
 group-lock value mdc3
 service-type remote-access
 webvpn
  anyconnect profiles value MDC3 type user
anyconnect profiles MDC3 disk0:/mdc3.xml
tunnel-group mdc3 type remote-access
tunnel-group mdc3 general-attributes
 address-pool mdc3_VPN
 default-group-policy mdc3_policy
 dhcp-server subnet-selection 10.10.10.25
tunnel-group mdc3 webvpn-attributes
 group-alias mdc3 enable
group-policy mdc3_policy internal
group-policy mdc3_policy attributes
 wins-server none
 dns-server value 10.10.10.25 4.2.2.2
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value mdc3.net
 webvpn
  anyconnect profiles value MDC3 type user
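A quick sanity check of the address relationships in the snippet above, added here as an example and not part of the original thread. It parses the object network subnet and the local pool from a constructed excerpt of the posted lines (names and addresses exactly as given) and reports whether a client address, here the 10.10.10.20 the poster says DHCP assigned, and the whole pool fall inside the object that the ACL and the NAT exemption reference.

```python
import ipaddress
import re

# Constructed excerpt of the lines posted in the question (names/addresses as given there).
ASA_SNIPPET = """\
object network MDC3_VPN
 subnet 10.10.10.200 255.255.255.248
access-list haklab_access_in extended permit ip object MDC3_VPN interface HAKlab
ip local pool mdc3_VPN 10.10.10.200-10.10.10.240 mask 255.255.255.0
nat (inside,outside) source static HAK_LAB HAK_LAB destination static MDC3_VPN MDC3_VPN
"""


def parse_object_subnets(config):
    """Map each 'object network NAME' block that carries a 'subnet' line to an IPv4Network."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)\s*$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)\s*$", line)
        if m and current:
            # ASA writes "address dotted-mask"; ipaddress accepts "address/dotted-mask".
            objects[current] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
    return objects


def parse_local_pools(config):
    """Map each 'ip local pool NAME first-last' line to a (first, last) address pair."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.MULTILINE):
        pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                             ipaddress.IPv4Address(m.group(3)))
    return pools


def check_vpn_client(config, object_name, pool_name, client_ip):
    """Report whether the client address and the pool addresses sit inside the object."""
    net = parse_object_subnets(config)[object_name]
    first, last = parse_local_pools(config)[pool_name]
    pool_addrs = [ipaddress.IPv4Address(i) for i in range(int(first), int(last) + 1)]
    outside = [a for a in pool_addrs if a not in net]
    return {
        "object": str(net),  # /29 from the posted mask covers 8 addresses
        "client_in_object": ipaddress.IPv4Address(client_ip) in net,
        "pool_addresses_outside_object": len(outside),
    }


if __name__ == "__main__":
    # 10.10.10.20 is the address the poster reports DHCP handed to user pronto.
    print(check_vpn_client(ASA_SNIPPET, "MDC3_VPN", "mdc3_VPN", "10.10.10.20"))
```

The output shows that neither the DHCP-assigned 10.10.10.20 nor most of the pool range lies within the /29 that MDC3_VPN defines, which is the object the ACL entry and the NAT exemption match on.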

1 REPLY
Cisco Employee

Hi Daniel.

I am trying to figure out what you are trying to achieve with this ACL:

"access-list haklab_access_in extended permit ip object MDC3_VPN interface HAKlab"

Why not use the below, since you want to access all resources behind HAKlab?

access-list haklab_access_in extended permit ip object MDC3_VPN any

HTH

Zubair
