Cisco Support Community

New Member

accessing other subnets (VPN client)

I have a working VPN tunnel. I can access only the local LAN connected to the PIX inside interface. WINS is working fine and I can browse using NetBIOS. The issue I have is that I cannot access other networks or subnets besides the one that is connected to the PIX. How can I fix this and access the other networks?

Thanks in advance

11 REPLIES
Silver

Re: accessing other subnets (VPN client)

Please explain your topology (how are those other subnets routed to the PIX?). Also, post your crypto ACLs. It could be that you just need to edit your crypto ACLs to include the other subnets.

New Member

Re: accessing other subnets (VPN client)

I have a 3640 with 2 Ethernet interfaces, 5 WAN connections, default gateway pointing to the PIX inside interface, and running RIP v1. The PIX sees all of the different subnets via RIP. As far as crypto, can you elaborate some more?

Thanks

Silver

Re: accessing other subnets (VPN client)

There are access control lists (ACLs) that are used in crypto map statements to determine which traffic must be encrypted.

Post your PIX config, but remove the password lines. Let us know what subnets you would like the VPN clients to be able to access.

New Member

Re: accessing other subnets (VPN client)

Here is the config. Need access to the following subnets: 192.168.10.0 - 192.168.60.0.

access-list vpn_clients permit ip 192.168.0.0 255.255.255.0 192.168.7.0 255.255.255.0

nat (inside) 0 access-list vpn_clients

:

ip local pool vpn_clients_mis 192.168.7.1-192.168.7.30

:

sysopt connection permit-ipsec

crypto ipsec transform-set bscuset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 20 set transform-set bscuset

:

crypto map bscumap 30 ipsec-isakmp dynamic dynmap

crypto map bscumap interface outside

:

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 8640

:

vpngroup vpn_mis address-pool vpn_clients_mis

vpngroup vpn_mis dns-server 192.168.0.43

vpngroup vpn_mis wins-server 192.168.0.80

vpngroup vpn_mis default-domain *******

vpngroup vpn_mis idle-time 1800

vpngroup vpn_mis password **********

Silver

Re: accessing other subnets (VPN client)

Your access-list vpn_clients only includes 192.168.0.0/24, so traffic returning from 192.168.10.0/24 and 192.168.60.0/24 to VPN clients would be NATted, and that might break things. You should try adding:

access-list vpn_clients permit ip 192.168.10.0 255.255.255.0 192.168.7.0 255.255.255.0

to your config, and then have a VPN test user try accessing resources on the 192.168.10.0 network. If that works, then you will need to add additional lines to the vpn_clients ACL to disable NAT selectively.
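A worked version of the fix proposed in the reply above, written for this page as an added example; it is not configuration from the original thread. It assumes the VPN pool is 192.168.7.0/24 (the "ip local pool" in the posted config), that the ACL is referenced by "nat (inside) 0" as posted, and that the target networks are /24s between 192.168.10.0 and 192.168.60.0 (only those two endpoints are named in the thread, so only those two appear as individual lines). The split-tunnel lines at the end are an assumption: the posted config shows no "vpngroup ... split-tunnel" line, but a client listing only 192.168.0.0/24 as a "secured network" is the behaviour seen when split tunneling is on and the split ACL names only that network.

```cisco
! Added example, not from the original thread.
! NAT exemption for traffic between the internal networks and the VPN
! client pool 192.168.7.0/24. Without a matching line, replies from a
! subnet back to a client are NATted and the client never sees them.
!
! Option 1: one line per internal /24 the clients must reach.
! Assumption: the subnets between 192.168.10.0 and 192.168.60.0 are /24s;
! only the two named in the thread are shown, add one line per subnet.
access-list vpn_clients permit ip 192.168.0.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list vpn_clients permit ip 192.168.10.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list vpn_clients permit ip 192.168.60.0 255.255.255.0 192.168.7.0 255.255.255.0
!
! Option 2 (instead of the per-subnet lines): one summary covering
! 192.168.0.0 - 192.168.63.255, which contains every subnet in the range.
! It also covers the pool itself, which is harmless for a NAT exemption.
! access-list vpn_clients permit ip 192.168.0.0 255.255.192.0 192.168.7.0 255.255.255.0
!
! Either option is consumed by the existing identity-NAT statement:
nat (inside) 0 access-list vpn_clients
!
! Assumption: if the vpngroup uses split tunneling (no such line is in
! the posted config), the split ACL decides which networks the client
! shows as "secured"; reusing the same ACL keeps both lists in step.
vpngroup vpn_mis split-tunnel vpn_clients
```

After changing the exemption ACL, run "clear xlate" so translations built under the old rules are dropped, and have the test user disconnect and reconnect so the client downloads the updated network list; "sysopt connection permit-ipsec" is already present in the posted config, so no interface ACL change is needed for the decrypted traffic.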

New Member

Re: accessing other subnets (VPN client)

I added the other subnets. I am only seeing the 192.168.0.0/24 network as a secured network, not the others I added.

Silver

Re: accessing other subnets (VPN client)

Try re-entering "isakmp enable outside"; sometimes you need to force the PIX to reread the configuration for it.

New Member

Re: accessing other subnets (VPN client)

FYI

When I entered "nat 0 access-list no_nat", I got this message: "access-list protocol or port will not be used". "sh ru" displays the command.

New Member

Re: accessing other subnets (VPN client)

I had posted the config. What do you think?

New Member

Re: accessing other subnets (VPN client)

On your inside router, do you have a route back to the PIX for the VPN traffic?

New Member

Re: accessing other subnets (VPN client)

Yes, they share interfaces in the same subnet (192.168.0.0/24) and the router's default gateway is the PIX's inside interface.

I can see all the other subnets with "sh route" on the PIX via RIP.

From the VPN clients, I can only access 192.168.0.0/24.

Thanks
