VPN client can't get to inside network

djccisco
Level 1

The VPN client connects to the 2600 on the serial interface and should be able to get to the 10.10.0.0 network beyond 192.168.1.14. From the client, a ping replies back from the outside serial interface address, failing.

1 Accepted Solution

If you are still having problems, can you check that there is a static route for 192.168.100.0/24 on router 192.168.1.14, then initiate a tracert from a host on the 10.10.X.X network to 192.168.100.7 and see how far it goes? Your tests show that the VPN client knows how to get to that subnet, but it looks like there is a routing issue between 10.X.X.X going to 192.168.100.0.

I hope it helps !!!

8 Replies

Fernando_Meza
Level 7

The below entry of your access-list bypasses NAT for 10.10.1.0/24 to 192.168.100.0/24 only ... is this what you want, or do you want to bypass for 10.0.0.0/8?

access-list 100 deny ip 10.10.1.0 0.0.0.255 192.168.100.0 0.0.0.255

If you need access to the whole 10.0.0.0/16 range then you need to add

access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.100.0 0.0.0.255

But you also need to make sure that all your networks know the way back to the range allocated to the remote clients, which I am assuming is 192.68.100.0/24.

I hope it helps ..please rate it if it does ..

Thanks for the note on the 10.10 net. I may want to make some adjustment there. The VPN client can connect to anything in the DMZ 192.168.1.0/28, but when the client tries to go to the 10.10.1.0/24 it routes to the external serial interface instead of attempting to find 10.10.1.0/24 thru the DMZ across the 192.168.1.0/28. The route print on the client shows a route to the 10.10.1.x thru the local interface. The router can ping 10.10.1.x. Seems to me the VPN to router routing is not working properly. It should route the request from the VPN client out the 192.168.1.1 interface thru the DMZ. Any ideas?

Can I suggest removing the access-list acl 158 from the crypto isakmp client configuration part just for testing and try connecting again .. also can you post the output of your 'ipconfig /all' and 'route print' on the client once connected.

Attached is the ipconfig and route print. On the inside network beyond the DMZ is a 10.10.0.0/16, 10.13.0.0/16, and 10.11.0.0/16.

Cool ... can you please add the below entry on your access-list 120 ...

access-list 120 permit ip 192.168.100.0 0.0.0.255 10.0.0.0 0.255.255.255

I hope it helps ... please rate it if it does !!!

Thanks for the help. Your suggestions fixed the problem. I did a little extra cleanup of ACLs and added some VPN config settings for DNS etc and now it is working great.

Thanks again!

great news !!
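
Added example, not part of the original thread: a first-match evaluation of the two access-list 100 NAT-bypass entries quoted above, showing which inside networks each wildcard mask actually exempts toward the VPN client 192.168.100.7. The trailing permit entry and the inside host addresses are constructed assumptions, since the rest of the router configuration is not shown in the thread.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_entry(line):
    """Parse 'access-list N permit|deny ip SRC SWILD DST DWILD' only."""
    f = line.split()
    if len(f) != 8 or f[0] != "access-list" or f[2] not in ("permit", "deny") or f[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    return f[2], (f[4], f[5]), (f[6], f[7])

def first_match(acl, src, dst):
    """Action of the first matching entry; None means the implicit deny."""
    for line in acl:
        action, s, d = parse_entry(line)
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action
    return None

def nat_exempt(acl, src, dst):
    """In a NAT ACL, 'deny' (or no match) means the flow is not translated."""
    return first_match(acl, src, dst) != "permit"

# Assumption: a constructed catch-all permit that sends inside traffic to NAT.
PERMIT_REST = "access-list 100 permit ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255"
NARROW = ["access-list 100 deny ip 10.10.1.0 0.0.0.255 192.168.100.0 0.0.0.255", PERMIT_REST]
WIDE = ["access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.100.0 0.0.0.255", PERMIT_REST]

# Constructed inside hosts, one per network mentioned in the thread.
HOSTS = ["10.10.1.20", "10.10.5.20", "10.11.0.20", "10.13.0.20"]
CLIENT = "192.168.100.7"  # VPN client address used in the thread's tracert test

def report(acl):
    """Map each inside host to True if its traffic to CLIENT bypasses NAT."""
    return {h: nat_exempt(acl, h, CLIENT) for h in HOSTS}

if __name__ == "__main__":
    for name, acl in (("narrow", NARROW), ("wide", WIDE)):
        print(name, report(acl))
```

With the narrow entry only 10.10.1.0/24 is exempted, so replies from the other inside networks to the client pool would be translated before reaching the tunnel.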
