05-02-2006 01:47 PM - edited 02-21-2020 02:23 PM
The VPN client connects to the 2600 on the serial interface, should be able to get to the 10.10.0.0 network beyond 192.168.1.14. From the client a ping replies back from the outside serial interface address failing.
05-02-2006 05:56 PM
the below entry of your access-list bypasses NAT for 10.10.1.0/24 to 192.168.100.0/24 only ... is this what you want ... or do you want to bypass for 10.0.0.0/8 ..?
access-list 100 deny ip 10.10.1.0 0.0.0.255 192.168.100.0 0.0.0.255
if you need access to the whole 10.0.0.0/16 range then you need to add
access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.100.0 0.0.0.255
but you also need to make sure that all your networks know the way back to the range allocated to the remote clients .. I am assuming it is 192.68.100.0/24
I hope it helps ..please rate it if it does ..
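The difference between the two access-list 100 entries quoted in the post above comes down to wildcard-mask matching; the following is an added example, not part of the original thread. It assumes ACL 100 is a NAT ACL in which "deny" exempts traffic from translation, as the post describes; the permit entry and the inside host addresses are constructed for illustration.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    # IOS wildcard mask: 0 bits must match, 1 bits are ignored.
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def parse_ace(line):
    # Handles only: access-list N permit|deny ip SRC WILDCARD DST WILDCARD
    # ("any" is expanded to its equivalent 0.0.0.0 255.255.255.255).
    tok = line.replace(" any", " 0.0.0.0 255.255.255.255").split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    if tok[2] not in ("permit", "deny"):
        raise ValueError(f"unknown action: {tok[2]!r}")
    return tok[2], (tok[4], tok[5]), (tok[6], tok[7])

def first_match(acl, src, dst):
    # Entries are evaluated top-down; the first match decides.
    for line in acl:
        action, s, d = parse_ace(line)
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action
    return "deny"  # implicit deny at the end of every ACL

def is_translated(acl, src, dst):
    # In a NAT ACL, "permit" selects traffic for translation; "deny" exempts it.
    return first_match(acl, src, dst) == "permit"

NAT_PERMIT = "access-list 100 permit ip 10.0.0.0 0.255.255.255 any"  # constructed
ORIGINAL = ["access-list 100 deny ip 10.10.1.0 0.0.0.255 192.168.100.0 0.0.0.255",
            NAT_PERMIT]
WIDENED = ["access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.100.0 0.0.0.255",
           NAT_PERMIT]
VPN_CLIENT = "192.168.100.7"  # client-pool address mentioned later in the thread

if __name__ == "__main__":
    for host in ("10.10.1.20", "10.10.5.20"):  # constructed inside hosts
        for name, acl in (("original", ORIGINAL), ("widened", WIDENED)):
            state = "translated" if is_translated(acl, host, VPN_CLIENT) else "exempt"
            print(f"{host} -> {VPN_CLIENT} [{name}]: {state}")
```

With the original entry, only hosts in 10.10.1.0/24 are exempt when replying to the client pool; any other 10.x host falls through to the translating entry.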
05-03-2006 06:37 AM
Thanks for the note on the 10.10 net. I may want to make some adjustment there. The VPN client can connect to anything in the DMZ 192.168.1.0/28 but when the client tries to go to the 10.10.1.0/24 it routes to the external serial interface instead of attempting to find 10.10.1.0/24 thru the DMZ across the 192.168.1.0/28. The route print on the client shows a route to the 10.10.1.x thru the local interface. The router can ping 10.10.1.x. Seems to me the VPN to router routing is not working properly. It should route the request from the VPN client out the 192.168.1.1 interface thru the DMZ. Any ideas?
05-03-2006 04:57 PM
Can I suggest removing the access-list acl 158 from the crypto isakmp client configuration part just for testing and try connecting again .. also can you post the output of your 'ipconfig /all' and 'route print' on the client once connected.
05-04-2006 10:25 AM
05-04-2006 04:33 PM
Cool ... can you please add the below entry on your access-list 120 ...
access-list 120 permit ip 192.168.100.0 0.0.0.255 10.0.0.0 0.255.255.255
I hope it helps ... please rate it if it does !!!
05-04-2006 04:43 PM
If you are still having problems .. can you check that there is a static route for 192.168.100.0/24 on router 192.168.1.14 and initiate a tracert from a host on the 10.10.X.X network to 192.168.100.7 and see how far it goes .. your tests show that the VPN client knows how to get to that subnet but it looks like there is a routing issue between 10.X.X.X going to 192.168.100.0
I hope it helps !!!
05-05-2006 11:15 AM
Thanks for the help. Your suggestions fixed the problem. I did a little extra cleanup of ACLs and added some VPN config settings for DNS etc and now it is working great.
Thanks again!
05-06-2006 01:40 PM
great news !!