New Member

VPN client can't get to inside network

The VPN client connects to the 2600 on the serial interface and should be able to get to the 10.10.0.0 network beyond 192.168.1.14. From the client, a ping replies back from the outside serial interface address, failing.

8 REPLIES

Re: VPN client can't get to inside network

the below entry of your access-list bypasses NAT for 10.10.1.0/24 to 192.168.100.0/24 only ... is this what you want ... or do you want to bypass for 10.0.0.0/8 ..?

access-list 100 deny ip 10.10.1.0 0.0.0.255 192.168.100.0 0.0.0.255

if you need access to the whole 10.0.0.0/16 range then you need to add

access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.100.0 0.0.0.255

but you also need to make sure that all your networks know the way back to the range allocated to the remote clients .. which I am assuming is 192.68.100.0/24

I hope it helps ..please rate it if it does ..
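An added example, not part of the reply above and not the poster's code: it applies Cisco wildcard-mask matching to the two access-list 100 entries quoted in that reply, to show which inside sources each entry covers toward the VPN client range. The function names and the three inside host addresses are assumptions constructed for illustration; 192.168.100.7 is the client address mentioned in this thread.

```python
import ipaddress
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    action: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def parse_entry(line: str) -> Entry:
    # Only the form used in this thread is handled:
    # access-list <n> <permit|deny> ip <src> <src-wildcard> <dst> <dst-wildcard>
    tok = line.split()
    if (len(tok) != 8 or tok[0] != "access-list"
            or tok[2] not in ("permit", "deny") or tok[3] != "ip"):
        raise ValueError(f"unsupported ACL line: {line!r}")
    return Entry(tok[2], *(_ip(t) for t in tok[4:8]))

def _covers(base: int, wild: int, addr: int) -> bool:
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the base.
    return ((base ^ addr) & ~wild & 0xFFFFFFFF) == 0

def first_match(acl: list[str], src: str, dst: str) -> Optional[Entry]:
    # ACLs are evaluated top-down; the first matching entry decides.
    s, d = _ip(src), _ip(dst)
    for line in acl:
        e = parse_entry(line)
        if _covers(e.src, e.src_wild, s) and _covers(e.dst, e.dst_wild, d):
            return e
    return None  # no explicit entry matched

# The two entries quoted in the reply above.
NARROW = ["access-list 100 deny ip 10.10.1.0 0.0.0.255 192.168.100.0 0.0.0.255"]
WIDE = ["access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.100.0 0.0.0.255"]

CLIENT = "192.168.100.7"                          # client address from the thread
HOSTS = ["10.10.1.5", "10.11.0.9", "10.13.2.9"]   # constructed inside hosts

def coverage(acl: list[str]) -> dict[str, bool]:
    # True where an explicit entry matches traffic from the host to the client.
    return {h: first_match(acl, h, CLIENT) is not None for h in HOSTS}

if __name__ == "__main__":
    print("narrow:", coverage(NARROW))
    print("wide:  ", coverage(WIDE))
```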

New Member

Re: VPN client can't get to inside network

Thanks for the note on the 10.10 net. I may want to make some adjustment there. The VPN client can connect to anything in the DMZ 192.168.1.0/28 but when the client tries to go to the 10.10.1.0/24 it routes to the external serial interface instead of attempting to find 10.10.1.0/24 thru the DMZ across the 192.168.1.0/28. The route print on the client shows a route to the 10.10.1.x thru the local interface. The router can ping 10.10.1.x. Seems to me the VPN to router routing is not working properly. It should route the request from the VPN client out the 192.168.1.1 interface thru the DMZ. Any ideas?

Re: VPN client can't get to inside network

Can I suggest removing the access-list acl 158 from the crypto isakmp client configuration part just for testing and try connecting again .. also can you post the output of your 'ipconfig /all' and 'route print' on the client once connected.

New Member

Re: VPN client can't get to inside network

Attached is the ipconfig and route print. On the inside network beyond the DMZ is a 10.10.0.0/16, 10.13.0.0/16, and 10.11.0.0/16.

Re: VPN client can't get to inside network

Cool ... can you please add the below entry on your access-list 120 ...

access-list 120 permit ip 192.168.100.0 0.0.0.255 10.0.0.0 0.255.255.255

I hope it helps ... please rate it if it does !!!

Re: VPN client can't get to inside network

If you are still having problems .. can you check that there is a static route for 192.168.100.0/24 on router 192.168.1.14 and initiate a tracert from a host on the 10.10.X.X network to 192.168.100.7 and see how far it goes .. your tests show that the VPN client knows how to get to that subnet but it looks like there is a routing issue between 10.X.X.X going to 192.168.100.0

I hope it helps !!!

New Member

Re: VPN client can't get to inside network

Thanks for the help. Your suggestions fixed the problem. I did a little extra cleanup of ACLs and added some VPN config settings for DNS etc and now it is working great.

Thanks again!

Re: VPN client can't get to inside network

great news !!
