VPN CLIENT CAN'T ACCESS INTERNAL NETWORK

r.kate
Level 1

Hi ,

I can connect to my PIX 515 over IPsec/L2TP using Win2k and get an internal IP address. The client is connecting to an ISP and then building a VPN to the PIX. The PIX has a single global IP, say 200.200.200.4, and an internal IP, say 10.100.100.4, and has a default route to the internet on the outside to a router, say 200.200.200.1. The office internal network connects to the internet using a router whose internal interface is, say, 10.100.100.251 and whose external interface is 200.200.200.23, and eventually routes packets to 200.200.200.1 and on to the internet.

I have the following statements in the PIX config.

sysopt connection permit-ipsec

sysopt connection permit-l2tp

nat (inside) 0 access-list 90

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 200.200.200.1 1

access-list 90 permit ip 10.0.0.0 255.255.255.0 10.100.100.1.0 255.255.255.0

The only problem is I can't access anything from the VPN client. Any help appreciated. The type of access I am looking at is as if the client was on the inside.

Thanks

Raj

3 Replies

ajagadee
Cisco Employee

Hi,

What is the range of IP addresses that you are assigning to the remote users? For example, if you assign a range 192.168.1.x/24, then your access-list 90 will look like:

nat (inside) 0 access-list 90

access-list 90 permit ip 10.100.100.0 255.255.255.0 192.168.1.0 255.255.255.0

Where,

10.100.100.x/24 is your internal subnet

192.168.1.x/24 is the pool of ip addresses assigned to clients.

And also make sure that your internal routing knows that it has to send the packets to the pix for the 192.168.1.x/24 subnet.

Regards,

Arul

Hi Arul ,

I am assigning 10.100.100.118-10.100.100.190 as the pool for the clients, and 10.100.100.xx is the internal pool.

With the way things are, internal routing knows how to send packets to a router whose internal interface is 10.100.100.251 and external is 200.200.200.253.

How can I do this without disturbing existing routing?

Thanks

Raj

Hi Raj,

In this case, you can assign a different pool for your remote users and add a route on the router to send it to the pix for the pool that you define. This will make life easier.

Regards,

Arul
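Putting the thread's advice into a quick check, as an added example that is not part of the original posts: the client pool should sit outside the inside subnet, the nat 0 access-list lists the inside subnet as source and the pool as destination, and the inside router gets a static route for the pool pointing at the PIX inside address. The inside subnet, PIX inside address and 192.168.1.x pool are the thread's values; the pool name and the check itself are assumptions of this example, and the generated lines are PIX 6.x / IOS syntax to be verified against your own platform.

```python
import ipaddress


def covering_network(first, last):
    """Smallest single prefix that contains the whole first-last range."""
    net = ipaddress.ip_network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net


def check_vpn_pool(inside_net, pool_first, pool_last, pix_inside_ip,
                   acl_id=90, pool_name="vpnpool"):
    """Return (problems, config_lines) for a PIX L2TP/IPsec client pool.

    Checks the points raised in the thread: the pool must not overlap the
    inside subnet, nat 0 must exempt inside->pool traffic from NAT, and the
    inside router needs a static route for the pool via the PIX inside IP.
    """
    inside = ipaddress.ip_network(inside_net, strict=True)
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    pix_ip = ipaddress.ip_address(pix_inside_ip)
    if last < first:
        raise ValueError("pool range is reversed")

    problems = []
    if pix_ip not in inside:
        problems.append(f"PIX inside address {pix_ip} is not in {inside}")
    pool = covering_network(first, last)
    if pool.overlaps(inside):
        problems.append(
            f"client pool {first}-{last} overlaps inside subnet {inside}; "
            "use a separate pool so the inside router can route it to the PIX")

    pix_cfg = [
        f"ip local pool {pool_name} {first}-{last}",   # pool name is made up
        f"nat (inside) 0 access-list {acl_id}",
        # inside subnet as source, client pool as destination (Arul's ordering)
        f"access-list {acl_id} permit ip {inside.network_address} {inside.netmask} "
        f"{pool.network_address} {pool.netmask}",
    ]
    # Static route on the inside router (10.100.100.251 in the thread) so
    # replies for the pool are sent to the PIX rather than the default gateway.
    router_cfg = [f"ip route {pool.network_address} {pool.netmask} {pix_ip}"]
    return problems, pix_cfg + router_cfg
```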