Cisco Support Community

New Member

VPN CLIENT CANT ACCESS INTERNAL NETWORK

Hi,

I can connect to my PIX 515 over IPsec L2TP using Win2K and get an internal IP address. The client is connecting to an ISP and then building a VPN to the PIX. The PIX has a single global IP, say 200.200.200.4, and an internal IP, say 10.100.100.4, and has a default route to the internet on the outside to a router, say 200.200.200.1. The office internal network connects to the internet using a router whose internal interface is, say, 10.100.100.251 and external is 200.200.200.23, and eventually routes packets to 200.200.200.1 and to the internet.

I have the following statements in the PIX config:

sysopt connection permit-ipsec

sysopt connection permit-l2tp

nat (inside) 0 access-list 90

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 200.200.200.1 1

access-list 90 permit ip 10.0.0.0 255.255.255.0 10.100.100.1.0 255.255.255.0

The only problem is I can't access anything from the VPN client. Any help appreciated. The type of access I am looking for is as if the client were on the inside.

Thanks

Raj

3 REPLIES
Cisco Employee

Re: VPN CLIENT CANT ACCESS INTERNAL NETWORK

Hi,

What is the range of IP addresses that you are assigning to the remote users? For example, if you assign a range 192.168.1.x/24, then your access-list 90 will look like:

nat (inside) 0 access-list 90

access-list 90 permit ip 10.100.100.0 255.255.255.0 192.168.1.0 255.255.255.0

Where,

10.100.100.x/24 is your internal subnet

192.168.1.x/24 is the pool of IP addresses assigned to clients.

Also make sure that your internal routing knows that it has to send the packets for the 192.168.1.x/24 subnet to the PIX.

Regards,

Arul

New Member

Re: VPN CLIENT CANT ACCESS INTERNAL NETWORK

Hi Arul,

I am assigning 10.100.100.118-10.100.100.190 as the pool for the clients, and 10.100.100.xx is the internal pool.

With the way things are, internal routing knows how to send packets to a router whose internal is 10.100.100.251 and external is 200.200.200.253.

How can I do this without disturbing existing routing?

Thanks

Raj

Cisco Employee

Re: VPN CLIENT CANT ACCESS INTERNAL NETWORK

Hi Raj,

In this case, you can assign a different pool for your remote users and add a route on the router to send it to the pix for the pool that you define. This will make life easier.

Regards,

Arul
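The two replies above together describe one fix: pick a client pool that is not carved out of the inside LAN, exempt LAN-to-pool traffic from NAT on the PIX with a `nat 0` access-list, and give the internal router a route for the pool that points at the PIX. The script below is an added example, not code from this thread or from Cisco: it checks whether a proposed pool overlaps the internal subnet (the situation Raj describes, where inside hosts treat client addresses as local instead of sending them to the PIX), and renders the PIX lines from the first reply plus the router route from the second. The 192.168.1.0/24 replacement pool is the one the first reply uses as an example; the internal subnet and the PIX inside address 10.100.100.4 are the sample values from the thread; the `ip route` line assumes an IOS-style internal router, which the thread does not state.

```python
import ipaddress

# Sample values constructed from the thread (not a real deployment).
INTERNAL_SUBNET = ipaddress.ip_network("10.100.100.0/24")
PIX_INSIDE_IP = ipaddress.ip_address("10.100.100.4")


def pool_overlaps(pool_first, pool_last, subnet=INTERNAL_SUBNET):
    """True if the address range [pool_first, pool_last] shares any address with subnet.

    A client pool taken out of the inside LAN is the trap in the thread: inside hosts
    consider the client addresses local (they ARP for them) instead of handing the
    packets to the PIX, so replies never reach the VPN client.
    """
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    if last < first:
        raise ValueError("pool range is reversed")
    return first <= subnet[-1] and last >= subnet[0]


def pix_nat_exemption(acl_id, internal, pools):
    """PIX lines from the first reply: 'nat 0' bound to an access-list so that traffic
    from the internal subnet to the client pool(s) is not translated."""
    lines = [f"nat (inside) 0 access-list {acl_id}"]
    for pool in pools:
        lines.append(
            f"access-list {acl_id} permit ip "
            f"{internal.network_address} {internal.netmask} "
            f"{pool.network_address} {pool.netmask}"
        )
    return lines


def router_return_routes(pools, pix_inside=PIX_INSIDE_IP):
    """Static route(s) for the internal router (second reply): send the client pool to
    the PIX inside interface rather than out the default route. IOS syntax is assumed."""
    return [f"ip route {p.network_address} {p.netmask} {pix_inside}" for p in pools]


def plan_client_pool(pool_first, pool_last, replacement="192.168.1.0/24", acl_id=90):
    """Validate the proposed pool and return the resulting configuration.

    If the pool overlaps the internal subnet, switch to `replacement` (a separate pool,
    as the replies suggest). Either way, emit the PIX exemption and the router route,
    since both are needed whenever the pool is not part of the inside LAN.
    """
    overlap = pool_overlaps(pool_first, pool_last)
    if overlap:
        pools = [ipaddress.ip_network(replacement)]
        if pools[0].overlaps(INTERNAL_SUBNET):
            raise ValueError("replacement pool also overlaps the internal subnet")
    else:
        # An arbitrary range may not be a single CIDR block; summarize it into blocks
        # so each becomes one access-list entry and one route.
        pools = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)))
    return {
        "overlap": overlap,
        "pools": [str(p) for p in pools],
        "pix": pix_nat_exemption(acl_id, INTERNAL_SUBNET, pools),
        "router": router_return_routes(pools),
    }


if __name__ == "__main__":
    # Raj's pool from the thread: inside the LAN, so it is flagged and replaced.
    result = plan_client_pool("10.100.100.118", "10.100.100.190")
    print("overlaps internal subnet:", result["overlap"])
    print("\n".join(result["pix"]))
    print("\n".join(result["router"]))
```

Running it with the thread's pool reports the overlap and prints the replacement configuration: the `nat (inside) 0 access-list 90` line, one `access-list 90 permit ip` entry from 10.100.100.0/24 to 192.168.1.0/24, and a route for 192.168.1.0/24 via 10.100.100.4 for the internal router. A pool that does not overlap is kept as given and summarized into CIDR blocks.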

287 Views · 0 Helpful · 3 Replies