New Member

vpn client lan connection problem

I have a VPN client connecting to a PIX 515E. I get a VPN connection with no problem, but I cannot ping anything on the internal network.

The local pool is 192.168.1.170-192.168.1.185 and the inside IP address of the PIX is 192.168.1.10.

Any ideas?

7 REPLIES
New Member

Re: vpn client lan connection problem

Could be something like your no-NAT access list. Could you post your config so we can sanity check it? Don't forget to w.x.y.z the external IP addresses & xxx over your passwords :-)

New Member

Re: vpn client lan connection problem

fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list vpn_to_belfast permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn_to_belfast permit icmp any any
access-list vpn_to_belfast permit icmp any any echo
access-list vpn_to_belfast permit icmp any any echo-reply
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.x y.y.y.y
ip address inside 192.168.1.10 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool jlsremote 192.168.1.171-192.168.1.185
pdm history enable
arp timeout 14400
nat (inside) 0 access-list vpn_to_belfast
access-group vpn_to_belfast in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool jlsremote
vpngroup vpn3000 default-domain xx
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password xxxx
vpngroup dns-server idle-time 1800

New Member

Re: vpn client lan connection problem

Please see my config.

We have a PIX-to-PIX VPN on this as well, hence the vpn_to_belfast access-lists.

intf2 is going to be used for outbound internet access, whereas ethernet0 is going to be used for the PIX-to-PIX VPN tunnel and also for version 4 VPN clients coming in over this interface.

Any ideas?

New Member

Re: vpn client lan connection problem

Hello,

Your remote pool is from the same IP network as your internal interface, so you have to add the static for this pool going to outside or (recommended) change the pool to some other IP network - 192.168.3.x.

As for using one interface for internet and a second for VPN, is your client connecting from the same public IP? Then this is possible, otherwise not.

Regards,

Daniel
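The two checks raised in this thread (the first reply's "no-NAT access list" and Daniel's point that the pool sits inside the internal interface's own subnet) can be run against a config excerpt automatically. This is an added example, not code from the thread or from Cisco; it parses only the handful of PIX 6.x lines the checks need and is fed a constructed excerpt of the posted config plus a constructed corrected variant.

```python
import ipaddress
import re

# Constructed excerpt of the config posted above (only the lines the checks need).
POSTED_CONFIG = """
access-list vpn_to_belfast permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address inside 192.168.1.10 255.255.255.0
ip local pool jlsremote 192.168.1.171-192.168.1.185
nat (inside) 0 access-list vpn_to_belfast
"""

# Constructed variant: pool moved to 192.168.3.x and the nat 0 ACL extended to cover it.
FIXED_CONFIG = """
access-list vpn_to_belfast permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn_to_belfast permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
ip address inside 192.168.1.10 255.255.255.0
ip local pool jlsremote 192.168.3.1-192.168.3.15
nat (inside) 0 access-list vpn_to_belfast
"""

def parse_config(text):
    """Pull out the inside subnet, the local pools, the nat 0 ACL name and the
    destination networks of each 'permit ip' ACE (explicit masks only)."""
    inside, pools, nat0_acl, acl_dsts = None, {}, None, {}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"ip address inside (\S+) (\S+)$", line):
            inside = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            nat0_acl = m[1]
        elif m := re.match(r"access-list (\S+) permit ip \S+ \S+ (\S+) (\S+)$", line):
            dst = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            acl_dsts.setdefault(m[1], []).append(dst)
    return inside, pools, nat0_acl, acl_dsts

def check_pool(text, pool_name):
    """Return the findings for one VPN address pool (empty list means both checks pass)."""
    inside, pools, nat0_acl, acl_dsts = parse_config(text)
    first, last = pools[pool_name]
    findings = []
    # Check 1: the pool is carved out of the inside interface's own subnet.
    if first in inside or last in inside:
        findings.append("pool-overlaps-inside")
    # Check 2: no ACE in the nat 0 ACL exempts inside-to-pool traffic from NAT.
    if not any(first in net and last in net for net in acl_dsts.get(nat0_acl, [])):
        findings.append("pool-not-in-nat0-acl")
    return findings
```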

New Member

Re: vpn client lan connection problem

Hi,

I have tried changing my local pool to 192.168.3.1-192.168.3.15.

I also added a static route to get to 192.168.3.0 255.255.255.0 via the next hop, but I am still able to connect via the VPN and yet cannot ping anything on the inside network.

The VPN client is not using the same public IP address as the VPN tunnel; the clients will be accessing the VPN from home, but the other VPN tunnel we are using is from a remote site.

Any other ideas?

New Member

Re: vpn client lan connection problem

What is the default gateway for the clients in the internal network? PIX or router?

Regards,

Daniel

New Member

Re: vpn client lan connection problem

The VPN client is set up to access the PIX, which has a direct connection out to a broadband box.

The VPN client gets connected but no traffic is passed.

I have a default route in the PIX saying that to get to anywhere, go to the next hop, which is the broadband managed box.

When I dial in and get connected via the VPN client, the gateway is itself by the look of it.

I have also tried adding a static route into the PIX saying that to get to 192.168.3.0, go to the next hop.

No joy.

Any ideas?
