Was the second modification supposed to be:

access-list 102 permit 192.168.2.0 0.0.0.255 any

instead of:

access-list 102 permit 192.168.1.0 0.0.0.255 any

?

No it should be 192.168.1.0 0.0.0.255 any

This should help reach ur internal servers. You can also try something like this

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.240

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 102 permit ip 192.168.2.0 0.0.0.240 any

This will help the clients reach the internet and the internal servers. Let me know if it helped

Thanks for your reply. After your first post I tried modifing the access list to:

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.240

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

But that didn't help. Since than I also tried:

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.240

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 102 permit ip 192.168.2.0 0.0.0.255 any

With the list like this I can VPN and ping "internal" hosts while I am connected using vpnc on my laptop running Linux but if I VPN using Cisco Client 4.6 on Windows machine I cannot ping any hosts (or router interface) that are on the inside.

Also, before your first response I was playing around and I added to my original configuration:

access-list 103 permit ip 192.168.2.0 0.0.0.255 any

(notice different access list number)

And that gave me the same results I get right now, which is really confusing because I thought that access list is not in affect untill it is applied to an interface. Just to be clear I have removed the access list 103 before making changes you sugested. Thanks for your help...

You say you couldnt ping with Windows Client. Just wondering if it is an issue with the Windows Firewall. Can you disable it and check ?

on top of the acl 102, split tunneling needs to be configured on the router as well.

e.g.

access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

crypto isakmp client configuration group ntdlab_vpn

acl 199

I will check for Windows firewall on the computer that was running Cisco VPN Client as soon as I get back to the office.

As far as split tunnel goes, I am not sure why is it necessary to set it up? Can you elaborate please?

Thanks.

with split tunneling configured, the router will push the policy to the client during ipsec vpn establishment. the policy is then used by the client to determine what sort of traffic should be encrypted and sent via the vpn. without split tunneling, all traffic generated by client will be encrypted and sent via the vpn regardless the destination.

on the other hand, with split tunneling, traffic with destination rather than the hq will not be considered as interesting traffics. and hence, traffic destined for the client local subnet will not be encrypted and sent to the router, including the internet.

still no luck... with split-tunnel VPN clients can connect to the Internet but not to any of the local resources... i noticed this entry when i 'show run':

ip access-list extended UNKNOWN

i am not sure what it is or if it is in any way related to my problem... thanks

Did u try the Windows firewall as well ?

please post the entire config with public ip masked for further assistance.

i did try connecting with windows firewall disabled and that didn't make much difference. currently i can ping the "inside" interface of the router after i VPN but cannot ping any other host on the "inside" or connect to them in any other way. here is an updated "show run" of my route. thanks everyone for help!

version 12.3

service config

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ntdlab

!

no logging buffered

enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx

!

username xxxxxxxxx secret 5 xxxxxxxxxxxxxxxxxxxxxxxx

clock timezone EST -6

aaa new-model

!

!

aaa authentication login user_list local

aaa authorization network group_list local

aaa session-id common

ip subnet-zero

ip domain name ntdlab.local

ip name-server 10.10.10.11

ip name-server 10.10.10.12

ip dhcp excluded-address 192.168.1.1 192.168.1.50

!

ip dhcp pool lan_dhcp_pool

network 192.168.1.0 255.255.255.0

dns-server 10.10.10.11 10.10.10.12

domain-name ntdlab.local

default-router 192.168.1.1

!

ip dhcp pool lan_vpn_pool

default-router 192.168.1.1

!

!

ip audit notify log

ip audit po max-events 100

no ftp-server write-enable

!

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group ntdlab_vpn

key 0 xxxxxxxxxxxxxx

dns 10.10.10.11 10.10.10.12

domain ntdlab.local

pool vpn_dhcp_pool

acl 199

!

!

crypto ipsec transform-set 3des_sha_set esp-3des esp-sha-hmac

!

crypto dynamic-map ntd_map 1

set transform-set 3des_sha_set

!

!

crypto map ntd_map client authentication list user_list

crypto map ntd_map isakmp authorization list group_list

crypto map ntd_map client configuration address respond

crypto map ntd_map 1 ipsec-isakmp dynamic ntd_map

!

!

!

!

interface Ethernet0

description Lab inside interface

ip address 192.168.1.1 255.255.255.0

ip nat inside

no cdp enable

!

interface Ethernet1

description Lab outside interface

ip address 10.10.10.48 255.255.255.0

ip nat outside

duplex auto

no cdp enable

crypto map ntd_map

!

interface FastEthernet1

no ip address

duplex auto

speed auto

!

interface FastEthernet2

no ip address

duplex auto

speed auto

!

interface FastEthernet3

no ip address

duplex auto

speed auto

!

interface FastEthernet4

no ip address

duplex auto

speed auto

!

ip local pool vpn_dhcp_pool 192.168.2.100 192.168.2.110

ip nat inside source list 102 interface Ethernet1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 10.10.10.1

no ip http server

no ip http secure-server

!

!

ip access-list extended UNKNOWN

ip access-list extended addr-pool

ip access-list extended default-domain

ip access-list extended protocol

ip access-list extended service

ip access-list extended timeout

ip access-list extended tty0

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.240

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 102 permit ip 192.168.2.0 0.0.0.255 any

access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

no cdp run

!

line con 0

exec-timeout 0 0

password 7 xxxxxxxxxxxxxxx

logging synchronous

no modem enable

line aux 0

password 7 xxxxxxxxxxxxxxx

line vty 0 4

password 7 xxxxxxxxxxxxxxx

!

scheduler max-task-time 5000

!

end

Do u have a inside routers..??? o switch's..???

If the answer is yes u must to define a route to reach the pool addreses 192.168.2.100 192.168.2.110 thru the inside interface (since you can ping the inside interface from the remote). I hope it helps...

i have a router (some Linksys "home-user" type) not connected to outside (as this is testing environment) with inside interface 10.10.10.1. my laptop and and Cisco 831 are both behind this Linksys router. Cisco router has a web server behind also just for testing purposes. when i VPN i cannot access the web server behind the Cisco. thanks for reply...