03-02-2006 10:15 AM - edited 02-21-2020 02:17 PM
Remote users (Cisco VPN Client) can't access internal resources after they VPN. They cannot access the Internet either (but that's not really a problem). Trace route from the remote pc to www.google.com stops at WAN interface of the 831. Help is appreciated...
version 12.3
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxx
!
no logging buffered
enable secret 5 xxxxxxxxxxxxxxxxx
!
username xxxxxx secret 5 xxxxxxxxxxxxxxxxxx
clock timezone EST -6
aaa new-model
!
!
aaa authentication login user_list local
aaa authorization network group_list local
aaa session-id common
!
ip subnet-zero
ip domain name xxxxxxxxxxxx
ip name-server 10.10.10.11
ip name-server 10.10.10.12
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ntdlab_vpn
key 0 xxxxxxxxxxxxxxx
dns 10.10.10.11 10.10.10.12
domain xxxxxxx
pool vpn_dhcp_pool
!
!
crypto ipsec transform-set 3des_sha_set esp-3des esp-sha-hmac
!
crypto dynamic-map ntd_map 1
set transform-set 3des_sha_set
!
!
crypto map ntd_map client authentication list user_list
crypto map ntd_map isakmp authorization list group_list
crypto map ntd_map client configuration address respond
crypto map ntd_map 1 ipsec-isakmp dynamic ntd_map
!
!
!
!
interface Ethernet0
description Lab inside interface
ip address 192.168.1.1 255.255.255.0
ip nat inside
no cdp enable
!
interface Ethernet1
description Lab outside interface
ip address 10.10.10.48 255.255.255.0
ip nat outside
duplex auto
no cdp enable
crypto map ntd_map
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip local pool vpn_dhcp_pool 192.168.2.100 192.168.2.110
ip nat inside source list 102 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
no ip http server
no ip http secure-server
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
line con 0
exec-timeout 0 0
password 7 xxxxxxxxxxx
logging synchronous
no modem enable
line aux 0
password 7 xxxxxxxxxxx
line vty 0 4
password 7 xxxxxxxxxxx
!
scheduler max-task-time 5000
!
end
03-02-2006 09:02 PM
Can you modify the access-list 102 to something like this
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.96 0.0.0.240
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
You will not be able to browse the Net because you are NATing the 192.168.2.x IP when you go back to the Internet. Let me know if it helps.
03-03-2006 03:11 PM
Was the second modification supposed to be:
access-list 102 permit 192.168.2.0 0.0.0.255 any
instead of:
access-list 102 permit 192.168.1.0 0.0.0.255 any
?
03-03-2006 08:00 PM
No, it should be 192.168.1.0 0.0.0.255 any.
This should help you reach your internal servers. You can also try something like this:
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.240
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.240 any
This will help the clients reach the Internet and the internal servers. Let me know if it helped.
03-03-2006 08:48 PM
Thanks for your reply. After your first post I tried modifying the access list to:
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.240
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
But that didn't help. Since then I also tried:
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.240
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
With the list like this I can VPN and ping "internal" hosts while I am connected using vpnc on my laptop running Linux, but if I VPN using Cisco Client 4.6 on a Windows machine I cannot ping any hosts (or router interface) that are on the inside.
Also, before your first response I was playing around and I added to my original configuration:
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
(notice the different access list number)
And that gave me the same results I get right now, which is really confusing because I thought that an access list is not in effect until it is applied to an interface. Just to be clear, I removed access list 103 before making the changes you suggested. Thanks for your help...
03-04-2006 02:18 AM
You say you couldn't ping with the Windows client. Just wondering if it is an issue with the Windows Firewall. Can you disable it and check?
03-04-2006 05:35 AM
On top of the ACL 102, split tunneling needs to be configured on the router as well.
e.g.
access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto isakmp client configuration group ntdlab_vpn
acl 199
03-04-2006 08:21 AM
I will check for Windows firewall on the computer that was running Cisco VPN Client as soon as I get back to the office.
As far as split tunneling goes, I am not sure why it is necessary to set it up. Can you elaborate please?
Thanks.
03-04-2006 04:53 PM
With split tunneling configured, the router will push the policy to the client during IPsec VPN establishment. The policy is then used by the client to determine what sort of traffic should be encrypted and sent via the VPN. Without split tunneling, all traffic generated by the client will be encrypted and sent via the VPN regardless of the destination.
On the other hand, with split tunneling, traffic with a destination other than the HQ will not be considered interesting traffic, and hence traffic destined for the client's local subnet, including the Internet, will not be encrypted and sent to the router.
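The two access lists discussed in this thread are consulted in different places and with different semantics: ACL 102 decides which inside-to-outside packets get translated by `ip nat inside source list 102`, and ACL 199 is the split-tunnel policy pushed to the client. The following is an added example, not code from the thread or from Cisco, that models IOS's top-down, first-match, implicit-deny evaluation with Cisco wildcard masks so both lists can be checked offline. The ACL lines are copied from the second `show run` in the thread; `ACL102_FIXED`, the inside host 192.168.1.10 and the Internet address 203.0.113.10 are constructed for the demonstration and are assumptions, not something the thread proposes. It shows a property a practitioner would want to verify: a wildcard of 0.0.0.240 (binary 11110000 in the last octet) selects only the hosts .0, .16, .32, ..., .240, so the `deny` entry never matches a client drawn from the pool 192.168.2.100-110, and a reply from an inside server to such a client still falls through to the `permit ... any` line and is translated.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means "don't care",
    a 0 bit means the packet's bit must equal the base address's bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def matched_last_octets(base: str, wildcard: str) -> list:
    """Which hosts of base's /24 does (base, wildcard) select? Returns last octets."""
    prefix = ".".join(base.split(".")[:3])
    return [x for x in range(256) if wildcard_match(f"{prefix}.{x}", base, wildcard)]

def _take_addr(tokens):
    # Address spec of a numbered extended ACL: "any", "host A.B.C.D" or "A.B.C.D W.W.W.W".
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line: str):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src, dst)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"only 'access-list N permit|deny ip ...' entries are handled: {line}")
    action = tokens[2]
    src, rest = _take_addr(tokens[4:])
    dst, _ = _take_addr(rest)
    return action, src, dst

def evaluate(acl, src: str, dst: str):
    """Top-down, first match wins, implicit deny at the end.
    Returns (action, matching line) or ('deny', None)."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, line
    return "deny", None

def is_translated(nat_acl, src: str, dst: str) -> bool:
    """'ip nat inside source list' translates a packet only when the list permits it."""
    return evaluate(nat_acl, src, dst)[0] == "permit"

def tunnel_decision(split_acl, client_ip: str, dst: str) -> str:
    """Split-tunnel ACL pushed to the client: the ACE *source* is the protected
    network behind the router, so the client's destination is matched against it."""
    return "encrypt" if evaluate(split_acl, dst, client_ip)[0] == "permit" else "clear"

# ACL 102 and ACL 199 exactly as shown in the thread's second 'show run'.
ACL102 = [
    "access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.240",
    "access-list 102 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 102 permit ip 192.168.2.0 0.0.0.255 any",
]
ACL199 = [
    "access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
]
# Hypothetical variant (not from the thread): deny rewritten so that the wildcard
# actually covers the pool, 192.168.2.96 with 0.0.0.15 selecting .96 through .111.
ACL102_FIXED = [
    "access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.96 0.0.0.15",
    "access-list 102 permit ip 192.168.1.0 0.0.0.255 any",
]

if __name__ == "__main__":
    # Constructed addresses: an inside server, a client from the pool, an Internet host.
    server, client, internet = "192.168.1.10", "192.168.2.100", "203.0.113.10"
    print("0.0.0.240 selects last octets:", matched_last_octets("192.168.2.0", "0.0.0.240"))
    print("0.0.0.15  selects last octets:", matched_last_octets("192.168.2.96", "0.0.0.15"))
    print("server->client translated (ACL102 as posted):", is_translated(ACL102, server, client),
          "via", evaluate(ACL102, server, client)[1])
    print("server->client translated (ACL102_FIXED):", is_translated(ACL102_FIXED, server, client))
    print("client->server:", tunnel_decision(ACL199, client, server),
          "| client->internet:", tunnel_decision(ACL199, client, internet))
```

Run as written, the script reports that with the posted ACL 102 the server's reply to 192.168.2.100 is matched by the `permit ... any` line and translated to the outside interface address, which is why it never fits the IPsec proxy identities the client negotiated, while the same reply under `ACL102_FIXED` is exempted from NAT; the split-tunnel check shows 192.168.1.0/24 destinations encrypted and everything else sent in the clear.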
03-06-2006 02:04 PM
Still no luck... With split tunneling, VPN clients can connect to the Internet but not to any of the local resources. I noticed this entry when I 'show run':
ip access-list extended UNKNOWN
I am not sure what it is or whether it is in any way related to my problem. Thanks.
03-06-2006 07:56 PM
Did you try the Windows firewall as well?
03-06-2006 09:10 PM
Please post the entire config with the public IP masked for further assistance.
03-07-2006 06:37 AM
I did try connecting with the Windows firewall disabled and that didn't make much difference. Currently I can ping the "inside" interface of the router after I VPN but cannot ping any other host on the "inside" or connect to them in any other way. Here is an updated "show run" of my router. Thanks everyone for the help!
version 12.3
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ntdlab
!
no logging buffered
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username xxxxxxxxx secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
clock timezone EST -6
aaa new-model
!
!
aaa authentication login user_list local
aaa authorization network group_list local
aaa session-id common
ip subnet-zero
ip domain name ntdlab.local
ip name-server 10.10.10.11
ip name-server 10.10.10.12
ip dhcp excluded-address 192.168.1.1 192.168.1.50
!
ip dhcp pool lan_dhcp_pool
network 192.168.1.0 255.255.255.0
dns-server 10.10.10.11 10.10.10.12
domain-name ntdlab.local
default-router 192.168.1.1
!
ip dhcp pool lan_vpn_pool
default-router 192.168.1.1
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ntdlab_vpn
key 0 xxxxxxxxxxxxxx
dns 10.10.10.11 10.10.10.12
domain ntdlab.local
pool vpn_dhcp_pool
acl 199
!
!
crypto ipsec transform-set 3des_sha_set esp-3des esp-sha-hmac
!
crypto dynamic-map ntd_map 1
set transform-set 3des_sha_set
!
!
crypto map ntd_map client authentication list user_list
crypto map ntd_map isakmp authorization list group_list
crypto map ntd_map client configuration address respond
crypto map ntd_map 1 ipsec-isakmp dynamic ntd_map
!
!
!
!
interface Ethernet0
description Lab inside interface
ip address 192.168.1.1 255.255.255.0
ip nat inside
no cdp enable
!
interface Ethernet1
description Lab outside interface
ip address 10.10.10.48 255.255.255.0
ip nat outside
duplex auto
no cdp enable
crypto map ntd_map
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip local pool vpn_dhcp_pool 192.168.2.100 192.168.2.110
ip nat inside source list 102 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
no ip http server
no ip http secure-server
!
!
ip access-list extended UNKNOWN
ip access-list extended addr-pool
ip access-list extended default-domain
ip access-list extended protocol
ip access-list extended service
ip access-list extended timeout
ip access-list extended tty0
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.240
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
no cdp run
!
line con 0
exec-timeout 0 0
password 7 xxxxxxxxxxxxxxx
logging synchronous
no modem enable
line aux 0
password 7 xxxxxxxxxxxxxxx
line vty 0 4
password 7 xxxxxxxxxxxxxxx
!
scheduler max-task-time 5000
!
end
03-07-2006 01:45 PM
Do you have any inside routers or switches?
If the answer is yes, you must define a route to reach the pool addresses 192.168.2.100-192.168.2.110 through the inside interface (since you can ping the inside interface from the remote). I hope it helps...
03-09-2006 08:35 AM
I have a router (some Linksys "home-user" type) not connected to the outside (as this is a testing environment) with inside interface 10.10.10.1. My laptop and the Cisco 831 are both behind this Linksys router. The Cisco router also has a web server behind it, just for testing purposes. When I VPN I cannot access the web server behind the Cisco. Thanks for the reply...