
VPN connections: impossible to ping network's machines

MaCFoxtrot
Level 1

Hello,

I have configured a Cisco 857 device. I can connect to the internet. I can also establish VPN connections remotely.

However, once I have established a VPN connection, I cannot ping any system on the company LAN.

I have seen several posts on these forums, but I couldn't configure my router properly.

I attach my config. Is it possible to know what corrections I should make?

My LAN IPs are 10.0.0.x with a subnet mask 255.0.0.0.

For my remote clients, I have now configured it to use 255.0.1.x.

Thanks and regards,

MaC

6 Replies

MaCFoxtrot
Level 1

Here is the attachment...

I can see in your configuration that you use split-tunneling, which is fine.

However, I think you need to add the following lines to the configuration so that your router will NOT NAT traffic going from 10.0.0.0/8 to 255.0.1.x/24:

no access-list 120

access-list 120 remark SDM_ACL Category=18

access-list 120 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255

access-list 120 deny ip 10.0.0.0 0.255.255.255 255.0.1.0 0.0.0.255

access-list 120 permit ip 10.0.0.0 0.0.0.255 any

That way, the traffic from 10.0.0.0/8 will not be NATted when going to 255.0.1.0/24 for the VPN.

CCIE Security

Hello,

To what does 255.0.1.x/24 refer? Is this a special range?

Wouldn't you rather mean 10.0.1.x/8 as 10.0.1.x will be the IP of the clients?

Regards,

Correction to my first post: "For my remote clients, I have now configured it to use 10.0.1.x."

Regards,

Here is the current state of my access lists; still nothing working:

access-list 100 remark SDM_ACL Category=4

access-list 100 permit ip 10.0.1.0 0.0.0.255 any

access-list 120 remark SDM_ACL Category=18

access-list 120 deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 120 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255

access-list 120 permit ip 10.0.0.0 0.0.0.255 any

Regards,

MaCFoxtrot
Level 1

Hello,

The problem is now solved.

It was related to the fact that both my company network and my VPN client pool were using IPs in the same subnet.

Regards,
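
The overlap named in the last post can be checked offline. The following is an added example, not code from the thread's participants or from Cisco: it tests whether a VPN pool falls inside the LAN's mask and evaluates ACL 120 (as last posted) with Cisco wildcard matching. The sample host 10.0.0.5, the alternative pool 192.168.50.0/24 and all function names are assumptions made for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0

def first_match(acl, src, dst):
    """Action of the first matching entry; an IOS ACL ends in an implicit deny."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action
    return "deny"

def pool_overlaps_lan(lan, pool):
    """True if the VPN client pool shares address space with the LAN."""
    return ipaddress.ip_network(lan).overlaps(ipaddress.ip_network(pool))

def on_link(host_if, peer):
    """True if a host with this address/mask treats peer as directly attached,
    i.e. it ARPs for peer instead of sending to its default gateway."""
    return ipaddress.ip_address(peer) in ipaddress.ip_interface(host_if).network

ANY = ("0.0.0.0", "255.255.255.255")
# ACL 120 as last posted in the thread; used for NAT, so "deny" = not NATted.
ACL_120 = [
    ("deny", "10.0.0.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("deny", "10.0.0.0", "0.0.0.255", "10.0.1.0", "0.0.0.255"),
    ("permit", "10.0.0.0", "0.0.0.255", *ANY),
]

LAN = "10.0.0.0/255.0.0.0"        # LAN and mask from the first post
LAN_HOST = "10.0.0.5/255.0.0.0"   # constructed sample LAN host
POOLS = {"thread pool": ("10.0.1.0/24", "10.0.1.10"),
         "separate pool (assumed)": ("192.168.50.0/24", "192.168.50.10")}

if __name__ == "__main__":
    for name, (pool, client) in POOLS.items():
        print(name, pool,
              "| overlaps LAN:", pool_overlaps_lan(LAN, pool),
              "| LAN host sees client on-link:", on_link(LAN_HOST, client))
    print("ACL 120, 10.0.0.5 -> 10.0.1.10:",
          first_match(ACL_120, "10.0.0.5", "10.0.1.10"))
```

For the 10.0.1.x pool the LAN host considers the VPN client on-link even though ACL 120 already exempts the flow from NAT, which matches the last post: the addressing was the problem, not the NAT rule.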
