
VPN clients cannot access to non-native vlans

Hi, I have configured an 877 as an Easy VPN server. When a client connects to the VPN we can only reach the native VLAN:

VPN clients: 192.168.2.0/24

VLAN 1(native): 192.168.1.0/24

VLAN 100 (voice): 192.168.100.0/24

There must be something wrong in the config, but I can't find the error. This is my config:

aaa new-model
!
aaa group server radius sdm_vpn_xauth_ml_1
 server 192.168.1.201 auth-port 1645 acct-port 1646
!
aaa group server radius sdm_vpn_group_ml_1
 server 192.168.1.201 auth-port 1645 acct-port 1646
!
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool DHCP_pool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.2
   dns-server 192.168.1.3 80.58.61.250 80.58.61.254
   netbios-name-server 192.168.1.3
   domain-name nirgal.es
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name nirgal
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNNirgal
 key 08nirgal0708
 dns 192.168.1.3
 wins 192.168.1.3
 domain nirgal
 pool SDM_POOL_1
 acl 100
 max-users 254
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group VPNNirgal
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-AES128-SHA
 set isakmp-profile sdm-ike-profile-1
!
archive
 log config
  hidekeys
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address <public ip> <netmask>
 ip nat outside
 ip virtual-reassembly
 pvc 8/32
  encapsulation aal5snap
!
interface FastEthernet0
 switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 ip unnumbered ATM0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description LOCAL LAN
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <next hop public ip>
ip route 0.0.0.0 0.0.0.0 192.168.1.252 2
ip route 192.168.100.5 255.255.255.255 192.168.100.254
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map No_NAT interface ATM0.1 overload
!
access-list 100 remark VPN_CLIENTE
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 remark NAT_INSIDE_VPN
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
no cdp run
!
route-map No_NAT permit 1
 match ip address 101
!
radius-server host 192.168.1.201 auth-port 1645 acct-port 1646 key 7 <key>
!

Thanks.
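When Easy VPN clients reach one LAN subnet but not another, the first things to verify in the server configuration are that each subnet is listed in the split-tunnel ACL the client group references, that LAN-to-pool traffic is denied in the NAT route-map ACL, and that the address pool does not overlap a LAN subnet. The Python script below is an added example, not part of the original post and not a Cisco tool: it parses a constructed, abridged copy of the configuration above (same addresses, only the lines the checks need) and reports those three checks per VLAN interface. The line-matching is an assumption of this example that covers only the IOS command forms shown in the post, not a general IOS parser.

```python
import ipaddress

# Constructed, abridged excerpt of the posted configuration (addresses as in the post).
SAMPLE_CONFIG = """\
crypto isakmp client configuration group VPNNirgal
 pool SDM_POOL_1
 acl 100
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.254
ip nat inside source route-map No_NAT interface ATM0.1 overload
access-list 100 remark VPN_CLIENTE
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
route-map No_NAT permit 1
 match ip address 101
"""


def wildcard_net(addr, wildcard):
    """IOS 'address wildcard' pair -> IPv4Network (wildcard is an inverted mask)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def pool_net(first, last):
    """Smallest prefix covering an 'ip local pool' range; the pool is a range, not a subnet."""
    net = ipaddress.IPv4Network(f"{first}/32")
    last_ip = ipaddress.IPv4Address(last)
    while last_ip not in net:
        net = net.supernet()
    return net


def parse_config(text):
    """Collect the parts of an Easy VPN server config that decide what clients can reach."""
    cfg = {"vlans": {}, "split_acl": None, "pool_name": None, "nat_acl": None,
           "pools": {}, "permits": {}, "denies": {}}
    section = ""  # most recent top-level (unindented) command
    for line in text.splitlines():
        if not line.startswith(" "):
            section = line.strip()
        words = line.split()
        if not words:
            continue
        if section.startswith("interface Vlan") and words[:2] == ["ip", "address"]:
            cfg["vlans"][section.split()[1]] = ipaddress.IPv4Interface(f"{words[2]}/{words[3]}").network
        elif section.startswith("crypto isakmp client configuration group"):
            if words[0] == "acl":
                cfg["split_acl"] = words[1]       # split-tunnel ACL pushed to clients
            elif words[0] == "pool":
                cfg["pool_name"] = words[1]
        elif section.startswith("route-map") and words[:3] == ["match", "ip", "address"]:
            cfg["nat_acl"] = words[3]             # ACL that exempts LAN->pool traffic from NAT
        elif words[:3] == ["ip", "local", "pool"]:
            cfg["pools"][words[3]] = pool_net(words[4], words[5])
        elif words[0] == "access-list" and words[3:4] == ["ip"]:
            acl, action = words[1], words[2]
            if action == "permit" and words[6] == "any":
                cfg["permits"].setdefault(acl, []).append(wildcard_net(words[4], words[5]))
            elif action == "deny" and len(words) >= 8:
                cfg["denies"].setdefault(acl, []).append(
                    (wildcard_net(words[4], words[5]), wildcard_net(words[6], words[7])))
    return cfg


def check_vlan_reachability(cfg):
    """Per VLAN subnet: in split-tunnel ACL? NAT-exempt towards the pool? overlapping the pool?"""
    pool = cfg["pools"].get(cfg["pool_name"])
    split_nets = cfg["permits"].get(cfg["split_acl"], [])
    nat_exempt = cfg["denies"].get(cfg["nat_acl"], [])
    report = {}
    for vlan, net in cfg["vlans"].items():
        report[vlan] = {
            "split_tunnel": any(net.subnet_of(s) for s in split_nets),
            "nat_exempt": pool is not None and any(
                net.subnet_of(src) and pool.subnet_of(dst) for src, dst in nat_exempt),
            "overlaps_pool": pool is not None and net.overlaps(pool),
        }
    return report


if __name__ == "__main__":
    for vlan, checks in check_vlan_reachability(parse_config(SAMPLE_CONFIG)).items():
        print(vlan, checks)
```

Run against the posted lines, all three checks come out clean for both Vlan1 and Vlan100, so the split-tunnel and NAT-exemption configuration does not distinguish the two VLANs. In that situation the usual next step is the return path: hosts in the non-reachable VLAN must send replies for 192.168.2.0/24 to this router (check their default gateway and host firewalls), and `show crypto ipsec sa` on the router shows whether packets for that subnet are being encapsulated at all.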

1 REPLY

Re: VPN clients cannot access to non-native vlans

Any solution?

Thanks.
