09-23-2010 12:04 PM
I am a total newbie when it comes to Cisco and routing, so forgive me if this has been answered before.
We have a Cisco 2821 router that is supporting VPN connections. Our LAN is a /22 (255.255.252.0): the xxx.xxx.0.0, xxx.xxx.1.0, xxx.xxx.2.0 and xxx.xxx.3.0 subnets. I can connect through VPN and I can access my xxx.xxx.1.0 subnet with no problems. However, I cannot access the xxx.xxx.2.0 and xxx.xxx.3.0 subnets.
I don't even know where to start. I have seen similar threads, but I need it "dumbed down" for me. Preferably solutions that I can apply through the SDM. I am terrible with the CLI.
Thank you for any help provided!! :-)
09-24-2010 07:36 AM
Here it is
access-list 199 permit ip 10.1.0.0 0.0.1.255 10.1.255.0 0.0.0.255
your clients are getting the address pool of 10.1.255.0 0.0.0.255
to permit access to any other network in your lan from the vpn client
access-list 199 permit ip
You will have to add the same lines that you add in ACL 199 to ACL 104, but with the deny action, since you are using NAT:
access-list 104 deny ip 10.1.0.0 0.0.1.255 10.1.255.0 0.0.0.255
Notice that you are using a deny, and that is to tell the router to do NO NAT on that traffic.
I hope it helps. Let me know.
09-23-2010 02:12 PM
What kind of VPN is it? A site-to-site VPN? Check the ACL for the interesting traffic and your no-NAT. If it's a remote VPN that uses a VPN client, then check the ACL for split tunnel. Post the current config; that way we will be able to help you.
09-23-2010 04:31 PM
09-24-2010 09:05 AM
OK, I have been studying inverse masks on the Cisco site and I think I am understanding some of this. Since I want to give access to all 4 subnets, couldn't I just change the existing ACL from:
access-list 199 permit ip 10.1.0.0 0.0.1.255 10.1.255.0 0.0.0.255
To:
access-list 199 permit ip 10.1.0.0 0.0.3.255 10.1.255.0 0.0.0.255
This should permit access to 10.1.0.0-10.1.3.255.
I understand that I can add an ACL for each individual subnet but I don't need that much granularity. What is the best practice??
Thanks for your help!!!!
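An added example, not from the thread or from Cisco, in Python: it applies Cisco's wildcard-mask (inverse-mask) rule and first-match ACL semantics to the entries posted above, so you can see why `0.0.1.255` leaves subnets .2 and .3 out, why `0.0.3.255` covers 10.1.0.0-10.1.3.255, and why the matching deny has to be added to the NAT ACL as well. The ACL 199 and ACL 104 lines are the ones from the thread; the `permit ip 10.1.0.0 0.0.3.255 any` line in ACL 104 is a constructed stand-in for the router's NAT overload rule, and the host addresses are constructed test values.

```python
import ipaddress


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard (inverse mask) test: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def wildcard_range(base, wildcard):
    """First and last address covered by base/wildcard (contiguous wildcards only)."""
    w = _ip(wildcard)
    lo = _ip(base) & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(lo | w))


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC SRC-WC DST DST-WC|any', the only shape used here."""
    p = line.split()
    if p[0] != "access-list" or p[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    dst = ("0.0.0.0", "255.255.255.255") if p[6] == "any" else (p[6], p[7])
    return {"action": p[2], "src": (p[4], p[5]), "dst": dst}


def evaluate_acl(entries, src, dst):
    """Numbered ACLs are read top-down; first match wins; implicit deny at the end."""
    for ace in map(parse_ace, entries):
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"]
    return "deny"  # implicit deny


# Split-tunnel ACL 199: the entry from the answer, and the widened one the OP proposed.
SPLIT_TUNNEL_ORIGINAL = ["access-list 199 permit ip 10.1.0.0 0.0.1.255 10.1.255.0 0.0.0.255"]
SPLIT_TUNNEL_WIDENED = ["access-list 199 permit ip 10.1.0.0 0.0.3.255 10.1.255.0 0.0.0.255"]

# NAT ACL 104: the no-NAT deny from the answer, followed by a constructed permit line that
# stands in for the overload rule a router like this normally carries (not from the thread).
NAT_ACL_ORIGINAL = [
    "access-list 104 deny ip 10.1.0.0 0.0.1.255 10.1.255.0 0.0.0.255",
    "access-list 104 permit ip 10.1.0.0 0.0.3.255 any",  # constructed
]
NAT_ACL_WIDENED = [
    "access-list 104 deny ip 10.1.0.0 0.0.3.255 10.1.255.0 0.0.0.255",
    "access-list 104 permit ip 10.1.0.0 0.0.3.255 any",  # constructed
]


def lan_host_reaches_client(split_acl, nat_acl, lan_host, vpn_client):
    """Both ACLs are written LAN -> client pool, so test the LAN host's reply to the client:
    it must be inside the split-tunnel ACL AND must be exempted (denied) in the NAT ACL."""
    in_tunnel = evaluate_acl(split_acl, lan_host, vpn_client) == "permit"
    natted = evaluate_acl(nat_acl, lan_host, vpn_client) == "permit"
    return in_tunnel and not natted


if __name__ == "__main__":
    for wc in ("0.0.1.255", "0.0.3.255"):
        print(f"10.1.0.0 {wc} covers {wildcard_range('10.1.0.0', wc)}")
    client = "10.1.255.10"  # constructed address from the 10.1.255.0/24 pool
    for host in ("10.1.1.20", "10.1.2.5"):  # constructed LAN hosts in subnets .1 and .2
        print(host, "original:", lan_host_reaches_client(SPLIT_TUNNEL_ORIGINAL, NAT_ACL_ORIGINAL, host, client),
              "widened split only:", lan_host_reaches_client(SPLIT_TUNNEL_WIDENED, NAT_ACL_ORIGINAL, host, client),
              "both widened:", lan_host_reaches_client(SPLIT_TUNNEL_WIDENED, NAT_ACL_WIDENED, host, client))
```

The "widened split only" column is the case the accepted answer warns about: once ACL 199 admits the .2 and .3 subnets but ACL 104 still only denies .0 and .1, replies from those subnets fall through to the NAT permit and get translated, so the client never sees them. Whether to widen the single entry to `0.0.3.255` or to add one entry per subnet gives the same match result for these four subnets; the per-subnet form just makes it easier to later drop a subnet VPN users should not reach.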
09-27-2010 08:54 AM
You need to be as granular as possible, so be careful with the ACLs. If you are going to permit access to only 3 or 4 networks, go ahead and add 3 or 4 ACL entries.
Remember the exception in the route map for the NAT.
09-27-2010 09:09 AM
OK, I just wanted to make sure that I understood how the inverse masks work. I have been in IT for several years, but most of the time the routers were already set up. I have worked mostly for small companies, so we usually just had one subnet. It's a testament to the reliability of the Cisco products: I haven't learned anything because they rarely break! :-) Oops... did I just jinx myself??
Thank you for the time you took in answering my question!!