
New Member

Cannot access all subnets while connected by VPN

I am a total newbie when it comes to Cisco and routing, so forgive me if this has been answered before.

We have a Cisco 2821 router that is supporting VPN connections. Our LAN is a /22 (255.255.252.0): the xxx.xxx.0.0, xxx.xxx.1.0, xxx.xxx.2.0 and xxx.xxx.3.0 subnets. I can connect through VPN and I can access my xxx.xxx.1.0 subnet with no problems. However, I cannot access the xxx.xxx.2.0 and xxx.xxx.3.0 subnets.

I don't even know where to start. I have seen similar threads, but I need it "dumbed down" for me. Preferably solutions that I can apply through the SDM. I am terrible with the CLI.

Thank you for any help provided!! :-)


Re: Cannot access all subnets while connected by VPN

What kind of VPN is it? A site-to-site VPN? Check the ACL for the interesting traffic and your no-NAT. If it's a remote VPN that uses a VPN client, then check the ACL for split tunnel. Post the current config; that way we will be able to help you.

New Member

Re: Cannot access all subnets while connected by VPN

Please see attached running config. It appears that we are using Easy VPN server. We use the Cisco client to connect. My guess is that ACL 199 is the one that is constraining the subnet access; however, I don't quite understand the format. Thank you for your help!

Re: Cannot access all subnets while connected by VPN

Here it is:

access-list 199 permit ip 10.1.0.0 0.0.1.255 10.1.255.0 0.0.0.255

Your clients are getting the address pool of 10.1.255.0 0.0.0.255.

To permit access to any other network in your LAN from the VPN client:

access-list 199 permit ip    10.1.255.0 0.0.0.255

You will have to add the same lines that you add in ACL 199 to ACL 104, but with the deny action, since you are using NAT:

access-list 104 deny   ip 10.1.0.0 0.0.1.255 10.1.255.0 0.0.0.255

Notice that you are using a deny, and that is to tell the router to do NO NAT on that traffic.

I hope it helps. Let me know.

New Member

Re: Cannot access all subnets while connected by VPN

OK, I have been studying inverse masks on the Cisco site and I think I am understanding some of this. Since I want to give access to all 4 subnets, couldn't I just change the existing ACL from:

access-list 199 permit ip 10.1.0.0 0.0.1.255 10.1.255.0 0.0.0.255

To:

access-list 199 permit ip 10.1.0.0 0.0.3.255 10.1.255.0 0.0.0.255

This should permit access to 10.1.0.0-10.1.3.255.

I understand that I can add an ACL for each individual subnet, but I don't need that much granularity. What is the best practice?

Thanks for your help!
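An added example, not from this thread, written in Python: it evaluates an ACL wildcard (inverse) mask the way IOS does, bit by bit, to show why the original 0.0.1.255 entry in ACL 199 leaves 10.1.2.0 and 10.1.3.0 unreachable while 0.0.3.255 covers the whole /22, and it renders the matching no-NAT deny line for ACL 104. The helper names are hypothetical; the ACL numbers, LAN range and 10.1.255.0 pool are the ones posted above, and only contiguous wildcard masks are handled.

```python
import ipaddress

# Values taken from the thread: client pool and the two ACL numbers.
VPN_POOL = ("10.1.255.0", "0.0.0.255")
SPLIT_TUNNEL_ACL = 199   # split-tunnel ACL: what the client sends into the tunnel
NO_NAT_ACL = 104         # NAT ACL: a deny here means "do not translate"

# Constructed sample: one host in each of the four /24s of the 10.1.0.0/22 LAN.
LAN_HOSTS = ["10.1.0.1", "10.1.1.1", "10.1.2.1", "10.1.3.1"]


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert a contiguous wildcard mask such as 0.0.1.255 to a prefix length."""
    w = int(ipaddress.IPv4Address(wildcard))
    host_bits = w.bit_length()
    if w != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard mask {wildcard} is not supported")
    return 32 - host_bits


def acl_matches(network: str, wildcard: str, address: str) -> bool:
    """IOS semantics: bits set in the wildcard are ignored; all other bits must
    equal the network address."""
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(address))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def covered_hosts(network: str, wildcard: str, hosts):
    """Return the sample hosts that an ACL entry for network/wildcard would match."""
    return [h for h in hosts if acl_matches(network, wildcard, h)]


def acl_lines(network: str, wildcard: str):
    """Render the paired entries: a split-tunnel permit and the NAT-exemption deny
    for the same LAN network / VPN pool pair."""
    pool, pool_wc = VPN_POOL
    permit = f"access-list {SPLIT_TUNNEL_ACL} permit ip {network} {wildcard} {pool} {pool_wc}"
    deny = f"access-list {NO_NAT_ACL} deny   ip {network} {wildcard} {pool} {pool_wc}"
    return permit, deny


if __name__ == "__main__":
    for wc in ("0.0.1.255", "0.0.3.255"):
        print(f"10.1.0.0 {wc} is a /{wildcard_to_prefixlen(wc)}; reachable sample hosts:",
              covered_hosts("10.1.0.0", wc, LAN_HOSTS))
    for line in acl_lines("10.1.0.0", "0.0.3.255"):
        print(line)
```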

Re: Cannot access all subnets while connected by VPN

You need to be as granular as possible, so be careful with the ACLs. If you are going to permit access to only 3 or 4 networks, go ahead and add 3 or 4 ACLs.

Remember the exception in the route map for the NAT.

New Member

Re: Cannot access all subnets while connected by VPN

OK, I just wanted to make sure that I understood how the inverse masks work. I have been in IT for several years, but most of the time the routers were already set up. I have worked mostly for small companies, so we usually just had one subnet. It's a testament to the reliability of the Cisco products: I haven't learned anything because they rarely break! :-)  Oops... did I just jinx myself?

Thank you for the time you took in answering my question!
