Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cannot access remote server via Cisco VPN client 5.x

I'm trying to access a MS Windows Terminal Server (TS) via a Cisco 1841router.  The client is using a laptop with WinXPP and Cisco VPN 5.x client.  I can connect to the 1841 router as I can see all sorts of information via Show Crypto commands.  What I cannot do is access the TS from the laptop. I believe it may be a routing issue but I'm not sure.

The network is set up as follows:

TS 192.168.5.0 network

Lnx-1841 gw 192.168.20.0

TS ----- Cisco Switch ----- Linux Gateway --- Cisco 1841----- Internet ------Laptop w/Cisco Client 5.x

I can access the TS unit from my desktop if I do not use a Cisco client (e.g I use RDP)

TS ----Cisco Switch ----- Linux Gateway(main firewall) ------Cisco 1841 ---- Internet ------ Cisco 877(Nat) ----Switch --- Desktop

I have the crypto map on the outside interface (Dialer0).

What I would like to know is am I supposed to have any other networks listed under eigrp heading I have:

192.168.3.0

192.168.12.0

192.168.20.0

the ip routes are:

ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.5.0 255.255.255.0 192.168.20.1
ip route 192.168.20.0 255.255.255.248 Dialer0

Or could it be a NAT issue?

Also how can I test if I'm getting through to the other side? if I'm right I do not think you can ping through a tunnel or VPN connection or can you?

Thanks

5 REPLIES
Cisco Employee

Re: Cannot access remote server via Cisco VPN client 5.x

These 2 lines looks a bit incorrect:

ip route 192.168.5.0 255.255.255.0 192.168.20.1
ip route 192.168.20.0  255.255.255.248 Dialer0

Assuming your TS is in 192.168.5.0 subnet which is internal to the 1841 router, and the next hop is 192.168.20.1 as per the above route. However, you have the next statement of routing 192.168.20.0/29 towards Dialer0 (which is the outside interface of the router)?

Also, what is the ip pool for the VPN Client?

To be able to access the 192.168.5.0/24 network through VPN Client, the following needs to be configured:

1) If you have split tunneling configured, you would need to add the 192.168.5.0/24 network

2) You also need to configure NAT exemption from the 192.168.5.0/24 towards the ip pool subnet

3) The Linux Gateway needs to route traffic destine for the ip pool subnet towards the 1841 router.

Hope that helps.

New Member

Re: Cannot access remote server via Cisco VPN client 5.x

Cisco tech configured those lines when we first set up the router.

192.168.20.2 is the ip address of the internal Cisco interface (FA0/0)

192.168.20.1 is the external interface of the LNX server.

The ip pool for the VPN clients are 10.5.5.1 10.5.5.10 as I only really need 2 I could trim that down to 10.5.5.5.

Split tunneling is not neccessary, when the laptop user connects to the VPN we want them off of the network they are running the client from.

Sorry I do not understand #2 and #3 fully,  are you saying we need to exclude the the 192.168.5.0 from the ip pool subnet (10.5.5.0), why would you do that when what we're trying to do is access the 192.168.5.0 network or mainly just the TS server.

All our NAT statements are similar to:

ip nat inside source static tcp 192.168.20.1 110 203.161.81.22 110 extendable

re; #3 we have a setup where another location is accessing the TS server from a remote location and the LNX GW  has packets being directed from the 1841 to the TS server.  Wouldn't this be the same or do I have to specify that the packets coming from 1841 with ip address 10.5.5.0 are also to be directed to the TS server?

Thanks for your response, hope we can ge this configured.

Cisco Employee

Re: Cannot access remote server via Cisco VPN client 5.x

Not sure why you need to configure "ip route 192.168.20.0  255.255.255.248 Dialer0", I would consider removing it if you don't need that line.

In regards to #2: do you have a dynamic nat statement? something like: "ip nat inside source list" or "ip nat inside source route-map". If you do, please share the nat statement as well as the access-list and/or route-map

In regards to #3: the linux gateway needs to have a route for 10.5.5.0/28 towards the router fa0/0 (192.168.20.2), if the linux gateway default gateway is not the router fa0/0.

New Member

Re: Cannot access remote server via Cisco VPN client 5.x

I only know that the Cisco engineer had to put it there as I wasn't able to go outside without it.  The 192.168.20 network is the network from the LNX gw to the Cisco router as 20.1 is the LNX eth1 and 20.2 is the internal Cisco port FE0.

ip nat inside source list 1 interface Dialer0 overload

ip nat inside source static tcp 192.168.20.1 22 203.161.81.22 22 extendable
ip nat inside source static tcp 192.168.20.1 25 203.161.81.22 25 extendable
ip nat inside source static tcp 192.168.20.1 110 203.161.81.22 110 extendable
ip nat inside source static tcp 192.168.20.1 3389 203.161.81.22 3389 extendable
ip nat inside source static tcp 192.168.20.1 3390 203.161.81.22 3390 extendable
ip nat inside source static tcp 192.168.20.1 4899 203.161.81.22 4899 extendable
!
access-list 1 permit 192.168.20.0 0.0.0.7

The lnx gw is the router

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.20.0    *               255.255.255.252 U     0      0        0 eth1
192.168.5.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.20.2    0.0.0.0         UG    0      0        0 eth1

jon

Cisco Employee

Re: Cannot access remote server via Cisco VPN client 5.x

Based on this: "ip nat inside source list 1 interface Dialer0 overload", it seems like your linux gateway is also performing a PAT for all the internal subnet, because ACL 1 only includes 192.168.20.0/29

If the above is correct, you would need to configure the following:

1) On the router, create a new ACL:

access-list 171 deny ip 192.168.5.0 0.0.0.255 10.5.5.0 0.0.0.15

access-list 171 permit ip 192.168.20.0 0.0.0.7 any

ip nat inside source list 171 interface Dialer0 overload

no ip nat inside source list 1 interface Dialer0 overload

2) On the Linux gateway, you would also need to exempt the 192.168.5.0/24 subnet from being PATed when it's destined for 10.5.5.0/28 subnet.

1162
Views
0
Helpful
5
Replies
CreatePlease to create content