New Member

Cannot connect to all host networks on VPN client

I have a VPN client connected to a Cisco 2800 series router as the concentrator. The client successfully connects, but can only communicate with one network on the host side. The VPN client is assigned an IP on the 172.16.2.0 network, and it can only communicate with the 172.16.1.0 host network. It needs to communicate with the other networks, such as 172.16.3.0, 172.16.4.0 and so on. I do not see anything in the config that restricts communication to only the one network, so I do not see where to add the other networks. Please advise how I can give the VPN client access to all host networks. Thanks.

26 REPLIES
Cisco Employee

Re: Cannot connect to all host networks on VPN client

Do you have split tunnel configured? If you do, then you would also need to add those other networks in the split tunnel ACL. If you don't, then it's OK.

Another place would be the NAT exemption, you would need to configure NAT exemption for the other internal networks towards the VPN Client pool.

Feel free to post the ACL for the NAT statement, and I can assist you with the NAT exemption.

New Member

Re: Cannot connect to all host networks on VPN client

Thanks, Jennifer.

Yes, we have split tunnel enabled. I looked for that in the configs and do not see it. If you can help me identify the split tunnel section of the configs, and give an example of the command I need to add for each network to be allowed there, I'd greatly appreciate it.

Cisco Employee

Re: Cannot connect to all host networks on VPN client

Please take a look at the "crypto isakmp client configuration" section, and if you have split tunnel configured, there should be an "acl" command line.

Please kindly share the actual ACL configured.

Also please check the "ip nat inside source" configuration line, and share the actual ACL configured for this command.

New Member

Re: Cannot connect to all host networks on VPN client

Yes, the ACL referenced in the "crypto isakmp client configuration" is "acl 100".  Here are the access-list commands below (the networks in the list are the ones that the VPN clients need access to, but currently cannot access):

access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit ip 172.16.2.0 0.0.0.255 any
access-list 100 permit ip 172.16.3.0 0.0.0.255 any
access-list 100 permit ip 172.16.4.0 0.0.0.255 any
access-list 100 permit ip 172.16.5.0 0.0.0.255 any
access-list 100 permit ip 172.16.6.0 0.0.0.255 any
access-list 100 permit ip 172.16.7.0 0.0.0.255 any

Also, there are some "ip nat inside source" commands for email, etc. but none that reference an ACL.

Cisco Employee

Re: Cannot connect to all host networks on VPN client

The split tunnel ACL looks correct. I am suspecting that the dynamic NAT is causing the issue.

Can you post the NAT statement (sh run | i ip nat inside source) and the corresponding ACL? Thanks.

New Member

Re: Cannot connect to all host networks on VPN client

Here are the "ip nat inside source" commands (I replaced the actual Public IPs with "PUBLIC IP" for security purposes):

ip nat inside source route-map ABC interface FastEthernet0/1 overload
ip nat inside source route-map INTERNET interface FastEthernet0/3/0 overload
ip nat inside source static tcp 172.16.1.111 25 "PUBLIC IP" 25 extendable
ip nat inside source static tcp 172.16.1.111 80 "PUBLIC IP" 80 extendable
ip nat inside source static tcp 172.16.1.111 443 "PUBLIC IP" 443 extendable

What ACL would you need that corresponds to this?

Cisco Employee

Re: Cannot connect to all host networks on VPN client

OK, looks like you are using route-map instead of access-list.

ip nat inside source route-map ABC interface FastEthernet0/1 overload
ip nat inside source route-map INTERNET interface FastEthernet0/3/0 overload

Which external interface is the VPN Client terminating on, fa0/1 or fa0/3/0?

If it's fa0/1, then please share the output of route-map ABC and its corresponding ACL.

If it's fa0/3/0, then please share the output of route-map INTERNET and its corresponding ACL.

Thanks.

New Member

Re: Cannot connect to all host networks on VPN client

The VPN Client terminates on fa0/3/0.

Here is the output you requested:

Router#show route-map INTERNET
route-map INTERNET, permit, sequence 10
  Match clauses:
    ip address (access-lists): INTERNET_NAT
  Set clauses:
    interface FastEthernet0/3/0
  Policy routing matches: 0 packets, 0 bytes

And here's the corresponding ACL:

ip access-list extended INTERNET_NAT
deny   ip 172.16.0.0 0.0.255.255 159.212.0.0 0.0.255.255
permit ip 172.16.0.0 0.0.255.255 any

Cisco Employee

Re: Cannot connect to all host networks on VPN client

Perfect. As advised earlier, your VPN pool is 172.16.2.0/24, right?

You would need to add the following:

ip access-list extended INTERNET_NAT
 1 deny ip 172.16.0.0 0.0.255.255 172.16.2.0 0.0.0.255

Then you would need to clear the existing NAT translation: clear ip nat trans *

Hope that helps.
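As an added illustration (not part of the thread or of Cisco's code), here is a small Python model of how IOS evaluates the INTERNET_NAT list first-match with wildcard masks, before and after the deny line suggested above. A "permit" in the route-map's ACL means the packet is translated to the outside interface address and never reaches the VPN client; a "deny" leaves it untranslated so it can be routed into the tunnel. The sample addresses and the simplified NAT semantics are my assumptions.

```python
import ipaddress

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard-mask match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_action(acl, src, dst):
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")

# Entries as posted in the thread (action, src, src-wildcard, dst, dst-wildcard).
ORIGINAL_INTERNET_NAT = [
    ("deny", "172.16.0.0", "0.0.255.255", "159.212.0.0", "0.0.255.255"),
    ("permit", "172.16.0.0", "0.0.255.255", *ANY),
]

# The suggested fix: exempt traffic destined for the 172.16.2.0/24 VPN pool,
# inserted as sequence 1 so it is evaluated before the broad permit.
FIXED_INTERNET_NAT = [
    ("deny", "172.16.0.0", "0.0.255.255", "172.16.2.0", "0.0.0.255"),
] + ORIGINAL_INTERNET_NAT

def will_be_natted(acl, src, dst):
    """True when the NAT route-map's ACL permits the flow, i.e. it gets PATed
    to the outside interface instead of being left for the IPsec tunnel."""
    return acl_action(acl, src, dst) == "permit"

if __name__ == "__main__":
    # Constructed sample: a host on 172.16.3.0 answering a VPN client.
    for name, acl in (("original", ORIGINAL_INTERNET_NAT), ("fixed", FIXED_INTERNET_NAT)):
        print(name, "172.16.3.10 -> 172.16.2.5 natted:",
              will_be_natted(acl, "172.16.3.10", "172.16.2.5"))
```

Internet-bound traffic from the inside networks still matches the permit after the fix, so ordinary PAT to FastEthernet0/3/0 keeps working.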
