Cisco Support Community

New Member

Clients Connect via IPSec VPN but can't access local LAN or Internet

New install - IPSec VPN connects; however, VPN users cannot access local LAN or Internet resources.

See router and firewall config attached.

Suggestions are much appreciated.

Note: IP addresses have been modified for security.

12 REPLIES
New Member

Re: Clients Connect via IPSec VPN but can't access local LAN or

Any/all contributions are greatly appreciated.

New Member

Re: Clients Connect via IPSec VPN but can't access local LAN or

ANY HELP, would be greatly appreciated..

New Member

Re: Clients Connect via IPSec VPN but can't access local LAN or

Scroll down toward the bottom of the page and you will find a thread that I posted regarding the same issues. Good luck.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=Security&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbfef09

New Member

Re: Clients Connect via IPSec VPN but can't access local LAN or

Thx for sharing - Split_tunnel was indeed set up and users can connect; they just can't ping anywhere or access any resources.

It's a collapsed network design - meaning the CORE does everything and the ASA hangs off the CORE.

Re: Clients Connect via IPSec VPN but can't access local LAN or

Hi Alphonso

Simply issue the following command in ASA

crypto isakmp nat-traversal 20

Regards

New Member

Re: Clients Connect via IPSec VPN but can't access local LAN or

Hi, thank you for your comments [much appreciated]. However, what does the above command do [provide]?

Do you have any URLs for additional reading?

Re: Clients Connect via IPSec VPN but can't access local LAN or

Alphonso,

This command makes it possible to establish an IPSEC VPN tunnel from clients that are behind a device that applies NAT, as most home or business routers/modems do, for public IP. Since port numbers and IP addresses are not stable and are dynamically built in the translation table in Network Address Translation, this creates some incompatibility issues with IPSEC. NAT-T lets the original source be exchanged, and this bypasses the possible incompatibilities.

Here is a more technical explanation:

http://en.wikipedia.org/wiki/NAT_traversal

Regards

New Member

Re: Clients Connect via IPSec VPN but can't access local LAN or

Very interesting - I will try that command. Were you able to review the config that I posted?

Temporarily, I got it to work without using any additional commands, but I had to place the VPN pool on the inside interface of the firewall uplink [in other words, the firewall inside interface resides on 172.16.50.x and the VPN pool resides on 172.16.80.x].

It's the only way I was able to get VPN users to access local resources and the Internet, although the current solution does compromise the design b/c I had to place the VPN pool on the inside IP range assigned to the inside interface of the firewall, which connects directly to the CORE infrastructure.

Topology layout: Collapsed CORE/DISTRIBUTION design

FW1 [inside] --> CORE1

FW1 [outside] --> CORE1 [ISP]

I'm not sure if the NAT TRAVERSAL command would be the solution, but I'm open to trying all new recommendations since the environment has not yet gone live.

-Regards,

-ag

Re: Clients Connect via IPSec VPN but can't access local LAN or

"Were you able to review the config that I posted"

After we cover the basics, I will review it. But NAT-T should resolve the issue.

New Member

Re: Clients Connect via IPSec VPN but can't access local LAN or

Does "split-tunneling" work in this case?

New Member

Re: Clients Connect via IPSec VPN but can't access local LAN or

Nope - split-tunnel was enabled already - none of the recommendations have worked. I'm going to change the design of the infrastructure [routing] just to get this to work.

I will post my solution over the next day or two when I get it working. All works if the VPN pool remains attached to the inside network of the firewall, but when I place the VPN pool on another network, all breaks, so it forces me to think that it's a routing issue b/c the VPN works when the pool remains in the network range of the inside interface.

New Member

Re: Clients Connect via IPSec VPN but can't access local LAN or

Alphonso,

Please try this command

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
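
An added example, not written by any poster in this thread: a return-path check for the routing hypothesis raised above, namely that the tunnel works only while the pool sits in the firewall's inside range. It runs a longest-prefix match on the core's routing table to see where replies to a VPN client are sent. The /24 masks, the firewall address 172.16.50.1, the client addresses and the core routing table are constructed assumptions, since the posted config is not on the page.

```python
import ipaddress

# Constructed values: the thread gives only 172.16.50.x (firewall inside)
# and 172.16.80.x (VPN pool); masks, addresses and routes are assumptions.
FW_INSIDE = "172.16.50.1"
INSIDE_NET = ipaddress.ip_network("172.16.50.0/24")
CORE_ROUTES = [
    ("172.16.50.0/24", "connected"),  # segment shared with the firewall
    ("0.0.0.0/0", "isp"),             # default route toward the ISP
]

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def return_path(routes, client_ip):
    """Classify where the core sends replies addressed to a VPN client."""
    hop = next_hop(routes, client_ip)
    if hop == FW_INSIDE:
        return "via-firewall"
    if hop == "connected" and ipaddress.ip_address(client_ip) in INSIDE_NET:
        return "on-link"       # delivered on the firewall's inside segment
    return f"misrouted:{hop}"  # replies never reach the tunnel endpoint

if __name__ == "__main__":
    cases = [
        ("pool inside 172.16.50.x", CORE_ROUTES, "172.16.50.200"),
        ("pool on 172.16.80.x, no route", CORE_ROUTES, "172.16.80.10"),
        ("pool on 172.16.80.x, static route",
         CORE_ROUTES + [("172.16.80.0/24", FW_INSIDE)], "172.16.80.10"),
    ]
    for label, routes, client in cases:
        print(f"{label:36} -> {return_path(routes, client)}")
```

On a live network the same question is answered by looking up the pool prefix in the core's routing table and confirming the next hop is the firewall's inside interface.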
