VPN Client can't connect to local network

jonjineer13
Level 1

Hi,

I need help with my VPN configuration. I was able to authenticate to my VPN using AnyConnect, and I can also ping the IP of the router and access its CLI; the problem is that I cannot connect to other network resources.

Please see the configuration below, which I got from the Cisco website. I think this is a pretty basic configuration; I'm quite new to configuring VPNs, so I really need some help to understand much of its configuration. Thank you very much!

Building configuration...

Current configuration : 2288 bytes
!
! Last configuration change at 05:52:55 UTC Tue Dec 10 2013
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable password 12345678
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
username cisco password 0 c1sc0
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key cisco123
 pool ippool
 acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 192.168.100.210 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 1.1.1.1 255.255.255.192
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map clientmap
!
ip local pool ippool 10.5.5.10 10.5.5.15
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 111 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.254
!
access-list 101 permit ip 192.168.100.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 101 permit ip any any
access-list 111 deny   ip 192.168.100.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 111 permit ip any any
!
!
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 password 12345678
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password 12345678
 transport input all
!
scheduler allocate 20000 1000
!
end

4 Replies

WILLIAM STEGMAN
Level 4

Try removing the line

access-list 101 permit ip any any

It sounds like you want to set up split tunneling, but with the access-list 101 permit ip any any line you end up tunneling all.

Hi Sir,

I've already removed the line as advised, but the problem still persists.

Jon, can you clarify what other resources it is you're trying to reach? Is it something behind the VPN router, i.e. resources on its LAN interface, or is it resources on the network your client is located on? Every network you'll want to reach behind the VPN router will need to be defined in access-list 101. And then it would have to be denied in access-list 111. To enable local LAN access you'd also have to set it in the client's AnyConnect options.

Hi William,

Thanks for your reply.

I'm trying to access the whole 192.168.100.0 network, and yes, it is behind the VPN router. If I want to access 192.168.100.0, is the configuration below correct? FYI, this is what I've already defined in my configuration.

access-list 101 permit ip 192.168.100.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 111 deny   ip 192.168.100.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 111 permit ip any any

May I also ask what I need to change on AnyConnect? Thank you very much.
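The relationship William describes between the two ACLs (every LAN network the client should reach must be permitted in the split-tunnel ACL 101 and denied in the NAT ACL 111, and a `permit ip any any` in 101 turns split tunneling into tunnel-all) can be checked mechanically rather than by eye, which also answers Jon's "is the configuration below correct?" question. The script below is an added example written for this thread; it is not Cisco code and not something either poster supplied. It assumes numbered extended IOS ACLs using only the `ip` protocol keyword (the syntax shown in the thread), takes the LAN and the subnet covering the VPN pool as inputs, and embeds the four access-list lines from the original post as a constructed sample.

```python
import ipaddress
import re

# Constructed sample input: the split-tunnel ACL (101) and NAT-exemption ACL (111)
# as posted in the thread, before "permit ip any any" was removed from 101.
SAMPLE_CONFIG = """\
access-list 101 permit ip 192.168.100.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 101 permit ip any any
access-list 111 deny   ip 192.168.100.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 111 permit ip any any
"""

# Only the "access-list N permit|deny ip SRC DST" form is handled (assumption).
ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+"
    r"(any|\S+\s+\S+)\s+(any|\S+\s+\S+)$"
)
ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_to_network(token):
    """Turn 'any' or 'address wildcard' (IOS wildcard mask) into an IPv4Network."""
    if token == "any":
        return ANY
    addr, wildcard = token.split()
    # An IOS wildcard mask is the bitwise inverse of the netmask.
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_acls(config_text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            number, action, src, dst = m.groups()
            acls.setdefault(number, []).append(
                (action, wildcard_to_network(src), wildcard_to_network(dst)))
    return acls


def first_match(rules, src, dst):
    """Action of the first ACE covering src->dst; IOS ends every ACL with an implicit deny."""
    for action, rule_src, rule_dst in rules:
        if src.subnet_of(rule_src) and dst.subnet_of(rule_dst):
            return action
    return "deny"


def audit_split_tunnel(config_text, lan, pool, split_acl="101", nat_acl="111"):
    """Check the split-tunnel ACL and the NAT ACL against each other.

    lan and pool are CIDR strings for the LAN behind the router and the subnet
    covering the VPN address pool. Returns a list of findings; empty means consistent.
    """
    acls = parse_acls(config_text)
    split_rules = acls.get(split_acl, [])
    nat_rules = acls.get(nat_acl, [])
    lan_net = ipaddress.ip_network(lan)
    pool_net = ipaddress.ip_network(pool)
    findings = []

    # 1. 'permit ip any any' in the split-tunnel ACL sends all client traffic into the tunnel.
    if any(a == "permit" and s == ANY and d == ANY for a, s, d in split_rules):
        findings.append(f"acl {split_acl}: 'permit ip any any' tunnels all traffic (no split tunnelling)")

    # 2. The LAN must be permitted in the split-tunnel ACL or the client never routes to it.
    if first_match(split_rules, lan_net, pool_net) != "permit":
        findings.append(f"acl {split_acl}: {lan_net} -> {pool_net} is not permitted, so clients cannot reach the LAN")

    # 3. The same LAN->pool traffic must hit a deny in the NAT ACL (NAT exemption);
    #    a permit that comes first would translate replies to the outside address instead.
    if first_match(nat_rules, lan_net, pool_net) != "deny":
        findings.append(f"acl {nat_acl}: {lan_net} -> {pool_net} is not exempted from NAT")

    return findings


if __name__ == "__main__":
    for finding in audit_split_tunnel(SAMPLE_CONFIG, "192.168.100.0/24", "10.5.5.0/24"):
        print(finding)
```

Run against the posted lines it reports only the tunnel-all entry; with that line removed, as William suggested, it reports nothing, which is the state Jon's last post shows. Because ACLs are evaluated top down, the NAT check looks at the first matching entry rather than at whether a deny exists anywhere, so a `permit ip any any` accidentally placed above the deny in 111 is caught too.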