I have configured RTR1 to support VPN clients. RTR1 has a site-to-site VPN tunnel with RTR2.
VPN clients connected to RTR1 have IP connectivity to the RTR1 LAN. How do I get the VPN client LAN to have access to the RTR2 LAN?
I have included the VPN client LAN to be encrypted in the VPN tunnel to the RTR2 LAN and vice versa. I have also tried a static route configured on RTR2 for the VPN client LAN using the RTR1 WAN IP as next hop.
Still not working for me. Any ideas?
I haven't done it with an IOS router before but give this a try. Your split tunnel ACL for the remote VPN clients needs to have the remote RTR2 LAN subnet in it.
Sorry mate!! You lost me there. I should have mentioned security is not my strongest skill. When you say split tunnel ACL, do you mean the ACL that permits the LANs of RTR1 and RTR2 over the tunnel? Maybe an example will help clarify this. Thanks in advance.
Here's an example of the ACL I'm talking about. The split tunnel ACL must contain both the internal subnet and remote subnet via the site to site VPN.
ip access-list extended VPN-ACL
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 10.1.2.0 0.0.0.255 any
!
crypto isakmp client configuration group VPN
 acl VPN-ACL
! the 'acl' line under the client group is what hands VPN-ACL to the clients as their split-tunnel list
I found the split tunnel ACL and have added the remote RTR2 LAN subnet to it. I still cannot reach it. Just to make sure I was editing the correct ACL on RTR1, I removed one of the local subnets and I could not ping it from the VPN client.
Thanks for solving the VPN client to remote LAN issue. I got another one I am struggling with.
I have the same two sites, RTR1 and RTR2, acting as firewalls with a site-to-site VPN. On RTR1 I have a static NAT for the Exchange server.
From the RTR2 site, I can connect on port 25 to the RTR1 Exchange NATed IP (public IP) but not on the private IP.
If I remove the one-to-one NAT entry for the Exchange server, I can connect on port 25 on the private IP. How do I get both to work, connecting to the Exchange server on the private and the public IP on port 25?
I would have pasted the config, but there is just too much to edit.
I have the one-to-one NAT for the mail server. How do I use a route map to achieve users being able to get to the mail server on the public IP address and on the private IP address via the VPN tunnel?
Here's an example of NAT with route-map to exclude VPN traffic.
ip access-list extended NO-NAT-ACL
 deny ip host x.x.x.x y.y.y.y 0.0.0.255
 permit ip host x.x.x.x any
!
! x.x.x.x = mail server private IP, y.y.y.y = RTR2 LAN; the deny must come first so tunnel traffic is never translated
! route-map name NO-NAT is assumed (not given in the original post)
route-map NO-NAT permit 10
 match ip address NO-NAT-ACL
!
ip nat inside source static x.x.x.x 220.127.116.11 route-map NO-NAT
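An added example (not config from this thread) modelling what both answers rely on: IOS evaluates an extended ACL top-down with first match winning, so the split-tunnel ACL only works once the RTR2 LAN is in it, and the NAT-exemption ACL only keeps the mail server's private address over the tunnel if its deny sits above the permit. The LAN subnets, client pool and mail-server address below are constructed.

```python
"""Order-sensitive model of IOS extended-ACL matching, used to check the two ACLs
from this thread: the split-tunnel ACL for VPN clients and the NAT-exemption ACL
behind the NAT route-map. Added example; all addresses are constructed."""
import ipaddress

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS address/wildcard pair -> network (assumes a contiguous wildcard)."""
    prefix = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_target(tokens: list) -> ipaddress.IPv4Network:
    """Consume one 'any' | 'host A' | 'A WILDCARD' spec from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))

def parse_acl(text: str) -> list:
    """Parse 'permit|deny ip SRC DST' lines, keeping the configured order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list extended NAME' header line
        rest = tokens[2:]  # tokens[1] is the protocol; pops consume src then dst
        entries.append((tokens[0], parse_target(rest), parse_target(rest)))
    return entries

def lookup(entries: list, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"

# Constructed topology: RTR1 LAN 10.1.1.0/24, RTR2 LAN 10.1.2.0/24,
# VPN client pool 192.168.100.0/24, mail server 10.1.1.25 behind a static NAT.
SPLIT_TUNNEL = parse_acl("ip access-list extended VPN-ACL\n"
                         "permit ip 10.1.1.0 0.0.0.255 any\npermit ip 10.1.2.0 0.0.0.255 any")
NO_NAT = parse_acl("deny ip host 10.1.1.25 10.1.2.0 0.0.0.255\npermit ip host 10.1.1.25 any")

def client_can_reach(acl: list, lan_ip: str, client_ip: str) -> bool:
    return lookup(acl, lan_ip, client_ip) == "permit"  # split-tunnel: src=LAN, dst=client

def static_nat_applies(acl: list, server_ip: str, dst_ip: str) -> bool:
    return lookup(acl, server_ip, dst_ip) == "permit"  # route-map permit = translate
```

Swapping the two NO-NAT lines makes the permit shadow the deny, which is exactly the "works on the public IP but not the private IP" symptom from the thread.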