Unable to connect network from Cisco Client VPN

Latchum Naidu
VIP Alumni

Hi All,

I have an 1841 and have configured the client VPN below:


crypto isakmp client configuration group xxxxx
key xxxxxxxxxxx
dns 10.28.x.xx 10.12.x.xx
wins 10.28.x.xx
domain xxxxxx
pool GBIT
acl 2001

ip local pool GBIT 192.168.xxx.xxx 192.168.xxx.xxx

access-list 2001 permit ip 10.13.0.0 0.0.255.255 any
access-list 2001 permit ip 10.12.1.0 0.0.0.255 any
access-list 2001 permit ip 10.246.0.0 0.0.255.255 any
access-list 2001 permit ip 10.28.0.0 0.0.255.255 any


The problem here is, I am able to connect to the client VPN from the outside world, but after connecting I am not able to access any of the networks defined in "acl 2001".

Experts, can someone suggest where the problem is?


Regards,
Naidu.

9 Replies

Jennifer Halim
Cisco Employee

Double check that you have configured NAT exemption for the VPN traffic.

Hi Halijenn,

Thanks for your response,

There are no NAT exemptions for VPN traffic.

And one more thing: the same configuration is working fine on another router with a different public IP.

Regards,

Naidu.

What do you mean by there is no NAT exemption for VPN traffic? Do you have a NAT statement at all on your router? If you do, you would need to configure an ACL to deny the VPN traffic from being NATed. Please share the config for further help.

Hi Halijenn,

Sorry for the misunderstanding. Yes, we have denied VPN traffic in NAT.

Please find the below NAT configuration for the same.

no ip http server
no ip http secure-server
ip nat pool nonat 193.xxx.xxx.x 193.xxx.xxx.x netmask 255.255.255.0
ip nat source static 195.xx.x.xx 10.xx.x.xx route-map DKRGLDAP extendable
ip nat source static 10.xx.x.xx 195.xx.x.xx route-map DKRGLDAP extendable
ip nat inside source route-map nonat pool nonat overload

ip access-list extended NONAT
deny   ip 10.246.0.0 0.0.255.255 192.168.xx.0 0.0.0.255
deny   ip 10.28.0.0 0.0.255.255 192.168.xx.0 0.0.0.255

Regards,

Naidu.

These statics look incorrect:

ip nat source static 195.xx.x.xx 10.xx.x.xx route-map DKRGLDAP  extendable
ip nat source static 10.xx.x.xx 195.xx.x.xx route-map  DKRGLDAP extendable

Are you configuring the same static statement bidirectionally? If you do, you don't need the first line.

Please share the whole config. Based on the part of the config provided, it seems correct.

Hi halijenn

The two NAT statements are for in and out, with the defined route-maps.

Please find the attached config and suggest where I am wrong.

Regards,

Naidu.

Based on the sanitized config, it seems like the IP pool for the VPN is in the same subnet as fa0/1 (your internal subnet). Please change the IP pool to something totally different (another unique subnet).

Then you would need to change ACL 2001 and nonat accordingly with the new ip pool subnet.

Then you would need to configure a static route for the pool: ip route xxx.xxx.xxx.xxx 255.255.255.0 193.xxx.xxx.x

Lastly, make sure that your internal router routes traffic towards the ip pool subnet towards this router fa0/1 interface (192.168.xxx.xx).

Hi Halijenn,

The IP pool for the VPN (192.168.10.200 - 192.168.10.250) and the IP on fa0/1 (192.168.99.11) are entirely different subnets.

And as I mentioned in my previous post, the same config is working fine in another 1841 router.

Regards,

Naidu.

I see that you are running OSPF as the routing protocol; please make sure that the internal router has a route towards the IP pool subnet (192.168.10.0/24) via the VPN router (fa0/1 - 192.168.99.11).

Alternatively, you can configure "reverse-route" on your vpn client group policy, and redistribute static on your OSPF and that would automatically redistribute the pool to the internal routers once the vpn client is connected.
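As an added check for threads like this one (example code written here, not from the poster or from Cisco), the script below parses the split-tunnel ACL 2001 and the NONAT ACL as posted, with the masked x's replaced by assumed stand-in values, and reports every split-tunnel network that has no NONAT deny covering traffic to the client pool; it also tests the pool-versus-fa0/1 overlap raised above. Against the entries shown in the thread it flags 10.13.0.0/16 and 10.12.1.0/24, which appear in acl 2001 but not in the NONAT entries posted.

```python
import ipaddress

# Constructed sample modelled on the thread (masked x's replaced by stand-ins); not the poster's real config.
ACL_2001 = """
access-list 2001 permit ip 10.13.0.0 0.0.255.255 any
access-list 2001 permit ip 10.12.1.0 0.0.0.255 any
access-list 2001 permit ip 10.246.0.0 0.0.255.255 any
access-list 2001 permit ip 10.28.0.0 0.0.255.255 any
"""
NONAT = """
ip access-list extended NONAT
 deny   ip 10.246.0.0 0.0.255.255 192.168.10.0 0.0.0.255
 deny   ip 10.28.0.0 0.0.255.255 192.168.10.0 0.0.0.255
"""
POOL = ("192.168.10.200", "192.168.10.250")   # ip local pool GBIT, as posted
FA0_1 = "192.168.99.11/24"                    # inside interface, /24 assumed

def _take_addr(tok):
    """Consume 'any' or '<addr> <wildcard>' from a token list; return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    # IOS wildcard mask -> netmask (bitwise inverse)
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(tok[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def parse_acl(text, action):
    """Return (src, dst) networks for every 'ip' entry with the given action."""
    pairs = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"]:
            tok = tok[2:]                      # drop 'access-list <number>'
        if len(tok) < 3 or tok[0] != action or tok[1] != "ip":
            continue
        src, rest = _take_addr(tok[2:])
        dst, _ = _take_addr(rest)
        pairs.append((src, dst))
    return pairs

def missing_nat_exemptions(split_acl, nonat_acl, pool):
    """Split-tunnel networks whose traffic to the pool is not denied in NONAT."""
    pool_nets = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(pool[0]), ipaddress.IPv4Address(pool[1])))
    denies = parse_acl(nonat_acl, "deny")
    return [str(net) for net, _ in parse_acl(split_acl, "permit")
            if not any(net.subnet_of(src) and all(p.subnet_of(dst) for p in pool_nets)
                       for src, dst in denies)]

def pool_overlaps_interface(pool, iface):
    """True if the client pool lies inside the inside interface's subnet."""
    net = ipaddress.ip_interface(iface).network
    return any(ipaddress.IPv4Address(a) in net for a in pool)
```

Run `missing_nat_exemptions(ACL_2001, NONAT, POOL)` against your own sanitized entries; any network it returns will be translated by `ip nat inside source` before it reaches the client, which matches the symptom of a tunnel that connects but passes no traffic.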
