VPN Client can't see internal network

Discussion in 'Cisco' started by Ned, Aug 16, 2007.

  1. Ned

    Ned Guest

    Hi, hopefully someone may be able to help me. I have a remote user
    (User6) with a VPN client connecting to my PIX OK, but when he tries
    to PING or access server 172.29.11.250 the PINGs fail; I see no debug
    info on the PIX. When he PINGs the outside interface IP address I see
    the debug, but it is coming from the IP address of the remote user's ISP,
    not the IP address allocated from the VPN POOL. The PIX itself can
    PING 172.19.11.250 and this device can PING the PIX... TIA, Ned

    network-object 123.233.0.0 255.255.0.0
    network-object 99.19.0.0 255.255.0.0
    network-object host 89.234.51.114
    access-list 102 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 102 permit tcp object-group NEW-HOSTS host 67.192.238.228
    object-group RFID-PREMISE
    access-list 102 permit icmp object-group NEW-HOSTS host 67.192.238.228
    access-list 102 deny tcp any host 67.192.238.228
    access-list 102 permit tcp any any eq www
    access-list 102 permit icmp any any
    access-list 102 permit ip 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0
    access-list 102 permit ip 172.20.0.0 255.255.0.0 172.29.0.0 255.255.0.0
    access-list 102 permit ip 172.20.0.0 255.255.0.0 19.168.1.0 255.255.255.0
    access-list 102 permit ip 172.29.0.0 255.255.0.0 19.168.1.0 255.255.255.0
    access-list 80 permit ip host 172.29.11.250 host 172.20.1.1
    access-list 80 permit ip host 172.29.11.250 host 172.20.1.2
    access-list 80 permit ip host 172.29.11.250 host 172.20.1.3
    access-list 80 permit ip host 172.29.11.250 host 172.20.1.4
    access-list 80 permit ip host 172.29.11.250 host 172.20.1.5
    pager lines 24
    logging on
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    mtu appla 1500
    ip address outside 67.192.238.226 255.255.255.248
    ip address inside 192.168.1.254 255.255.255.0
    no ip address appla
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool minevpn 192.168.2.1-192.168.2.100
    ip local pool applapool1 172.20.1.1-172.20.1.100
    pdm history enable
    arp timeout 14400
    global (outside) 1 67.192.238.227
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 67.192.238.228 192.168.1.2 netmask 255.255.255.255 0 0
    route outside 0.0.0.0 0.0.0.0 67.192.152.1 1
    route inside 172.29.0.0 255.255.0.0 192.168.1.253 1
    ....
    vpngroup user5 address-pool minevpn
    vpngroup user5 idle-time 600
    vpngroup user5 password ********
    vpngroup user6 address-pool applapool1
    vpngroup user6 idle-time 600
    vpngroup user6 password ********
    vpngroup user7 address-pool applapool1
    vpngroup user7 idle-time 600
    vpngroup user7 password ********

    I have tried with NO NAT on and off, but the results are always the same:

    nat (inside) 0 access-list 80
     
    Ned, Aug 16, 2007
    #1

    kishore14in

    I would suggest checking the VPN client the remote user is using and the group name he is using. It would be good to check what privileges the group
    has on the PIX, whether he is able to access the local LAN at the central office.
     
    kishore14in, Aug 17, 2007
    #2

    benner Guest

    Did you check the routing table on the client? You should have other
    routes available when the VPN client is connected.

    Do you see a route for the subnet you want to reach?

    benner
     
    benner, Aug 17, 2007
    #3
