VPN clients unable to talk to internal networks

Discussion in 'Cisco' started by S Reese, Jan 11, 2008.

  1. S Reese

    S Reese Guest

    Remote clients (on 192.168.0.X) can connect to the router fine, but the
    VPN clients cannot access any of the internal networks. The only
    interface they can ping is 172.16.2.1.

    Here's a look at the config:

    !
    ! Running config of "3725router" (IOS 12.4): a NAT gateway with dot1Q
    ! sub-interfaces for VLANs 2 and 3, an ISAKMP/IPsec remote-access server
    ! (client group VPN-Users), an L2TP/PPP virtual-template, and an HTTPS
    ! management server. Lines starting with "!" are comments.
    ! NOTE(review): this paste shows real keys in clear text (the ISAKMP
    ! wildcard key and the client-group key); rotate them after posting.
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname 3725router
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    ! NOTE(review): the type-5 hash below ends right after its salt, so it
    ! looks truncated in the paste rather than in the running config - confirm.
    enable secret 5 $1$BUZ8$
    !
    aaa new-model
    !
    !
    ! Login, PPP, exec and network authorization all use the local user database.
    aaa authentication login default local
    aaa authentication ppp default local
    aaa authorization exec default local
    aaa authorization network default local
    !
    aaa session-id common
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    no network-clock-participate slot 1
    no network-clock-participate slot 2
    ip cef
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.16.2.1
    ip dhcp excluded-address 172.16.3.1
    ip dhcp excluded-address 172.16.3.100 172.16.3.150
    !
    ! DHCP scopes for the two VLAN sub-interfaces (Fa0/1.2 and Fa0/1.3, below).
    ip dhcp pool VLAN2clients
    network 172.16.2.0 255.255.255.0
    default-router 172.16.2.1
    dns-server 205.152.144.23 205.152.132.23
    !
    ip dhcp pool VLAN3clients
    network 172.16.3.0 255.255.255.0
    default-router 172.16.3.1
    dns-server 205.152.144.23 205.152.132.23
    !
    !
    ip domain name neocipher.net
    ! NOTE(review): both name-server addresses are cut off in the paste;
    ! presumably the same two resolvers the DHCP pools hand out - confirm.
    ip name-server 205.
    ip name-server 205.
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    vpdn enable
    !
    ! L2TP dial-in terminates on Virtual-Template1 (see below). Tunnel-level
    ! authentication is switched off, so only the per-user PPP authentication
    ! configured on the virtual-template protects this path.
    vpdn-group L2TP_VPN
    ! Default L2TP VPDN group
    accept-dialin
    protocol l2tp
    virtual-template 1
    no l2tp tunnel authentication
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ! Self-signed certificate used by the HTTPS management server
    ! ("ip http secure-server" below). "revocation-check none" is the normal
    ! setting for a self-signed trustpoint.
    crypto pki trustpoint TP-self-signed-995375956
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-995375956
    revocation-check none
    rsakeypair TP-self-signed-995375956
    !
    !
    ! Certificate body in hex; the last group of each line has wrapped onto
    ! the following line in the paste.
    crypto pki certificate chain TP-self-signed-995375956
    certificate self-signed 01
    3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101
    04050030
    30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D
    43657274
    69666963 6174652D 39393533 37353935 36301E17 0D303230 33303130
    36313133
    335A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403
    1325494F
    532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3939
    35333735
    39353630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189
    02818100
    CF80B9FF 105E6689 8ECB41A9 A433EA68 9142AC1C 27941675 D8308151
    4C68D1E8
    A13039C9 75CBB9B3 C5078A7B FF67D8C0 FC1EBBF8 0C17EE00 BCA4056E
    1903F769
    0C21CAB6 D04CCAAA 73D4F744 523FE2B1 0E2AC55C F85A6896 347328B1
    504B8A05
    FAA9C1DF 31786DA6 3F64652C 9AE3B1C5 5E69122C 748160E3 818F110F
    3978F0FF
    02030100 01A37830 76300F06 03551D13 0101FF04 05300301 01FF3023
    0603551D
    11041C30 1A821833 37323572 6F757465 722E6E65 6F636970 6865722E
    6E657430
    1F060355 1D230418 30168014 FC48BF7D 9B97167A 41CF22FD 013C798A
    154EC666
    301D0603 551D0E04 160414FC 48BF7D9B 97167A41 CF22FD01 3C798A15
    4EC66630
    0D06092A 864886F7 0D010104 05000381 8100CA4B 1A56F508 476C297C
    32C830F2
    21EBA101 A3D47202 7DD7FCB8 E91911EF 6EFC8095 0AA1B548 14468A43
    41A8E271
    176CC0F1 C576F65F 125A2A64 785149D9 1A302553 37E59C30 B59CEF3D
    C63E5019
    8897B79D C3DA4587 5EF1BC45 B10CB03C 0BFC1E1F 0AF2DF66 16653E18
    5E2FC795
    5D9BB821 85471E48 C34845A2 1BE83EAF F58D
    quit
    ! Local user database (used by every AAA list above and by Xauth).
    ! NOTE(review): "password 7" is a reversible encoding, not a hash; prefer
    ! "secret" as done for rsreese. The "test" account has the default
    ! privilege level.
    username rsreese privilege 15 secret 5 $1$k.mV$
    username test password 7 120D0
    !
    !
    ip ssh authentication-retries 2
    !
    !
    ! IKE phase 1: 3DES / pre-shared key / DH group 2. Weak by current
    ! standards; presumably what the client software in use supports.
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    ! NOTE(review): a wildcard (0.0.0.0 0.0.0.0) pre-shared key lets any peer
    ! that knows "mskey" complete phase 1; restrict the address if the peers
    ! are known.
    crypto isakmp key mskey address 0.0.0.0 0.0.0.0
    !
    ! Remote-access client group. Client addresses come from VPN_POOL
    ! (192.168.0.50-100, defined below). No split-tunnel ACL is configured,
    ! so all client traffic is expected to enter the tunnel; include-local-lan
    ! still lets a client reach its own local subnet.
    ! NOTE(review): the remote clients are reported to sit on 192.168.0.X,
    ! which overlaps this pool - a client whose LAN is 192.168.0.0/24 would
    ! be assigned a tunnel address inside its own LAN range; confirm the pool
    ! does not collide with the clients' networks.
    crypto isakmp client configuration group VPN-Users
    key test00
    dns 205.152.144.23 205.152.132.23
    domain neocipher.net
    pool VPN_POOL
    include-local-lan
    max-logins 10
    netmask 255.255.255.0
    !
    !
    ! NOTE(review): transport mode on the transform set used by the dynamic
    ! map for remote-access clients is unusual; such clients normally
    ! negotiate tunnel mode - confirm what the client actually proposes.
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    mode transport
    !
    ! NOTE(review): profile 65535 is not referenced by any interface in this
    ! config (no "tunnel protection"), so it appears unused.
    crypto ipsec profile 65535
    set transform-set ESP-3DES-SHA
    !
    !
    ! Dynamic map: peer and proxy identities are learned at negotiation time.
    crypto dynamic-map SDM_DYNMAP_1 1
    set transform-set ESP-3DES-SHA
    !
    !
    ! Xauth ("client authentication") and group authorization both use the
    ! local database; "address respond" hands out pool addresses on request.
    crypto map SDM_CMAP_1 client authentication list default
    crypto map SDM_CMAP_1 isakmp authorization list default
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !
    !
    !
    !
    ! NOTE(review): 1.1.1.0/24 is public address space, not RFC 1918;
    ! presumably a test loopback - confirm it is intentional.
    interface Loopback0
    ip address 1.1.1.1 255.255.255.0
    !
    ! Outside (WAN) interface: address via DHCP, NAT outside, crypto map applied.
    interface FastEthernet0/0
    ip address dhcp client-id FastEthernet0/0 hostname 3725router
    ip nat outside
    ip virtual-reassembly
    speed 100
    full-duplex
    crypto map SDM_CMAP_1
    !
    interface Serial0/0
    no ip address
    shutdown
    clock rate 2000000
    !
    ! Inside trunk: untagged 172.20.0.0/24, plus VLAN 2 and VLAN 3 below.
    interface FastEthernet0/1
    ip address 172.20.0.1 255.255.255.0
    duplex auto
    speed auto
    !
    ! NOTE(review): SDM_CMAP_1 is also applied on the inside sub-interfaces;
    ! presumably so LAN-side clients can build tunnels too - confirm, as this
    ! is unusual for an outside-facing crypto map.
    interface FastEthernet0/1.2
    encapsulation dot1Q 2
    ip address 172.16.2.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    crypto map SDM_CMAP_1
    !
    interface FastEthernet0/1.3
    encapsulation dot1Q 3
    ip address 172.16.3.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    crypto map SDM_CMAP_1
    !
    interface Serial0/1
    no ip address
    shutdown
    clock rate 2000000
    !
    ! PPP termination for the L2TP group: addresses from PPTP-POOL, MPPE
    ! required. NOTE(review): the authentication list falls back to ms-chap
    ! and plain chap; chap cannot derive MPPE keys, so a chap-only client
    ! would presumably fail against "mppe ... required" - confirm whether
    ! the fallbacks are needed.
    interface Virtual-Template1
    ip unnumbered FastEthernet0/0
    peer default ip address pool PPTP-POOL
    no keepalive
    ppp encrypt mppe auto required
    ppp authentication ms-chap-v2 ms-chap chap
    !
    ip local pool PPTP-POOL 172.16.20.25 172.16.20.35
    ip local pool VPN_POOL 192.168.0.50 192.168.0.100
    ip forward-protocol nd
    ! NOTE(review): static default route to 192.168.1.1 although Fa0/0 gets
    ! its address by DHCP; presumably the upstream gateway on that segment -
    ! confirm it is still correct.
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    !
    !
    no ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ! NAT: everything matched by access-list 111 (172.16.0.0/16 -> any) is
    ! translated to the Fa0/0 address on the way out.
    ! NOTE(review): likely cause of VPN clients not reaching the internal
    ! networks - replies from 172.16.x.x hosts to tunnel addresses in
    ! 192.168.0.50-100 also match list 111 and are translated before the
    ! crypto map sees them. The usual remedy is a NAT exemption ahead of the
    ! permit, e.g.
    !   access-list 111 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
    ! (numbered ACL lines append, so the list has to be rebuilt in order).
    ip nat inside source list 111 interface FastEthernet0/0 overload
    !
    ! NOTE(review): LAN_IN is not applied to any interface in this config, so
    ! it has no effect; its first entry is also covered by the second.
    ip access-list extended LAN_IN
    permit ip host 192.168.0.51 any
    permit ip 192.168.0.0 0.0.255.255 any
    permit ip 172.16.0.0 0.0.255.255 any
    deny ip any any log
    !
    access-list 111 permit ip 172.16.0.0 0.0.255.255 any
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ! Management access: SSH only on every vty line.
    ! NOTE(review): with "aaa new-model" and "login default local", logins use
    ! the local user database; the type-7 line password on vty 0-4 is
    ! presumably never consulted - confirm, and drop the reversible password.
    line con 0
    line aux 0
    line vty 0 4
    password 7 05080F1C2243
    transport input ssh
    line vty 5 903
    transport input ssh
    !
    ntp clock-period 17180663
    ntp server 129.6.15.29 source FastEthernet0/0 prefer
    !
    end
     
    S Reese, Jan 11, 2008
    #1

  2. S Reese

    S Reese Guest

    Would some type of access list allow the VPN network 192.168.0.X to
    communicate with the network 172.16.X.X, and vice versa?
     
    S Reese, Jan 11, 2008
    #2

  3. S Reese

    Nyerere Guest

    Check split tunneling on the Cisco site.

    This will solve your problem.

    Thx
     
    Nyerere, Jan 12, 2008
    #3
  4. S Reese

    S Reese Guest

    I had split tunneling enabled, and clients connecting to the VPN from the
    internal LAN could reach the internal LAN hosts, but the remote clients
    (those on a different subnet) could not reach the internal LAN hosts -
    which is what I'm trying to achieve - so I decided to do away with the
    ACL(s) that invoked split tunneling. I figure there has to be a way to
    let remote users connecting from any IP reach the internal LAN if they
    are authenticated VPN users.
     
    S Reese, Jan 12, 2008
    #4
