willardshawns
asked on
VPN connects, no access to LAN, split-tunnel works
I am able to connect to the VPN (PIX 506) using the Cisco VPN Client 4.0.3C and get out to the Internet via the split-tunnel, however I cannot access the local LAN -> 192.168.101.x
Network Setup:
Internet <=> ISP <=> 2600 <=> PIX <=> 2950
Slimmed config:
access-list REMOTE permit ip host 192.168.101.0 host 192.168.1.0
access-list splittun permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside 172.31.9.254 255.255.255.0
ip address inside 192.168.101.254 255.255.255.0
ip local pool VPNPOOL 192.168.1.5-192.168.1.20
global (outside) 1 interface
nat (inside) 0 access-list REMOTE
nat (inside) 1 192.168.101.0 255.255.255.0 0 0
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 172.31.9.253 1
sysopt connection permit-ipsec
crypto ipsec transform-set CSPF esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set CSPF
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key password address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local VPNPOOL outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup MYREMOTE address-pool VPNPOOL
vpngroup MYREMOTE dns-server 192.168.101.1 12.x.x.x vpngroup MYREMOTE default-domain mydomain.com
vpngroup MYREMOTE split-tunnel splittun
vpngroup MYREMOTE idle-time 1800
vpngroup MYREMOTE max-time 86400
vpngroup MYREMOTE password password
Network Setup:
Internet <=> ISP <=> 2600 <=> PIX <=> 2950
Slimmed config:
access-list REMOTE permit ip host 192.168.101.0 host 192.168.1.0
access-list splittun permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside 172.31.9.254 255.255.255.0
ip address inside 192.168.101.254 255.255.255.0
ip local pool VPNPOOL 192.168.1.5-192.168.1.20
global (outside) 1 interface
nat (inside) 0 access-list REMOTE
nat (inside) 1 192.168.101.0 255.255.255.0 0 0
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 172.31.9.253 1
sysopt connection permit-ipsec
crypto ipsec transform-set CSPF esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set CSPF
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key password address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local VPNPOOL outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup MYREMOTE address-pool VPNPOOL
vpngroup MYREMOTE dns-server 192.168.101.1 12.x.x.x vpngroup MYREMOTE default-domain mydomain.com
vpngroup MYREMOTE split-tunnel splittun
vpngroup MYREMOTE idle-time 1800
vpngroup MYREMOTE max-time 86400
vpngroup MYREMOTE password password
Scooped again! Gratz on your test by the way lr
ASKER
nope...same thing. I can connect to the vpn and get out to the internet, but I can not get to anything behind the vpn.
The other thing that is strange, is that when I look at the statistics for the vpn client, it is not receving any replies. It sends plenty of packets, but does not receive any back?
The other thing that is strange, is that when I look at the statistics for the vpn client, it is not receving any replies. It sends plenty of packets, but does not receive any back?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
>access-list REMOTE permit ip host 192.168.101.0 host 192.168.1.0
to this:
access-list REMOTE permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0