• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1014
  • Last Modified:

VPN connects, no access to LAN, split-tunnel works

I am able to connect to the VPN (PIX 506) using the Cisco VPN Client 4.0.3C and get out to the Internet via the split-tunnel, however I cannot access the local LAN -> 192.168.101.x

Network Setup:
Internet <=> ISP <=> 2600 <=> PIX <=> 2950

Slimmed config:
access-list REMOTE permit ip host 192.168.101.0 host 192.168.1.0
access-list splittun permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside 172.31.9.254 255.255.255.0
ip address inside 192.168.101.254 255.255.255.0
ip local pool VPNPOOL 192.168.1.5-192.168.1.20
global (outside) 1 interface
nat (inside) 0 access-list REMOTE
nat (inside) 1 192.168.101.0 255.255.255.0 0 0
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 172.31.9.253 1
sysopt connection permit-ipsec
crypto ipsec transform-set CSPF esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set CSPF
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key password address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local VPNPOOL outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup MYREMOTE address-pool VPNPOOL
vpngroup MYREMOTE dns-server 192.168.101.1 12.x.x.x vpngroup MYREMOTE default-domain mydomain.com
vpngroup MYREMOTE split-tunnel splittun
vpngroup MYREMOTE idle-time 1800
vpngroup MYREMOTE max-time 86400
vpngroup MYREMOTE password password
0
willardshawns
Asked:
willardshawns
  • 2
1 Solution
 
lrmooreCommented:
Try changing this line
>access-list REMOTE permit ip host 192.168.101.0 host 192.168.1.0

to this:
access-list REMOTE permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0


0
 
ewtaylorCommented:
Scooped again! Gratz on your test by the way lr
0
 
willardshawnsAuthor Commented:
nope...same thing.  I can connect to the vpn and get out to the internet, but I can not get to anything behind the vpn.  

The other thing that is strange, is that when I look at the statistics for the vpn client, it is not receving any replies.  It sends plenty of packets, but does not receive any back?
0
 
lrmooreCommented:
You want to play around with the client settings, transport tab
Your choices are to use
Enable transparent tunneling
  UDP
  TCP
 
Depending on where you are trying to connect from, you might need to un-check the box to enable transparent tunneling. If tunneling is enabled, and TCP is selected, you need to move it to UDP.

0

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now