Solved

VPN connects, no access to LAN, split-tunnel works

Posted on 2004-04-29
6
998 Views
Last Modified: 2010-04-12
I am able to connect to the VPN (PIX 506) using the Cisco VPN Client 4.0.3C and get out to the Internet via the split-tunnel, however I cannot access the local LAN -> 192.168.101.x

Network Setup:
Internet <=> ISP <=> 2600 <=> PIX <=> 2950

Slimmed config:
access-list REMOTE permit ip host 192.168.101.0 host 192.168.1.0
access-list splittun permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside 172.31.9.254 255.255.255.0
ip address inside 192.168.101.254 255.255.255.0
ip local pool VPNPOOL 192.168.1.5-192.168.1.20
global (outside) 1 interface
nat (inside) 0 access-list REMOTE
nat (inside) 1 192.168.101.0 255.255.255.0 0 0
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 172.31.9.253 1
sysopt connection permit-ipsec
crypto ipsec transform-set CSPF esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set CSPF
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key password address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local VPNPOOL outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup MYREMOTE address-pool VPNPOOL
vpngroup MYREMOTE dns-server 192.168.101.1 12.x.x.x vpngroup MYREMOTE default-domain mydomain.com
vpngroup MYREMOTE split-tunnel splittun
vpngroup MYREMOTE idle-time 1800
vpngroup MYREMOTE max-time 86400
vpngroup MYREMOTE password password
0
Comment
Question by:willardshawns
  • 2
6 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10960456
Try changing this line
>access-list REMOTE permit ip host 192.168.101.0 host 192.168.1.0

to this:
access-list REMOTE permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0


0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10960909
Scooped again! Gratz on your test by the way lr
0
 

Author Comment

by:willardshawns
ID: 10982084
nope...same thing.  I can connect to the vpn and get out to the internet, but I can not get to anything behind the vpn.  

The other thing that is strange, is that when I look at the statistics for the vpn client, it is not receving any replies.  It sends plenty of packets, but does not receive any back?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 10982222
You want to play around with the client settings, transport tab
Your choices are to use
Enable transparent tunneling
  UDP
  TCP
 
Depending on where you are trying to connect from, you might need to un-check the box to enable transparent tunneling. If tunneling is enabled, and TCP is selected, you need to move it to UDP.

0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Sonicwall SRA no lan access 5 33
RDP connection error 5 59
macos sierra "Destination Net Unreachable" 7 71
Use of vpn-filter value  in S2S VPN 2 49
I've had to do a bit of research to setup my VPN connection so that Clients can access Windows Server 2008 network shares.  I have a Cisco ASA 5510 firewall.  I found an article which was extremely useful: It had a solution if you use ASDM to config…
When you connect to your workplace's VPN, you may not notice that you are using your workplace's servers to serve up webpages.  This might be undesirable since the workplace can log all the places you've been.  It also might be very slow to load pag…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question