Solved

VPN connects, no access to LAN, split-tunnel works

Posted on 2004-04-29
6
999 Views
Last Modified: 2010-04-12
I am able to connect to the VPN (PIX 506) using the Cisco VPN Client 4.0.3C and get out to the Internet via the split-tunnel, however I cannot access the local LAN -> 192.168.101.x

Network Setup:
Internet <=> ISP <=> 2600 <=> PIX <=> 2950

Slimmed config:
access-list REMOTE permit ip host 192.168.101.0 host 192.168.1.0
access-list splittun permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside 172.31.9.254 255.255.255.0
ip address inside 192.168.101.254 255.255.255.0
ip local pool VPNPOOL 192.168.1.5-192.168.1.20
global (outside) 1 interface
nat (inside) 0 access-list REMOTE
nat (inside) 1 192.168.101.0 255.255.255.0 0 0
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 172.31.9.253 1
sysopt connection permit-ipsec
crypto ipsec transform-set CSPF esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set CSPF
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key password address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local VPNPOOL outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup MYREMOTE address-pool VPNPOOL
vpngroup MYREMOTE dns-server 192.168.101.1 12.x.x.x vpngroup MYREMOTE default-domain mydomain.com
vpngroup MYREMOTE split-tunnel splittun
vpngroup MYREMOTE idle-time 1800
vpngroup MYREMOTE max-time 86400
vpngroup MYREMOTE password password
0
Comment
Question by:willardshawns
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
6 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10960456
Try changing this line
>access-list REMOTE permit ip host 192.168.101.0 host 192.168.1.0

to this:
access-list REMOTE permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0


0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10960909
Scooped again! Gratz on your test by the way lr
0
 

Author Comment

by:willardshawns
ID: 10982084
nope...same thing.  I can connect to the vpn and get out to the internet, but I can not get to anything behind the vpn.  

The other thing that is strange, is that when I look at the statistics for the vpn client, it is not receving any replies.  It sends plenty of packets, but does not receive any back?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 10982222
You want to play around with the client settings, transport tab
Your choices are to use
Enable transparent tunneling
  UDP
  TCP
 
Depending on where you are trying to connect from, you might need to un-check the box to enable transparent tunneling. If tunneling is enabled, and TCP is selected, you need to move it to UDP.

0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question