Solved

Cisco VPN clients cannot access remote LAN?

Posted on 2006-07-03
Last Modified: 2008-01-09
Hi!

Fairly simple setup I have: one server, one Cisco 1841 in front, and some remote Cisco VPN clients hooking up to the 1841 using simple authentication. VPN connections are functioning as they should; the only problem is: VPN CLIENTS cannot access the LAN behind the Cisco, and they cannot go on the Internet. I have some other networks connected via GRE tunnels to the same router, and the VPN clients have no problem accessing these networks. They just cannot access the local LAN in which they are terminated.

the local lan is 192.168.3.0 /24

Take a look at my config here:

version 12.3
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname vagw1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
enable secret 5 $1$sDmY$Sbq7YuUg2VXiB.cN6uU0e.
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone CET 2
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
!
username -----------------------
username -----------------------
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
no crypto isakmp ccm
!
crypto isakmp client configuration group vpnmedidata
 key xxxxxx
 dns 192.168.20.30
 domain xxxxxx.dk
 pool medidataippool
 max-users 5
!
crypto isakmp client configuration group papd
 key xxxxxxxx
 dns 192.168.1.4
 domain xxxxxx.eu
 pool papdpool
 include-local-lan
 max-users 5
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Tunnel57
 description connected to Outrup
 ip address 192.168.99.97 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination xx.xx.xx.xx
!
interface Tunnel58
 description connected to Smedegade
 ip address 192.168.99.93 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination xx.xx.xx.xx
!
interface Tunnel59
 description connected to MediData
 ip address 192.168.99.89 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination xx.xx.xx.xx
!
interface FastEthernet0/0
 ip address xx.xx.xx.xx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map clientmap
!
interface FastEthernet0/1
 ip address 192.168.3.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
ip local pool medidataippool 192.168.24.100 192.168.24.200
ip local pool papdpool 192.168.4.1 192.168.4.254
ip default-gateway 192.168.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx name default
ip route 192.168.1.0 255.255.255.0 Tunnel58 name Smedegade
ip route 192.168.2.0 255.255.255.0 Tunnel57 name Outrup
ip route 192.168.3.0 255.255.255.0 FastEthernet0/1
ip route 192.168.20.0 255.255.255.0 Tunnel59 name Medidata
!
no ip http server
no ip http secure-server
ip nat translation timeout 800
ip nat translation tcp-timeout 900
ip nat translation udp-timeout 180
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 5
ip nat inside source list 102 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.3.1 53 interface FastEthernet0/0 53
ip nat inside source static tcp 192.168.3.1 80 interface FastEthernet0/0 80
!
access-list 23 permit xx.xx.xx.xx
access-list 23 remark telnet
access-list 23 permit xx.xx.xx.xx
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit xx.xx.xx.xx 0.0.0.7
access-list 23 deny   any log
access-list 100 remark LAN-Access
access-list 100 permit ip host 192.168.3.1 any
access-list 100 deny   ip any any log
access-list 102 remark NAT
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
!
!
control-plane
!
!
line con 0
 password 7 110E4C53154352
line aux 0
line vty 0 4
 password 7 121E5041105A55
!
ntp clock-period 17178876
ntp server 193.162.145.130
ntp server 193.162.159.197
ntp server 193.162.159.194
end


Please help! :)
Question by: johnnybrian

38 Comments

Expert Comment by: muff
Do the vpn users authenticate successfully and get an IP address?
Author Comment by: johnnybrian
Yep. No problem there. Only 192.168.3.0 /24 cannot be accessed. 192.168.20.0 /24 (on the other end of a GRE, as you can see) can easily be pinged.

/JB
Expert Comment by: muff

Well, that is weird.

So I am guessing you put the route for 192.168.3.0 in to try and fix the problem?

Also, I note that you have ip default-gateway turned on where it should only be used where routing is disabled.  What is the default gateway that the remote users received?

And the config is current right?  The access-lists are not applied?
Author Comment by: johnnybrian
>>>So I am guessing you put the route for 192.168.3.0 in to try and fix the problem?<<<
Yes I did. I know it's a stupid route, but I had to try something. :)

This config is current, yes. No applied access lists.

The client PC I just tried, strangely enough, gets 192.168.4.2 as IP and ALSO as gateway!?

/JB
Expert Comment by: muff
Yeah, that is right.  It is the local end of the tunnel so also the gateway  - a little like the GRE tunnels, but looks weird when on the same device.

Well I guess it is time to start the frustrating exercise of log reviews..  perhaps add a "permit ip any any log" to the out direction on the f0/1 and see if any packets actually hit the interface



Author Comment by: johnnybrian
I added the access list 100 to the OUT direction of f0/1:
access-list 100 remark TEST
access-list 100 permit ip any any log

Pinging 192.168.3.1 from my VPN client, it gives the following log entry:

Jul  3 13:36:46.722 UTC: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 192.168.4.11 -> 192.168.3.1 (0/0), 1 packet

It hits the interface all right, but on the VPN client the ping answer is received from 87.XX.XX.XX, which is the WAN interface of the 1841!

/JB
Accepted Solution by: rsivanandan (earned 35 total points)
From the first, it isn't working because your NAT access-list isn't correct and is NATting all outgoing connections. So do this:

access-list 102 remark NAT
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
access-list 102 permit ip 192.168.4.0 0.0.0.255 any

and it should be in exactly that order.

Why are we adding the second access-list entry?

Because when the traffic flows, you want to NAT all the 'Internet'-bound traffic and 'DON'T' want to NAT anything that is going to your VPN clients.

Cheers,
Rajesh
Expert Comment by: rsivanandan
And oh yeah, you don't need this line either:

>>access-list 102 permit ip 192.168.4.0 0.0.0.255 any

That is the VPN client pool, right? So it is not required.

Cheers,
Rajesh
Author Comment by: johnnybrian
Rajesh: Very nice work. Added that access list, and now I can ping 3.1.

Now for the other issue: I cannot access the Internet when I'm on VPN. How can this be? I have enabled local LAN access on the client.

/JB
Author Comment by: johnnybrian
DNS is working, by the way; I can make lookups on the client, but I have no access.

/JB
Expert Comment by: rsivanandan
Do something real quick for me.

When the vpn is connected, get an output of 'route print' and post it here;

Cheers,
Rajesh
Author Comment by: johnnybrian
How to get an output of route print? on the client or on the router?

/JB
Expert Comment by: rsivanandan
On the computer which is VPNed in.

On the command prompt, just type 'route print'.

Cheers,
Rajesh
Expert Comment by: muff
Darn Rajesh, you snuck in!

I had my post ready about the natting... never mind.

local-lan just allows access to the local lan.  You need split-tunnel.

This is where you define an access list for the traffic you want to encrypt only and add it to the policy.
Author Comment by: johnnybrian
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 e0 18 1a 76 c5 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC
 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    83.90.253.169   83.90.253.170       20
    83.90.253.168  255.255.255.248    83.90.253.170   83.90.253.170       20
    83.90.253.170  255.255.255.255        127.0.0.1       127.0.0.1       20
   83.255.255.255  255.255.255.255    83.90.253.170   83.90.253.170       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0    83.90.253.170   83.90.253.170       20
  255.255.255.255  255.255.255.255    83.90.253.170   83.90.253.170       1
Default Gateway:     83.90.253.169
===========================================================================
Persistent Routes:
Expert Comment by: rsivanandan
Well, I saw that it isn't going anywhere so decided to jump in :-)

JB,

crypto isakmp client configuration group papd
 key xxxxxxxx
 dns 192.168.1.4
 domain xxxxxx.eu
 >>acl 100
 pool papdpool
 include-local-lan
 max-users 5

access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

Make these changes.

Cheers,
Rajesh


Expert Comment by: rsivanandan
Hey, use another number for the ACL; you have already used up 100, so make it 105.

Cheers,
Rajesh
Expert Comment by: muff

crypto isakmp client configuration group papd
 key xxxxxxxx
 dns 192.168.1.4
 domain xxxxxx.eu
 pool papdpool
 include-local-lan
 max-users 5
 acl 150


access-list 150 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
etc...



Author Comment by: johnnybrian
Rajesh: did it. No change?

Muff: are you two coordinating this, or should I do both? :)

/JB
Expert Comment by: rsivanandan
Can you post the config on the router now, after all the changes ?

Also once you put those commands, you have to disconnect and reconnect. Did you do that?

Cheers,
Rajesh
Author Comment by: johnnybrian
Yes I did. New config:


!
! Last configuration change at 16:56:14 CET Mon Jul 3 2006 by hax
! NVRAM config last updated at 16:56:15 CET Mon Jul 3 2006 by hax
!
version 12.3
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname vagw1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
enable secret 5 $1$sDmY$Sbq7YuUg2VXiB.cN6uU0e.
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone CET 2
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
!
username cisco password
username hax password
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
no crypto isakmp ccm
!
crypto isakmp client configuration group vpnmedidata
 key
 dns 192.168.20.30
 domain xxxx.dk
 pool medidataippool
 max-users 5
!
crypto isakmp client configuration group papd
 key
 dns 192.168.1.4
 domain xxxx.eu
 pool papdpool
 acl 105
 include-local-lan
 max-users 5
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Tunnel57
 description connected to Outrup
 ip address 192.168.99.97 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination xx.xx.xx.xx
!
interface Tunnel58
 description connected to Smedegade
 ip address 192.168.99.93 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination xx.xx.xx.xx
!
interface Tunnel59
 description connected to MediData
 ip address 192.168.99.89 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination xx.xx.xx.xx
!
interface FastEthernet0/0
 ip address xx.xx.xx.xx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map clientmap
!
interface FastEthernet0/1
 ip address 192.168.3.254 255.255.255.0
 ip access-group 100 out
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
ip local pool medidataippool 192.168.24.100 192.168.24.200
ip local pool papdpool 192.168.4.1 192.168.4.254
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx name default
ip route 192.168.1.0 255.255.255.0 Tunnel58 name Smedegade
ip route 192.168.2.0 255.255.255.0 Tunnel57 name Outrup
ip route 192.168.3.0 255.255.255.0 FastEthernet0/1
ip route 192.168.20.0 255.255.255.0 Tunnel59 name Medidata
!
no ip http server
no ip http secure-server
ip nat translation timeout 800
ip nat translation tcp-timeout 900
ip nat translation udp-timeout 180
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 5
ip nat inside source list 102 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.3.1 53 interface FastEthernet0/0 53
ip nat inside source static tcp 192.168.3.1 80 interface FastEthernet0/0 80
!
access-list 23 permit xx.xx.xx.xx
access-list 23 remark telnet
access-list 23 permit xx.xx.xx.xx
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit 83.17.235.64 0.0.0.7
access-list 23 deny   any log
access-list 100 remark TEST
access-list 100 permit ip any any log
access-list 102 remark NAT
access-list 102 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
access-list 105 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

control-plane
!
!
line con 0
 password
line aux 0
line vty 0 4
 password
!
ntp clock-period 17178876
ntp server 193.162.145.130
ntp server 193.162.159.197
ntp server 193.162.159.194
end

Expert Comment by: rsivanandan
OK, let's try reapplying the crypto map to the interface; do this:

int fa0/0
no crypto map mymap
crypto map mymap

Then bounce the VPN Client, connect back, see if that helps. Also when vpn is connected, get 'route print' and post it here.

Cheers,
Rajesh
Expert Comment by: muff

If the split tunnel access-list is applied as above, then you should no longer be able to get to the GRE tunnel destinations.  That would be a quick way to see if the acl is being applied.  You would need to extend 105 to include other destinations.

So if the acl is working, you should no longer have a default route on the client (once connected) pointing at the IP address provided out of the 192.168.4.0 network.

You should have a specific route for the 192.168.3.0 network.  Can you confirm this?
Expert Comment by: rsivanandan
any updates ?

Cheers,
Rajesh
Author Comment by: johnnybrian
There will be today! :) I'm out of the office right now.

So far, tried reapplying the crypto map without any results.

/JB
Author Comment by: johnnybrian
Okay Rajesh, as you suggested, I tried reapplying the crypto map, without any results.

Here is the route print from the PC behind the VPN:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 e0 18 1a 76 c5 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC
 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    83.90.253.169   83.90.253.170       20
    83.90.253.168  255.255.255.248    83.90.253.170   83.90.253.170       20
    83.90.253.170  255.255.255.255        127.0.0.1       127.0.0.1       20
   83.255.255.255  255.255.255.255    83.90.253.170   83.90.253.170       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0    83.90.253.170   83.90.253.170       20
  255.255.255.255  255.255.255.255    83.90.253.170   83.90.253.170       1
Default Gateway:     83.90.253.169
===========================================================================
Persistent Routes:
Expert Comment by: muff
It doesn't look like it was connected at the time the route print was taken.

Did you verify you could/couldn't get to the GRE networks when you connected?
Expert Comment by: rsivanandan
This doesn't seem to be taken when the VPN is 'UP' ? Make sure you have connected through vpn and then at that point take the outputs.

Cheers,
Rajesh
Author Comment by: johnnybrian
Okay, if you don't believe me, here is the entire output. As you can see, I'm connected to the VPN; I can ping 1.3. I cannot, however, see that my IP has changed? Also, I now cannot reach the tunnelled network. Sadly, of course, still no Internet.

Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\admhax>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

      Connection-specific DNS Suffix . . . . . . . :
      IP Address . . . . . . . . . . . . . . . . . : 83.90.253.170
      Subnet Mask. . . . . . . . . . . . . . . . . : 255.255.255.248
      Default Gateway. . . . . . . . . . . . . . . : 83.90.253.169

C:\Documents and Settings\admhax>ping 192.168.3.1

Pinging 192.168.3.1 with 32 bytes of data:

Request timed out.
Reply from 192.168.3.1: bytes=32 time=16ms TTL=127
Reply from 192.168.3.1: bytes=32 time=14ms TTL=127
Reply from 192.168.3.1: bytes=32 time=13ms TTL=127

Ping statistics for 192.168.3.1:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 13ms, Maximum = 16ms, Average = 14ms

C:\Documents and Settings\admhax>ping 192.168.1.4

Pinging 192.168.1.4 with 32 bytes of data:

Reply from 80.196.66.173: Destination host unreachable.
Reply from 80.196.66.173: Destination host unreachable.
Reply from 80.196.66.173: Destination host unreachable.
Reply from 80.196.66.173: Destination host unreachable.

Ping statistics for 192.168.1.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Documents and Settings\admhax>ping 192.168.20.30

Pinging 192.168.20.30 with 32 bytes of data:

Reply from 80.196.66.173: Destination host unreachable.
Reply from 80.196.66.173: Destination host unreachable.
Reply from 80.196.66.173: Destination host unreachable.
Reply from 80.196.66.173: Destination host unreachable.

Ping statistics for 192.168.20.30:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Documents and Settings\admhax>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 e0 18 1a 76 c5 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC
 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    83.90.253.169   83.90.253.170       20
    83.90.253.168  255.255.255.248    83.90.253.170   83.90.253.170       20
    83.90.253.170  255.255.255.255        127.0.0.1       127.0.0.1       20
   83.255.255.255  255.255.255.255    83.90.253.170   83.90.253.170       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0    83.90.253.170   83.90.253.170       20
  255.255.255.255  255.255.255.255    83.90.253.170   83.90.253.170       1
Default Gateway:     83.90.253.169
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\admhax>
Author Comment by: johnnybrian
Looks like now I cannot reach the tunnel network (and therefore the DNS server), but I can ping public IP addresses! That is the status right now!

/JB
Author Comment by: johnnybrian
Looks like now I cannot reach the tunnel networks, but I can ping public addresses. I need to be able to reach the tunnels also.

JB
Expert Comment by: muff

Perhaps ipconfig /all would show that you are getting the IP address applied to the VPN interface.

So if you extend the acl 105 to include the GRE tunnel destinations, that would solve the problem of accessing those networks.

But the routing table is key to split tunnel, and I am not sure why this isn't showing the routing for those networks.  Your ping didn't show any attempts to ping the Internet; what was the result?  Do you get the "unreachable" from the same IP address as the GRE tunnels (the router)?
0
 
LVL 9

Assisted Solution

by:muff
muff earned 90 total points
Comment Utility
Sorry, I didn't see your response before my post.

Just add the tunnel addresses to the 105 acl and you will be done.
Author Comment by: johnnybrian
Hi Muff: I did it, and it still does not work. I get Host not available from my local router (the router that has the VPN client computer connected) when I try to ping anything other than public addresses now. All internal addresses, including 3.1, are now Not Available. :(

Public addresses are, though.

/JB
Expert Comment by: muff

Could you change the ACL so that it looks like this?  The destination isn't necessary as it only applies to VPN users.  See if the routes get applied.

access-list 105 permit ip 192.168.3.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.20.0 0.0.0.255 any
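
Both fixes in this thread, rsivanandan's NAT exemption (the deny line that has to sit in front of the permit in access-list 102) and the split-tunnel list in access-list 105 just above, come down to how IOS evaluates a numbered extended ACL: entries are checked in order, the first match decides, and anything unmatched is denied. The Python script below is an added example, not code from this thread, from the router or from Cisco; it models that evaluation and runs it over the ACL text copied from the posts. The LAN host 192.168.3.1 and VPN client 192.168.4.11 come from the log line earlier in the thread, 198.51.100.7 in the checks is a made-up Internet address, the model only handles 'ip' entries with any/host/wildcard addresses, and it treats the source side of each permit in the group 'acl' as the networks the client routes into the tunnel (the documented Easy VPN interpretation).

```python
"""Model of Cisco IOS extended-ACL evaluation (first match wins, implicit deny, wildcard
masks) applied to the access lists from this thread.  Added example, not router or Cisco
code; the addresses used in the checks below are constructed inputs."""
import ipaddress
from collections import namedtuple

# src/dst are "any" or "A.B.C.D W.X.Y.Z" (address + wildcard); "host X" becomes "X 0.0.0.0".
Ace = namedtuple("Ace", "action src dst")

def _take(tokens):
    """Consume one IOS address spec (any | host X | net wildcard) from a token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1] + " 0.0.0.0", tokens[2:]
    return tokens[0] + " " + tokens[1], tokens[2:]

def parse_acl(text):
    """Parse 'access-list N {permit|deny} ip SRC DST' lines; remark lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        if tok[3] != "ip":
            raise ValueError("only 'ip' entries are modelled: " + line)
        src, rest = _take(tok[4:])
        dst, _ = _take(rest)
        aces.append(Ace(tok[2], src, dst))
    return aces

def _matches(spec, addr):
    """Wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(net)) & care

def evaluate(aces, src, dst):
    """Action of the first matching entry; no match is the implicit deny."""
    for ace in aces:
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action
    return "deny"

# ACL 102 as first posted: every LAN packet is translated, including replies to
# VPN clients, which is why the ping answer came back from the WAN address.
NAT_ACL_ORIGINAL = """
access-list 102 remark NAT
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
"""
# ACL 102 after the accepted fix: the LAN -> VPN-pool exemption comes first.
NAT_ACL_FIXED = """
access-list 102 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
"""
# The same two entries swapped: the deny is shadowed and never reached.
NAT_ACL_MISORDERED = """
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
access-list 102 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
"""
# ACL 105 from the final, working post (the group's split-tunnel list).
SPLIT_ACL_FINAL = """
access-list 105 permit ip 192.168.3.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.20.0 0.0.0.255 any
"""

def nat_translates(acl_text, src, dst):
    """True if 'ip nat inside source list 102 ... overload' would translate src -> dst."""
    return evaluate(parse_acl(acl_text), src, dst) == "permit"

def _to_network(spec):
    """'A.B.C.D W.X.Y.Z' -> IPv4Network; only a contiguous wildcard maps to one prefix."""
    net, wild = spec.split()
    w = int(ipaddress.IPv4Address(wild))
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard has no single prefix: " + spec)
    return ipaddress.ip_network(net + "/" + str(32 - w.bit_length()), strict=False)

def split_tunnel_networks(acl_text):
    """Networks the client is told to route into the tunnel: the source side of each
    permit entry, which is how the Easy VPN group 'acl' list is interpreted."""
    return [_to_network(a.src) for a in parse_acl(acl_text)
            if a.action == "permit" and a.src != "any"]

def goes_through_tunnel(acl_text, dst):
    """Would a split-tunnel client send traffic for dst into the VPN?"""
    d = ipaddress.IPv4Address(dst)
    return any(d in net for net in split_tunnel_networks(acl_text))

if __name__ == "__main__":
    for name, acl in ("original", NAT_ACL_ORIGINAL), ("fixed", NAT_ACL_FIXED):
        print(name, "ACL 102 translates the LAN reply to the VPN client:",
              nat_translates(acl, "192.168.3.1", "192.168.4.11"))
    print("split-tunnel networks:", [str(n) for n in split_tunnel_networks(SPLIT_ACL_FINAL)])
```

Running it reproduces the symptom from the thread: with the original list the LAN host's reply to the VPN client is permitted by ACL 102 and therefore translated to the WAN address, with the deny in front it is left alone, and putting the deny after the permit (NAT_ACL_MISORDERED) quietly brings the fault back because the deny is never reached. The split-tunnel list yields exactly the four internal networks, so Internet traffic stays off the tunnel, which is what 'acl' gives you that include-local-lan does not.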
Author Comment by: johnnybrian
WORKS! You guys are the greatest. Best 10 bucks I ever spent! :)

What about points, considering both of you have done a lot of work?

/JB
Expert Comment by: muff

It has to be your call, how you think the points are best distributed (they can be split).

Author Comment by: johnnybrian
Thanks again Guys!

/JB