johnnybrian
asked on
Cisco VPN clients cannot access remote LAN?
Hi!
Fairly simple setup I have: one server, one Cisco 1841 in front, and some remote Cisco VPN clients hooking up to the 1841 using simple authentication. VPN connections are functioning as they should; the only problem is: VPN CLIENTS cannot access the LAN behind the Cisco, and they cannot go on the internet. I have some other networks connected via GRE tunnels to the same router, and the VPN clients have no problem accessing these networks. They just cannot access the local LAN in which they are terminated.
The local LAN is 192.168.3.0/24.
Take a look at my config here:
version 12.3
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname vagw1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
enable secret 5 $1$sDmY$Sbq7YuUg2VXiB.cN6u U0e.
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone CET 2
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
!
username -----------------------
username -----------------------
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
no crypto isakmp ccm
!
crypto isakmp client configuration group vpnmedidata
key xxxxxx
dns 192.168.20.30
domain xxxxxx.dk
pool medidataippool
max-users 5
!
crypto isakmp client configuration group papd
key xxxxxxxx
dns 192.168.1.4
domain xxxxxx.eu
pool papdpool
include-local-lan
max-users 5
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Tunnel57
description connected to Outrup
ip address 192.168.99.97 255.255.255.252
keepalive 10 3
tunnel source FastEthernet0/0
tunnel destination xx.xx.xx.xx
!
interface Tunnel58
description connected to Smedegade
ip address 192.168.99.93 255.255.255.252
keepalive 10 3
tunnel source FastEthernet0/0
tunnel destination xx.xx.xx.xx
!
interface Tunnel59
description connected to MediData
ip address 192.168.99.89 255.255.255.252
keepalive 10 3
tunnel source FastEthernet0/0
tunnel destination xx.xx.xx.xx
!
interface FastEthernet0/0
ip address xx.xx.xx.xx 255.255.255.248
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
crypto map clientmap
!
interface FastEthernet0/1
ip address 192.168.3.254 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
!
ip local pool medidataippool 192.168.24.100 192.168.24.200
ip local pool papdpool 192.168.4.1 192.168.4.254
ip default-gateway 192.168.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx name default
ip route 192.168.1.0 255.255.255.0 Tunnel58 name Smedegade
ip route 192.168.2.0 255.255.255.0 Tunnel57 name Outrup
ip route 192.168.3.0 255.255.255.0 FastEthernet0/1
ip route 192.168.20.0 255.255.255.0 Tunnel59 name Medidata
!
no ip http server
no ip http secure-server
ip nat translation timeout 800
ip nat translation tcp-timeout 900
ip nat translation udp-timeout 180
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 5
ip nat inside source list 102 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.3.1 53 interface FastEthernet0/0 53
ip nat inside source static tcp 192.168.3.1 80 interface FastEthernet0/0 80
!
access-list 23 permit xx.xx.xx.xx
access-list 23 remark telnet
access-list 23 permit xx.xx.xx.xx
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit xx.xx.xx.xx 0.0.0.7
access-list 23 deny any log
access-list 100 remark LAN-Access
access-list 100 permit ip host 192.168.3.1 any
access-list 100 deny ip any any log
access-list 102 remark NAT
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
!
!
control-plane
!
!
line con 0
password 7 110E4C53154352
line aux 0
line vty 0 4
password 7 121E5041105A55
!
ntp clock-period 17178876
ntp server 193.162.145.130
ntp server 193.162.159.197
ntp server 193.162.159.194
end
Please help! :)
Do the vpn users authenticate successfully and get an IP address?
ASKER
Yep. No problem there. Only 192.168.3.0/24 cannot be accessed. 192.168.20.0/24 (on the other end of a GRE, as you can see) can easily be pinged.
/JB
Well, that is weird.
So I am guessing you put the route for 192.168.3.0 in to try and fix the problem?
Also, I note that you have ip default-gateway turned on where it should only be used where routing is disabled. What is the default gateway that the remote users received?
And the config is current right? The access-lists are not applied?
ASKER
>>>So I am guessing you put the route for 192.168.3.0 in to try and fix the problem?<<<
Yes I did, I know it's a stupid route, but I had to try something. :)
This config is current, yes. No applied access lists.
The client PC I just tried, strangely enough, gets 192.168.4.2 as IP and ALSO as gateway!??
/JB
Yeah, that is right. It is the local end of the tunnel so also the gateway - a little like the GRE tunnels, but looks weird when on the same device.
Well I guess it is time to start the frustrating exercise of log reviews.. perhaps add a "permit ip any any log" to the out direction on the f0/1 and see if any packets actually hit the interface
ASKER
I added the access list 100 to the OUT direction of f0/1:
access-list 100 remark TEST
access-list 100 permit ip any any log
Pinging 192.168.3.1 from my VPN client, it gives the following log entry:
Jul 3 13:36:46.722 UTC: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 192.168.4.11 -> 192.168.3.1 (0/0), 1 packet
It hits the interface all right, but on the VPN client, the ping answer is received from 87.XX.XX.XX, which is the WAN interface of the 1841!
/JB
ASKER CERTIFIED SOLUTION
and oh yeah, you don't need this line too;
>>access-list 102 permit ip 192.168.4.0 0.0.0.255 any
That is the VPN Client pool right ? so it is not required.
Cheers,
Rajesh
ASKER
Rajesh: Very nice work, added that access list, and now I can ping 3.1.
Now for the other issue: I cannot access the internet when I'm on VPN. How can this be? I have enabled local LAN access on the client.
/JB
ASKER
DNS is working by the way, I can make lookups on the client, but I have no access.
/JB
Do something real quick for me.
When the vpn is connected, get an output of 'route print' and post it here;
Cheers,
Rajesh
ASKER
How do I get an output of route print? On the client or on the router?
/JB
On the computer which is vpned in.
on the command prompt, just type 'route print'
Cheers,
Rajesh
Darn Rajesh, you snuck in!
I had my post ready about the natting... never mind.
local-lan just allows access to the local lan. You need split-tunnel.
This is where you define an access list for the traffic you want to encrypt only and add it to the policy.
ASKER
========================== ========== ========== ========== ========== =========
Liste over grænseflader
0x1 .......................... . MS TCP Loopback interface
0x10003 ...00 e0 18 1a 76 c5 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC
- Miniport til Packet Scheduler
========================== ========== ========== ========== ========== =========
========================== ========== ========== ========== ========== =========
Aktive ruter:
Netværksdestination Netmaske Gateway Grænseflade Metrikværdi
0.0.0.0 0.0.0.0 83.90.253.169 83.90.253.170 20
83.90.253.168 255.255.255.248 83.90.253.170 83.90.253.170 20
83.90.253.170 255.255.255.255 127.0.0.1 127.0.0.1 20
83.255.255.255 255.255.255.255 83.90.253.170 83.90.253.170 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 83.90.253.170 83.90.253.170 20
255.255.255.255 255.255.255.255 83.90.253.170 83.90.253.170 1
Standardgateway: 83.90.253.169
========================== ========== ========== ========== ========== =========
Vedvarende ruter:
Well, I saw that it isn't going anywhere so decided to jump in :-)
JB,
crypto isakmp client configuration group papd
key xxxxxxxx
dns 192.168.1.4
domain xxxxxx.eu
>>acl 100
pool papdpool
include-local-lan
max-users 5
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
Make these changes.
Cheers,
Rajesh
Hey, use another number for ACL, you have already used up 100, so make it 105
Cheers,
Rajesh
crypto isakmp client configuration group papd
key xxxxxxxx
dns 192.168.1.4
domain xxxxxx.eu
pool papdpool
include-local-lan
max-users 5
acl 150
access-list 150 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
etc...
ASKER
Rajesh: did it. No change?
Muff: are you two coordinating this, or should I do both? :)
/JB
Can you post the config on the router now, after all the changes ?
Also once you put those commands, you have to disconnect and reconnect. Did you do that?
Cheers,
Rajesh
ASKER
Yes I did. New config:
!
! Last configuration change at 16:56:14 CET Mon Jul 3 2006 by hax
! NVRAM config last updated at 16:56:15 CET Mon Jul 3 2006 by hax
!
version 12.3
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname vagw1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
enable secret 5 $1$sDmY$Sbq7YuUg2VXiB.cN6u U0e.
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone CET 2
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
!
username cisco password
username hax password
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
no crypto isakmp ccm
!
crypto isakmp client configuration group vpnmedidata
key
dns 192.168.20.30
domain xxxx.dk
pool medidataippool
max-users 5
!
crypto isakmp client configuration group papd
key
dns 192.168.1.4
domain xxxx.eu
pool papdpool
acl 105
include-local-lan
max-users 5
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Tunnel57
description connected to Outrup
ip address 192.168.99.97 255.255.255.252
keepalive 10 3
tunnel source FastEthernet0/0
tunnel destination xx.xx.xx.xx
!
interface Tunnel58
description connected to Smedegade
ip address 192.168.99.93 255.255.255.252
keepalive 10 3
tunnel source FastEthernet0/0
tunnel destination xx.xx.xx.xx
!
interface Tunnel59
description connected to MediData
ip address 192.168.99.89 255.255.255.252
keepalive 10 3
tunnel source FastEthernet0/0
tunnel destination xx.xx.xx.xx
!
interface FastEthernet0/0
ip address xx.xx.xx.xx 255.255.255.248
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
crypto map clientmap
!
interface FastEthernet0/1
ip address 192.168.3.254 255.255.255.0
ip access-group 100 out
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
!
ip local pool medidataippool 192.168.24.100 192.168.24.200
ip local pool papdpool 192.168.4.1 192.168.4.254
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx name default
ip route 192.168.1.0 255.255.255.0 Tunnel58 name Smedegade
ip route 192.168.2.0 255.255.255.0 Tunnel57 name Outrup
ip route 192.168.3.0 255.255.255.0 FastEthernet0/1
ip route 192.168.20.0 255.255.255.0 Tunnel59 name Medidata
!
no ip http server
no ip http secure-server
ip nat translation timeout 800
ip nat translation tcp-timeout 900
ip nat translation udp-timeout 180
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 5
ip nat inside source list 102 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.3.1 53 interface FastEthernet0/0 53
ip nat inside source static tcp 192.168.3.1 80 interface FastEthernet0/0 80
!
access-list 23 permit xx.xx.xx.xx
access-list 23 remark telnet
access-list 23 permit xx.xx.xx.xx
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit 83.17.235.64 0.0.0.7
access-list 23 deny any log
access-list 100 remark TEST
access-list 100 permit ip any any log
access-list 102 remark NAT
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
access-list 105 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
control-plane
!
!
line con 0
password
line aux 0
line vty 0 4
password
!
ntp clock-period 17178876
ntp server 193.162.145.130
ntp server 193.162.159.197
ntp server 193.162.159.194
end
Ok, lets try reapplying the crypto map to the interface, do this;
int fa0/0
no crypto map mymap
crypto map mymap
Then bounce the VPN Client, connect back, see if that helps. Also when vpn is connected, get 'route print' and post it here.
Cheers,
Rajesh
If the split tunnel access-list is applied as above, then you should no longer be able to get to the GRE tunnel destinations. That would be a quick way to see if the acl is being applied. You would need to extend 105 to include other destinations.
So if the acl is working, you should no longer have a default route on the client (once connected) pointing at the IP address provided out of the 192.168.4.0 network.
You should have a specific route for the 192.168.3.0 network. Can you confirm this?
any updates ?
Cheers,
Rajesh
ASKER
There will be today! :) I'm out of the office right now.
So far, tried reapplying the crypto map without any results.
/JB
ASKER
Okay Rajesh, as you suggested, I tried reapplying the crypto map without any results.
Here is the route print from the PC behind VPN:
Liste over grænseflader
0x1 .......................... . MS TCP Loopback interface
0x10003 ...00 e0 18 1a 76 c5 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC
- Miniport til Packet Scheduler
========================== ========== ========== ========== ========== =========
========================== ========== ========== ========== ========== =========
Aktive ruter:
Netværksdestination Netmaske Gateway Grænseflade Metrikværdi
0.0.0.0 0.0.0.0 83.90.253.169 83.90.253.170 20
83.90.253.168 255.255.255.248 83.90.253.170 83.90.253.170 20
83.90.253.170 255.255.255.255 127.0.0.1 127.0.0.1 20
83.255.255.255 255.255.255.255 83.90.253.170 83.90.253.170 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 83.90.253.170 83.90.253.170 20
255.255.255.255 255.255.255.255 83.90.253.170 83.90.253.170 1
Standardgateway: 83.90.253.169
========================== ========== ========== ========== ========== =========
Vedvarende ruter:
It doesn't look like it was connected at the time the route print was taken.
Did you verify you could/couldn't get to the GRE networks when you connected?
This doesn't seem to be taken when the VPN is 'UP' ? Make sure you have connected through vpn and then at that point take the outputs.
Cheers,
Rajesh
ASKER
Okay, if you don't believe me, here is an entire output. As you can see, I'm connected to the VPN, I can ping 3.1. I can, however, not see that my IP has changed? Also, I now cannot reach the tunnelled network. Sadly, of course, still no internet.
Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\admhax>ipconfig
Windows IP-konfiguration
Ethernet-netværkskort LAN-forbindelse:
Forbindelsesspecifikt DNS-suffiks. . . . . . :
IP-adresse . . . . . . . . . . . . . . . . . : 83.90.253.170
Undernetmaske. . . . . . . . . . . . . . . . : 255.255.255.248
Standardgateway. . . . . . . . . . . . . . . : 83.90.253.169
C:\Documents and Settings\admhax>ping 192.168.3.1
Pinger 192.168.3.1 med 32 byte data:
Anmodning fik timeout.
Svar fra 192.168.3.1: byte=32 tid=16ms TTL=127
Svar fra 192.168.3.1: byte=32 tid=14ms TTL=127
Svar fra 192.168.3.1: byte=32 tid=13ms TTL=127
Ping-statistikker for 192.168.3.1:
Pakker: Sendt = 4, modtaget = 3, tabt = 1 (25% tab),
Beregnet tid for rundtur i millisekunder:
Minimum = 13ms, Maksimum = 16ms, Gennemsnitlig = 14ms
C:\Documents and Settings\admhax>ping 192.168.1.4
Pinger 192.168.1.4 med 32 byte data:
Svar fra 80.196.66.173: Modtagervært ikke tilgængelig. (means: Host not available)
Svar fra 80.196.66.173: Modtagervært ikke tilgængelig.
Svar fra 80.196.66.173: Modtagervært ikke tilgængelig.
Svar fra 80.196.66.173: Modtagervært ikke tilgængelig.
Ping-statistikker for 192.168.1.4:
Pakker: Sendt = 4, modtaget = 4, tabt = 0 (0% tab),
Beregnet tid for rundtur i millisekunder:
Minimum = 0ms, Maksimum = 0ms, Gennemsnitlig = 0ms
C:\Documents and Settings\admhax>ping 192.168.20.30
Pinger 192.168.20.30 med 32 byte data:
Svar fra 80.196.66.173: Modtagervært ikke tilgængelig.
Svar fra 80.196.66.173: Modtagervært ikke tilgængelig.
Svar fra 80.196.66.173: Modtagervært ikke tilgængelig.
Svar fra 80.196.66.173: Modtagervært ikke tilgængelig.
Ping-statistikker for 192.168.20.30:
Pakker: Sendt = 4, modtaget = 4, tabt = 0 (0% tab),
Beregnet tid for rundtur i millisekunder:
Minimum = 0ms, Maksimum = 0ms, Gennemsnitlig = 0ms
C:\Documents and Settings\admhax>route print
========================== ========== ========== ========== ========== =========
Liste over grænseflader
0x1 .......................... . MS TCP Loopback interface
0x10003 ...00 e0 18 1a 76 c5 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC
- Miniport til Packet Scheduler
========================== ========== ========== ========== ========== =========
========================== ========== ========== ========== ========== =========
Aktive ruter:
Netværksdestination Netmaske Gateway Grænseflade Metrikværdi
0.0.0.0 0.0.0.0 83.90.253.169 83.90.253.170 20
83.90.253.168 255.255.255.248 83.90.253.170 83.90.253.170 20
83.90.253.170 255.255.255.255 127.0.0.1 127.0.0.1 20
83.255.255.255 255.255.255.255 83.90.253.170 83.90.253.170 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 83.90.253.170 83.90.253.170 20
255.255.255.255 255.255.255.255 83.90.253.170 83.90.253.170 1
Standardgateway: 83.90.253.169
========================== ========== ========== ========== ========== =========
Vedvarende ruter:
Ingen
C:\Documents and Settings\admhax>
ASKER
Looks like now I cannot reach the tunnel network (and therefore the DNS server), but I can ping public IP addresses! That is the status right now!
/JB
ASKER
Looks like now I cannot reach the tunnel networks, but I can ping public addresses. I need to be able to reach the tunnels also.
JB
Perhaps ipconfig /all would show that you are getting the IP address applied to the VPN interface.
So if you extend the acl 105 to include the GRE tunnel destinations, that would solve the problem of accessing those networks.
But the routing table is key to split tunnel, and I am not sure why this isn't showing the routing for those networks. Your ping didn't show any attempts to ping the internet; what was the result? Do you get the "undeliverable" from the same IP address as the GRE tunnels (the router)?
SOLUTION
ASKER
Hi Muff: I did it, and it still does not work. I get Host not available from my local router (the router that has the VPN computer client connected) when I try to ping anything else but public addresses now. All internal addresses, including 3.1, are now Not Available. :(
Public addresses are, though.
/JB
Could you change the ACL so that it looks like this? The destination isn't necessary as it only applies to VPN users. See if the routes get applied.
access-list 105 permit ip 192.168.3.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.20.0 0.0.0.255 any
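The two router decisions that this thread turned on, as an added example that is not from the thread, from Cisco, or from any of the posters: a small Python model of IOS first-match ACL evaluation, fed with the access-list lines quoted above as constructed input. It shows (a) why, with the original ACL 102, a LAN reply to a VPN client was translated out the WAN address until the `deny ... 192.168.4.0 0.0.0.255` exemption was added (the symptom in the ping/log post), and (b) which destinations the final split-tunnel ACL 105 tells the client to send through the tunnel. The function names, the `198.51.100.10` "internet" address (a documentation range) and the assumption that wildcard masks are contiguous are mine, not the page's.

```python
"""Model of the two IOS ACL decisions in this thread (added example, not from the thread).

1. 'ip nat inside source list 102 ...': a packet going from an 'ip nat inside' interface
   to the 'ip nat outside' interface is translated when ACL 102 permits it. The VPN pool
   (192.168.4.0/24) is reached through the crypto map on the outside interface, so a LAN
   reply to a VPN client takes that inside->outside path and, without a deny line, is
   PATed to the WAN address.
2. 'acl 105' under the ISAKMP client group is the split-tunnel ACL. Its *source* field
   lists the networks behind the router; the client tunnels only traffic to those.

Assumption: wildcard masks are contiguous (true for every line on the page)."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _wild_to_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard: 0 bits must match, 1 bits are don't-care. Invert it to a netmask."""
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(netmask)}", strict=False)


def _take_addr(fields):
    """Consume one address term ('any', 'host X' or 'X WILDCARD'); return (network, rest)."""
    if fields[0] == "any":
        return ANY, fields[1:]
    if fields[0] == "host":
        return ipaddress.ip_network(fields[1] + "/32"), fields[2:]
    return _wild_to_net(fields[0], fields[1]), fields[2:]


def parse_acls(config_lines):
    """Collect 'access-list N permit|deny ip SRC DST [log]' lines into {N: [AclEntry]}."""
    acls = {}
    for line in config_lines:
        tok = line.split()
        # Skip remarks, standard ACLs (like list 23) and non-'ip' lines; out of scope here.
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] == "remark" or tok[3] != "ip":
            continue
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(tok[1], []).append(AclEntry(tok[2], src, dst))
    return acls


def acl_action(entries, src_ip, dst_ip):
    """First-match evaluation, ending in the implicit deny every IOS ACL has."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


def is_translated(nat_acl, src_ip, dst_ip):
    """'permit' in the NAT ACL means the inside->outside packet gets PATed to fa0/0."""
    return acl_action(nat_acl, src_ip, dst_ip) == "permit"


def client_tunnels_to(split_acl, client_ip, dst_ip):
    """Mirror the router-side split ACL: router src = network the client reaches through
    the tunnel, router dst = the client. Unmatched traffic uses the client's local gateway."""
    return acl_action(split_acl, dst_ip, client_ip) == "permit"


# Constructed input: the ACL lines quoted in the thread, before and after the fix.
NAT_BEFORE = parse_acls([
    "access-list 102 remark NAT",
    "access-list 102 permit ip 192.168.3.0 0.0.0.255 any",
    "access-list 102 permit ip 192.168.4.0 0.0.0.255 any",
])["102"]
NAT_AFTER = parse_acls([
    "access-list 102 remark NAT",
    "access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255",  # NAT exemption
    "access-list 102 permit ip 192.168.3.0 0.0.0.255 any",
])["102"]
SPLIT_FINAL = parse_acls([
    "access-list 105 permit ip 192.168.3.0 0.0.0.255 any",
    "access-list 105 permit ip 192.168.2.0 0.0.0.255 any",
    "access-list 105 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 105 permit ip 192.168.20.0 0.0.0.255 any",
])["105"]

if __name__ == "__main__":
    lan_host, vpn_client, internet = "192.168.3.1", "192.168.4.11", "198.51.100.10"
    print("LAN reply to VPN client NATed (before):", is_translated(NAT_BEFORE, lan_host, vpn_client))
    print("LAN reply to VPN client NATed (after): ", is_translated(NAT_AFTER, lan_host, vpn_client))
    print("LAN to internet still NATed (after):   ", is_translated(NAT_AFTER, lan_host, internet))
    for dst in ("192.168.3.1", "192.168.20.30", internet):
        how = "tunnel" if client_tunnels_to(SPLIT_FINAL, vpn_client, dst) else "clear"
        print(f"client {vpn_client} -> {dst}: {how}")
```

The model deliberately checks only the inside-to-outside NAT path, because that is the direction `ip nat inside source` is evaluated in; it says nothing about why the narrower `192.168.3.0 ... 192.168.4.0` form of ACL 105 behaved differently on the real router, which the thread does not resolve either.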
ASKER
WORKS! You guys are the greatest. Best 10 bucks I ever spent! :)
What about points, considering both of you have done a lot of work?
/JB
It has to be your call, how you think the points are best distributed (they can be split).
ASKER
Thanks again Guys!
/JB