VPN client cannot get access to LAN

   I have setup a VPN based network using Cisco 515E firewall with software based Cisco VPN clients. Now the problem is that the remote VPN user cannot access LAN where i am able to access his PC and connect successfully from my local area and can ping as well although the user a remote VPN can ping his gateway which is firewall. What i know it must be only addition of a line to Cisco 515E so the user may get access to LAN or required server, Please help me to solve this problem as i cannot find the coorect line for addtion. Following is my configuration in Cisco 515E

: Saved
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname Office1
domain-name aib.af
clock timezone AFT 4 30
fixup protocol ctiqbe 2748
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol snmp 161
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list compiled
access-list 100 permit icmp any any echo-reply
access-list Cash-Branch-VPN permit ip
access-list no_nat_inside permit ip
pager lines 50
logging on
logging timestamp
logging console notifications
logging monitor notifications
logging buffered errors
logging trap critical
logging history notifications
logging queue 1024
icmp permit any outside
icmp permit any inside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm drop
ip local pool Remote-Area mask
pdm logging emergencies 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 0 0
access-group neda_acl in interface outside
access-group inside_acl in interface inside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set RemoteMAP esp-3des esp-md5-hmac
crypto ipsec transform-set Cash-Branch-softclient-transform esp-3des esp-md5-hmac
crypto dynamic-map Cash-Branch-softclient-dynmap 65534 set peer
crypto dynamic-map Cash-Branch-softclient-dynmap 65534 set transform-set Cash-Branch-softclient-transform
crypto map RemoteMAP 90 ipsec-isakmp dynamic Cash-Branch-softclient-dynmap
crypto map RemoteMAP interface outside
isakmp enable outside
isakmp identity address
isakmp keepalive 60
isakmp log 50000
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup Remote-Area address-pool Remote-Area
vpngroup Remote-Area split-tunnel Cash-Branch-VPN
vpngroup Remote-Area pfs
vpngroup Remote-Area idle-time 86400
vpngroup Remote-Area max-time 31536000
vpngroup Remote-Area password ********
telnet inside
telnet timeout 5
ssh inside
ssh inside
ssh timeout 60
management-access inside
console timeout 0
terminal width 511
: end
Who is Participating?
true, your IP pool is only one IP so you can't have multiple vpn connections at this time.
First are you sure you want this line in there
crypto dynamic-map Cash-Branch-softclient-dynmap 65534 set peer

next is a very common subnet used on most soho routers.  The client isn't on a network with that subnet ip range are they.  It may be a routing issue then.

the only other thing I could think of is if the client is behind a NAT device which is most of the time.  try this command out
isakmp nat-traversal 20
aib_itAuthor Commented:
1 yes we need this line becuase we use software client.

2  the client is on and the mentioned Ip is of our Inside (LAN)
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

1) using the software client has nothing to do with having that line in there.  check out this page and scroll down to where it talks about crypto dynamic-map with set peer option

2) is the VPN IP, I"m talking about the IP of the client on the network they are VPNing from.
aib_itAuthor Commented:
we will go through item number one and let you know soon .
2-ip of client in remote location is
Oops, must have missed this one in the stack o' emails.

I actually would object to having this Q deleted.  I know the items I mentioned are part or parts of the problem.  If it is still not fixed, then followup information needs to be posted to continue troubleshooting.

I have setup many RA vpn connections before and have never needed to use the entry the asker is saying needs to be used.  Those are typically used in the L2L configs.  However that may or may not be causing the issue, I'm not sure.  Having only one IP in your pool IS definitely part of your problem for multiple VPN clients though.  And the subnets used may be part of the problem depending up on ALL subnets involved (again, possible routing issue).  Please let me know if you need any clarification, additional information, or have any follow up information.  Thanks
Sounds good.  Thanks
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.