aib_it asked:
VPN client cannot get access to LAN

Hi;
   I have set up a VPN-based network using a Cisco 515E firewall with software-based Cisco VPN clients. Now the problem is that the remote VPN user cannot access the LAN, while I am able to access his PC and connect successfully from my local area and can ping it as well, although the remote VPN user can ping his gateway, which is the firewall. What I know is that it must only require the addition of a line to the Cisco 515E so the user may get access to the LAN or the required server. Please help me to solve this problem, as I cannot find the correct line to add. Following is my configuration on the Cisco 515E:

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname Office1
domain-name aib.af
clock timezone AFT 4 30
fixup protocol ctiqbe 2748
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol snmp 161
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list compiled
access-list 100 permit icmp any any echo-reply
access-list Cash-Branch-VPN permit ip 192.168.0.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list no_nat_inside permit ip 192.168.0.0 255.255.255.0 192.168.253.0 255.255.255.0
pager lines 50
logging on
logging timestamp
logging console notifications
logging monitor notifications
logging buffered errors
logging trap critical
logging history notifications
logging queue 1024
icmp permit any outside
icmp permit any inside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.2 255.255.255.240
ip address inside 192.168.0.252 255.255.255.0
ip audit info action alarm
ip audit attack action alarm drop
ip local pool Remote-Area 192.168.253.3 mask 255.255.255.255
pdm logging emergencies 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
access-group neda_acl in interface outside
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set RemoteMAP esp-3des esp-md5-hmac
crypto ipsec transform-set Cash-Branch-softclient-transform esp-3des esp-md5-hmac
crypto dynamic-map Cash-Branch-softclient-dynmap 65534 set peer 10.0.0.170
crypto dynamic-map Cash-Branch-softclient-dynmap 65534 set transform-set Cash-Branch-softclient-transform
crypto map RemoteMAP 90 ipsec-isakmp dynamic Cash-Branch-softclient-dynmap
crypto map RemoteMAP interface outside
isakmp enable outside
isakmp identity address
isakmp keepalive 60
isakmp log 50000
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup Remote-Area address-pool Remote-Area
vpngroup Remote-Area split-tunnel Cash-Branch-VPN
vpngroup Remote-Area pfs
vpngroup Remote-Area idle-time 86400
vpngroup Remote-Area max-time 31536000
vpngroup Remote-Area password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
terminal width 511
Cryptochecksum:c4b8d6f0680c053f787e040873942af3
: end
Cyclops3590

First, are you sure you want this line in there:
crypto dynamic-map Cash-Branch-softclient-dynmap 65534 set peer 10.0.0.170

Next, 192.168.0.0/24 is a very common subnet used on most SOHO routers. The client isn't on a network with that subnet IP range, are they? It may be a routing issue then.

The only other thing I could think of is if the client is behind a NAT device, which is most of the time. Try this command out:
isakmp nat-traversal 20
aib_it (ASKER)

1. Yes, we need this line because we use the software client.

2. The client is on 192.168.253.0, and the mentioned IP 192.168.0.0 is that of our inside (LAN).
Cyclops3590

1) Using the software client has nothing to do with having that line in there. Check out this page and scroll down to where it talks about crypto dynamic-map with the set peer option:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a0080106f66.html

2) 192.168.253.0/24 is the VPN IP; I'm talking about the IP of the client on the network they are VPNing from.
aib_it (ASKER)

We will go through item number one and let you know soon.
2. The IP of the client in the remote location is 192.168.253.3.
ASKER CERTIFIED SOLUTION
Cyclops3590
This solution is only available to members.

Oops, must have missed this one in the stack o' emails.

I actually would object to having this Q deleted. I know the items I mentioned are part or parts of the problem. If it is still not fixed, then follow-up information needs to be posted to continue troubleshooting.

I have set up many RA VPN connections before and have never needed to use the entry the asker is saying needs to be used. Those are typically used in L2L configs. However, that may or may not be causing the issue; I'm not sure. Having only one IP in your pool IS definitely part of your problem for multiple VPN clients, though. And the subnets used may be part of the problem depending upon ALL subnets involved (again, a possible routing issue). Please let me know if you need any clarification, additional information, or have any follow-up information. Thanks
Sounds good.  Thanks
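As an added example that is not part of the thread (my own code, not Cisco's or the asker's), here is a small Python checker that applies the points Cyclops3590 raised to a PIX 6.3 configuration, and goes slightly beyond them: it flags an address pool that holds a single host, a missing isakmp nat-traversal line, a pool that the nat 0 exemption ACL does not cover, and access-group or split-tunnel statements that name an access-list the config never defines (the posted config binds neda_acl and inside_acl but defines neither). The sample input is a trimmed copy of the relevant lines of the posted config.

```python
import ipaddress
import re

# Constructed sample input: a trimmed copy of the relevant lines of the posted PIX 6.3 config.
SAMPLE_CONFIG = """\
access-list Cash-Branch-VPN permit ip 192.168.0.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list no_nat_inside permit ip 192.168.0.0 255.255.255.0 192.168.253.0 255.255.255.0
ip local pool Remote-Area 192.168.253.3 mask 255.255.255.255
nat (inside) 0 access-list no_nat_inside
access-group neda_acl in interface outside
access-group inside_acl in interface inside
vpngroup Remote-Area split-tunnel Cash-Branch-VPN
"""

def acl_dst_networks(lines, acl_name):
    # Destination networks of "access-list NAME permit ip SRC SMASK DST DMASK" entries.
    pat = rf"access-list {re.escape(acl_name)} permit ip \S+ \S+ (\S+) (\S+)$"
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            for l in lines if (m := re.match(pat, l))]

def check_pix_config(text):
    # Returns the findings for the points raised in the thread, as a list of strings.
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []
    defined = {m.group(1) for l in lines if (m := re.match(r"access-list (\S+) ", l))}
    # access-group / split-tunnel bound to an ACL that this config never defines.
    for l in lines:
        m = re.match(r"(?:access-group|vpngroup \S+ split-tunnel) (\S+)", l)
        if m and m.group(1) not in defined:
            findings.append(f"{l}: access-list {m.group(1)} is not defined")
    nat0 = next((m.group(1) for l in lines
                 if (m := re.match(r"nat \(inside\) 0 access-list (\S+)", l))), None)
    exempt = acl_dst_networks(lines, nat0) if nat0 else []
    # "ip local pool NAME START[-END] mask MASK": a single host cannot serve a second client.
    for l in lines:
        m = re.match(r"ip local pool (\S+) (\S+?)(?:-(\S+))? mask \S+$", l)
        if not m:
            continue
        name, start, end = m.groups()
        first = ipaddress.IPv4Address(start)
        count = 1 if end is None else int(ipaddress.IPv4Address(end)) - int(first) + 1
        if count < 2:
            findings.append(f"pool {name} holds a single address; a second client cannot get one")
        # LAN-to-client traffic must bypass NAT, so the pool has to fall inside the nat 0 ACL.
        if not any(first in n for n in exempt):
            findings.append(f"pool {name} is not covered by the nat 0 exemption ACL")
    # Clients behind a NAT device need NAT traversal (UDP 4500 encapsulation) for ESP to pass.
    if not any(l.startswith("isakmp nat-traversal") for l in lines):
        findings.append("isakmp nat-traversal is not configured; clients behind NAT may fail")
    return findings
```

Run check_pix_config(SAMPLE_CONFIG) to list the findings for the sample; feed it a full "show run" to check another box.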