Solved

VPN client cannot get access to LAN

Posted on 2007-03-18
Last Modified: 2012-05-05
Hi;
   I have set up a VPN-based network using a Cisco 515E firewall with software-based Cisco VPN clients. The problem is that the remote VPN user cannot access the LAN, whereas I am able to access his PC, connect successfully from my local area and ping it as well, although the remote VPN user can ping his gateway, which is the firewall. What I know is that it must only be the addition of a line to the Cisco 515E so the user can get access to the LAN or the required server. Please help me to solve this problem, as I cannot find the correct line to add. Following is my configuration on the Cisco 515E:

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname Office1
domain-name aib.af
clock timezone AFT 4 30
fixup protocol ctiqbe 2748
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol snmp 161
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list compiled
access-list 100 permit icmp any any echo-reply
access-list Cash-Branch-VPN permit ip 192.168.0.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list no_nat_inside permit ip 192.168.0.0 255.255.255.0 192.168.253.0 255.255.255.0
pager lines 50
logging on
logging timestamp
logging console notifications
logging monitor notifications
logging buffered errors
logging trap critical
logging history notifications
logging queue 1024
icmp permit any outside
icmp permit any inside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.2 255.255.255.240
ip address inside 192.168.0.252 255.255.255.0
ip audit info action alarm
ip audit attack action alarm drop
ip local pool Remote-Area 192.168.253.3 mask 255.255.255.255
pdm logging emergencies 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
access-group neda_acl in interface outside
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set RemoteMAP esp-3des esp-md5-hmac
crypto ipsec transform-set Cash-Branch-softclient-transform esp-3des esp-md5-hmac
crypto dynamic-map Cash-Branch-softclient-dynmap 65534 set peer 10.0.0.170
crypto dynamic-map Cash-Branch-softclient-dynmap 65534 set transform-set Cash-Branch-softclient-transform
crypto map RemoteMAP 90 ipsec-isakmp dynamic Cash-Branch-softclient-dynmap
crypto map RemoteMAP interface outside
isakmp enable outside
isakmp identity address
isakmp keepalive 60
isakmp log 50000
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup Remote-Area address-pool Remote-Area
vpngroup Remote-Area split-tunnel Cash-Branch-VPN
vpngroup Remote-Area pfs
vpngroup Remote-Area idle-time 86400
vpngroup Remote-Area max-time 31536000
vpngroup Remote-Area password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
terminal width 511
Cryptochecksum:c4b8d6f0680c053f787e040873942af3
: end
Question by:aib_it
11 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 18746492
First, are you sure you want this line in there:
crypto dynamic-map Cash-Branch-softclient-dynmap 65534 set peer 10.0.0.170

Next, 192.168.0.0/24 is a very common subnet used on most SOHO routers. The client isn't on a network with that subnet IP range, are they? It may be a routing issue then.

The only other thing I could think of is if the client is behind a NAT device, which is the case most of the time. Try this command out:
isakmp nat-traversal 20
 

Author Comment

by:aib_it
ID: 18746526
1. Yes, we need this line because we use the software client.

2. The client is on 192.168.253.0, and the mentioned IP 192.168.0.0 is that of our inside (LAN).
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 18746531
1) Using the software client has nothing to do with having that line in there. Check out this page and scroll down to where it talks about crypto dynamic-map with the set peer option:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a0080106f66.html

2) 192.168.253.0/24 is the VPN IP; I'm talking about the IP of the client on the network they are VPNing from.
 

Author Comment

by:aib_it
ID: 18746595
We will go through item number one and let you know soon.
2. The IP of the client in the remote location is 192.168.253.3.
 
LVL 25

Accepted Solution

by:Cyclops3590 (earned 500 total points)
ID: 18748031
True, your IP pool is only one IP, so you can't have multiple VPN connections at this time.
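As an added example (not code from this thread or from Cisco), a small Python checker that parses the relevant lines of the PIX 6.3 configuration posted in the question and flags the two points raised in the answers (a one-address pool and a peer pinned on the dynamic crypto map), plus any ACL that the config references but never defines. The config excerpt is assumed to be trimmed to the lines the checks need; the function name and output wording are this example's own.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3 config posted above, trimmed to the lines these checks need.
PIX_CONFIG = """\
access-list Cash-Branch-VPN permit ip 192.168.0.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list no_nat_inside permit ip 192.168.0.0 255.255.255.0 192.168.253.0 255.255.255.0
ip local pool Remote-Area 192.168.253.3 mask 255.255.255.255
nat (inside) 0 access-list no_nat_inside
access-group neda_acl in interface outside
access-group inside_acl in interface inside
crypto dynamic-map Cash-Branch-softclient-dynmap 65534 set peer 10.0.0.170
vpngroup Remote-Area address-pool Remote-Area
vpngroup Remote-Area split-tunnel Cash-Branch-VPN
"""

# Statements that name an ACL which must be defined by an access-list line.
ACL_REFS = [
    re.compile(r"access-group (\S+) in interface (\S+)"),
    re.compile(r"nat \(\S+\) 0 access-list (\S+)"),
    re.compile(r"vpngroup \S+ split-tunnel (\S+)"),
]

def pool_size(spec: str) -> int:
    """'10.0.0.1-10.0.0.9' -> 9; a bare address (no dash) is a one-address pool."""
    first, _, last = spec.partition("-")
    return int(ipaddress.ip_address(last or first)) - int(ipaddress.ip_address(first)) + 1

def check_ra_vpn(config: str) -> list[str]:
    """Return findings about remote-access VPN settings in a PIX 6.x config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls = {m.group(1) for l in lines if (m := re.match(r"access-list (\S+) (permit|deny)", l))}
    pools = {m.group(1): pool_size(m.group(2))
             for l in lines if (m := re.match(r"ip local pool (\S+) (\S+)", l))}
    findings = []
    for l in lines:
        for pat in ACL_REFS:
            if (m := pat.match(l)) and m.group(1) not in acls:
                findings.append(f"undefined ACL {m.group(1)} referenced by: {l}")
        if re.match(r"crypto dynamic-map \S+ \d+ set peer ", l):
            findings.append(f"dynamic crypto map pins a peer address, not needed for remote-access clients: {l}")
        if m := re.match(r"vpngroup (\S+) address-pool (\S+)", l):
            size = pools.get(m.group(2), 0)
            if size < 2:
                findings.append(f"vpngroup {m.group(1)}: pool {m.group(2)} holds {size} address(es), so only one client can connect at a time")
    return findings

if __name__ == "__main__":
    for f in check_ra_vpn(PIX_CONFIG):
        print("-", f)
```

Run against the posted excerpt it reports four findings: the two access-group lines name ACLs that the config never defines, the dynamic map carries a set peer, and the Remote-Area pool holds a single address.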
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 19084368
Oops, must have missed this one in the stack o' emails.

I actually would object to having this Q deleted.  I know the items I mentioned are part or parts of the problem.  If it is still not fixed, then followup information needs to be posted to continue troubleshooting.

I have set up many RA VPN connections before and have never needed to use the entry the asker is saying needs to be used. Those are typically used in the L2L configs. However, that may or may not be causing the issue; I'm not sure. Having only one IP in your pool IS definitely part of your problem for multiple VPN clients though. And the subnets used may be part of the problem depending upon ALL subnets involved (again, a possible routing issue). Please let me know if you need any clarification, additional information, or have any follow-up information. Thanks.
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 19084820
Sounds good. Thanks.