Solved

VPN client cannot get access to LAN

Posted on 2007-03-18
Last Modified: 2012-05-05
Hi;
   I have set up a VPN-based network using a Cisco 515E firewall with software-based Cisco VPN clients. Now the problem is that the remote VPN user cannot access the LAN, whereas I am able to access his PC and connect successfully from my local area and can ping as well, although the remote VPN user can ping his gateway, which is the firewall. What I know is that it must only be the addition of a line to the Cisco 515E so the user may get access to the LAN or the required server. Please help me to solve this problem as I cannot find the correct line for addition. Following is my configuration on the Cisco 515E:

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname Office1
domain-name aib.af
clock timezone AFT 4 30
fixup protocol ctiqbe 2748
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol snmp 161
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list compiled
access-list 100 permit icmp any any echo-reply
access-list Cash-Branch-VPN permit ip 192.168.0.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list no_nat_inside permit ip 192.168.0.0 255.255.255.0 192.168.253.0 255.255.255.0
pager lines 50
logging on
logging timestamp
logging console notifications
logging monitor notifications
logging buffered errors
logging trap critical
logging history notifications
logging queue 1024
icmp permit any outside
icmp permit any inside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.2 255.255.255.240
ip address inside 192.168.0.252 255.255.255.0
ip audit info action alarm
ip audit attack action alarm drop
ip local pool Remote-Area 192.168.253.3 mask 255.255.255.255
pdm logging emergencies 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
access-group neda_acl in interface outside
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set RemoteMAP esp-3des esp-md5-hmac
crypto ipsec transform-set Cash-Branch-softclient-transform esp-3des esp-md5-hmac
crypto dynamic-map Cash-Branch-softclient-dynmap 65534 set peer 10.0.0.170
crypto dynamic-map Cash-Branch-softclient-dynmap 65534 set transform-set Cash-Branch-softclient-transform
crypto map RemoteMAP 90 ipsec-isakmp dynamic Cash-Branch-softclient-dynmap
crypto map RemoteMAP interface outside
isakmp enable outside
isakmp identity address
isakmp keepalive 60
isakmp log 50000
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup Remote-Area address-pool Remote-Area
vpngroup Remote-Area split-tunnel Cash-Branch-VPN
vpngroup Remote-Area pfs
vpngroup Remote-Area idle-time 86400
vpngroup Remote-Area max-time 31536000
vpngroup Remote-Area password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
terminal width 511
Cryptochecksum:c4b8d6f0680c053f787e040873942af3
: end
Question by:aib_it
11 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 18746492
First, are you sure you want this line in there:
crypto dynamic-map Cash-Branch-softclient-dynmap 65534 set peer 10.0.0.170

Next, 192.168.0.0/24 is a very common subnet used on most SOHO routers.  The client isn't on a network with that subnet IP range, are they?  It may be a routing issue then.

The only other thing I could think of is if the client is behind a NAT device, which is most of the time.  Try this command out:
isakmp nat-traversal 20
 

Author Comment

by:aib_it
ID: 18746526
1. Yes, we need this line because we use the software client.

2. The client is on 192.168.253.0 and the mentioned IP 192.168.0.0 is that of our inside (LAN).
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 18746531
1) Using the software client has nothing to do with having that line in there.  Check out this page and scroll down to where it talks about crypto dynamic-map with the set peer option:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a0080106f66.html

2) 192.168.253.0/24 is the VPN IP; I'm talking about the IP of the client on the network they are VPNing from.

Author Comment

by:aib_it
ID: 18746595
1. We will go through item number one and let you know soon.
2. The IP of the client in the remote location is 192.168.253.3.
 
LVL 25

Accepted Solution

by: Cyclops3590 (earned 2000 total points)
ID: 18748031
True, your IP pool is only one IP, so you can't have multiple VPN connections at this time.
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 19084368
Oops, must have missed this one in the stack o' emails.

I actually would object to having this Q deleted.  I know the items I mentioned are part or parts of the problem.  If it is still not fixed, then follow-up information needs to be posted to continue troubleshooting.

I have set up many RA VPN connections before and have never needed to use the entry the asker is saying needs to be used.  Those are typically used in the L2L configs.  However, that may or may not be causing the issue; I'm not sure.  Having only one IP in your pool IS definitely part of your problem for multiple VPN clients though.  And the subnets used may be part of the problem depending upon ALL subnets involved (again, possible routing issue).  Please let me know if you need any clarification, additional information, or have any follow-up information.  Thanks
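As an added example (not code from the question or from any poster), a small Python linter that runs the checks raised in this thread over an excerpt of the posted configuration: interface ACLs named in access-group but absent from the posting, the one-address pool, agreement between the split-tunnel and nat 0 ACLs, the dynamic-map set peer entry and isakmp nat-traversal. The function names and the widened pool range 192.168.253.3-192.168.253.50 are assumptions made for illustration.

```python
import ipaddress
import re
# Excerpt of the PIX 6.3 configuration posted in the question; lines the
# remote-access VPN checks below do not look at are omitted.
PIX_CONFIG = """\
access-list Cash-Branch-VPN permit ip 192.168.0.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list no_nat_inside permit ip 192.168.0.0 255.255.255.0 192.168.253.0 255.255.255.0
ip local pool Remote-Area 192.168.253.3 mask 255.255.255.255
nat (inside) 0 access-list no_nat_inside
access-group neda_acl in interface outside
access-group inside_acl in interface inside
crypto dynamic-map Cash-Branch-softclient-dynmap 65534 set peer 10.0.0.170
vpngroup Remote-Area address-pool Remote-Area
vpngroup Remote-Area split-tunnel Cash-Branch-VPN
"""

def lint_ra_vpn(config):
    """Return remote-access VPN findings for a PIX 6.3 running-config."""
    findings = []
    # Collect each ACL's permit rules so two ACLs can be compared by content.
    rules = {}
    for m in re.finditer(r"^access-list (\S+) (permit .+)$", config, re.M):
        rules.setdefault(m.group(1), set()).add(" ".join(m.group(2).split()))
    # An access-group naming an ACL absent from the config deserves a look
    # (the posted config may simply be truncated).
    for m in re.finditer(r"^access-group (\S+) ", config, re.M):
        if m.group(1) not in rules:
            findings.append(f"access-group references undefined ACL {m.group(1)}")
    # Pool is 'first-last' or a single address; one address serves one client.
    m = re.search(r"^ip local pool (\S+) ([\d.]+)(?:-([\d.]+))?", config, re.M)
    if m:
        first = int(ipaddress.IPv4Address(m.group(2)))
        last = int(ipaddress.IPv4Address(m.group(3) or m.group(2)))
        if last - first + 1 < 2:
            findings.append(f"pool {m.group(1)} holds a single address")
    # Split-tunnel ACL and NAT-exemption (nat 0) ACL should cover the same traffic.
    st = re.search(r"^vpngroup \S+ split-tunnel (\S+)", config, re.M)
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if st and nat0 and rules.get(st.group(1)) != rules.get(nat0.group(1)):
        findings.append("split-tunnel ACL and nat 0 ACL differ")
    # Clients behind home NAT routers need NAT-T enabled on the head end.
    if not re.search(r"^isakmp nat-traversal", config, re.M):
        findings.append("isakmp nat-traversal not configured")
    # A fixed peer on a dynamic map is a site-to-site idiom, not a client one.
    if re.search(r"^crypto dynamic-map .* set peer ", config, re.M):
        findings.append("dynamic-map carries a static 'set peer'")
    return findings

def widen_pool(config, first, last):
    """Remediation: rewrite the single-address pool as a first-last range."""
    return re.sub(r"^(ip local pool \S+ )\S+(?: mask \S+)?$",
                  rf"\g<1>{first}-{last}", config, flags=re.M)
```

Against the posted excerpt the linter reports five findings and no split-tunnel mismatch; after widen_pool the pool finding disappears while the others remain.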
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 19084820
Sounds good.  Thanks