Solved

After I connect to my Cisco VPN Client I cannot ping anything on the LAN

Posted on 2011-03-14
8
780 Views
Last Modified: 2012-05-11
Ok, here's my issue.  Remote users connect to my network via the Cisco VPN Client.  My remote access VPN is configured on a Cisco VPN Concentrator 3060.  Attached is a network diagram showing my network.  I changed my address pool on my VPN Concentrator, because I wanted it to hand out IP addresses in a different IP block.  So as you can see, when remote users connect to the VPN they get an address in the 192.168.87.0/24 range as depicted on my network diagram.  Once connected I can ping both the inside interface and outside interface of the Cisco VPN concentrator, but I cannot ping anything else in my LAN (switches, servers, workstations, etc).  I know this is because my LAN is on a 10.0.0.0/20 network, and the addresses my remote users are getting after connecting with the Cisco VPN Client are in the 192.168.87.0/24 network.  Any assistance would be greatly appreciated.  Thanks.
0
Comment
Question by:denver218
8 Comments
 
LVL 4

Author Comment

by:denver218
ID: 35130952
Sorry, I forgot to attach the network diagram.  Thanks. Network Diagram
0
 
LVL 26

Expert Comment

by:pony10us
ID: 35130993
1. Are the VPN users able to access the devices in the 10.0.0.0/20 network? Can they RDP to a device?

2. Do you have ICMP permitted between the two networks on the Cisco 3060?
0
 
LVL 6

Accepted Solution

by:
expert02232010 earned 500 total points
ID: 35130997
Have you created a route on your internal network that routes the 192.168.87.0 subnet to the VPN Concentrator?
0
 
LVL 1

Expert Comment

by:Mikehyde
ID: 35131025
A VPN concentrator is not a router. As you now have users in a different subnet, they cannot talk to anyone who is NOT in their local subnet (192.x).

You can ping the interfaces as they are directly connected and do not need to be routed.

The solution is to give them IPs in the range.

The alternative (harder situation) is to add in routing. You can do this a variety of ways. If you have a current router with available interfaces, you can put a leg into each subnet. No config would be required as the subnets are directly attached and the router would know where to route.

If you have a VLAN-capable Layer 3 router (not enhanced Layer 2), you could also use VLANs, which will route traffic.

I could not find an attached diagram, so this is my best without knowing more specifics. It is not broken; this is the default behavior expected. You need routing if you have different subnets.

NOTE: Even Layer 2 routers with VLANs can't route traffic on the same device. This haunted us in the past as you could make VLANs but they couldn't talk to each other. You had to "hang" an L3 router off the device, essentially telling it to route traffic for VLANs. This was called router-on-a-stick and was the lamest thing ever.
0
 
LVL 4

Author Comment

by:denver218
ID: 35131043
No, users cannot access devices in the 10.0.0.0/20 network.  Once connected to the concentrator, I can ping 10.0.0.5, which is the inside interface of the concentrator, and I can ping 192.168.50.2, which is the outside interface of the concentrator.
0
 
LVL 4

Author Comment

by:denver218
ID: 35131110
My requirement is not to have the concentrator hand out IPs that are in the same range as the LAN.  I can get it to work without issue if my IP pool on the concentrator is in the same range as my LAN.  I know I'm missing a route statement here somewhere to get this working with a different subnet; I just don't know where.  Thanks.
0
 
LVL 1

Expert Comment

by:Mikehyde
ID: 35131149
You can ping the interfaces as they are directly connected. This requires no routing. Anyone else can't be pinged as it looks for a route and there is no route defined.

I now see your diagram. Can 172 talk to 10.0?

That ASA5510 may be where you are routing as well.
0
 
LVL 4

Author Closing Comment

by:denver218
ID: 35131237
That's what I needed: a route on my internal network.  On the 3550-12G I added the following route statement:
ip route 192.168.87.0 255.255.255.0 10.0.0.5

After adding this I could ping and RDP into machines on my LAN.   Thanks.
0
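The thread's root cause is the return path: the concentrator can reach the LAN directly, but LAN hosts hand their replies to the core switch, which has no route for 192.168.87.0/24 until the static route above is added. The following Python script is an added example (not code from the thread or from Cisco) that simulates longest-prefix-match lookups on both devices to show why pinging the concentrator's inside interface works before the fix, why pinging a LAN host fails, and why the added route repairs it. The addresses 10.0.0.0/20, 192.168.87.0/24 and 10.0.0.5 come from the thread; the LAN host 10.0.1.20, the VPN client 192.168.87.10 and the switch's default next hop 10.0.0.1 are constructed assumptions.

```python
import ipaddress

# --- values taken from the thread ---
LAN = "10.0.0.0/20"                     # internal network
VPN_POOL = "192.168.87.0/24"            # new concentrator address pool
CONCENTRATOR_INSIDE = ipaddress.ip_address("10.0.0.5")

# --- constructed values (assumptions, not in the thread) ---
LAN_DEFAULT_GW = "10.0.0.1"                          # assumed default next hop of the core switch
LAN_HOST = ipaddress.ip_address("10.0.1.20")         # an arbitrary LAN server
VPN_CLIENT = ipaddress.ip_address("192.168.87.10")   # an address handed out from the new pool


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs.

    Returns the next hop string of the most specific matching prefix,
    or None when no route covers dst.
    """
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


# Concentrator: both the LAN and the client pool are directly connected from its
# point of view, so the forward path from a client into the LAN needs no extra route.
CONCENTRATOR_ROUTES = [
    (LAN, "connected"),
    (VPN_POOL, "connected"),
]

# Core switch (3550-12G) before the fix: it knows its own LAN and a default route only.
SWITCH_ROUTES_BEFORE = [
    (LAN, "connected"),
    ("0.0.0.0/0", LAN_DEFAULT_GW),
]

# After "ip route 192.168.87.0 255.255.255.0 10.0.0.5": the pool now points at the
# concentrator's inside interface, which is more specific than the default route.
SWITCH_ROUTES_AFTER = SWITCH_ROUTES_BEFORE + [(VPN_POOL, str(CONCENTRATOR_INSIDE))]


def ping_round_trip(switch_routes, target):
    """Simulate an ICMP echo from VPN_CLIENT to target and the echo reply back.

    Returns (forward_next_hop, reply_next_hop, success). The forward leg is
    decided by the concentrator; the reply leg by the core switch that LAN
    hosts use as their gateway. The ping succeeds only if the reply is sent
    back to the concentrator.
    """
    fwd = next_hop(CONCENTRATOR_ROUTES, target)
    if fwd is None:
        return (None, None, False)
    if target == CONCENTRATOR_INSIDE:
        # The concentrator answers for its own interface; the reply never
        # consults the LAN routing table, which is why this ping always works.
        return (fwd, "local", True)
    back = next_hop(switch_routes, VPN_CLIENT)
    return (fwd, back, back == str(CONCENTRATOR_INSIDE))


if __name__ == "__main__":
    for label, table in (("before fix", SWITCH_ROUTES_BEFORE), ("after fix", SWITCH_ROUTES_AFTER)):
        for target in (CONCENTRATOR_INSIDE, LAN_HOST):
            fwd, back, ok = ping_round_trip(table, target)
            print(f"{label:10} ping {target}: forward={fwd} reply={back} -> {'OK' if ok else 'FAIL'}")
```

Running it prints a successful ping to 10.0.0.5 in both states, a failed ping to the LAN host before the route (the reply follows the default route away from the concentrator) and a successful one after it. Note that the static route gives every address in the pool a return path to the whole 10.0.0.0/20 LAN, so any restriction on what VPN users may reach still has to be enforced by the concentrator's own filters rather than by the absence of routing.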