Cisco 1841 VPN Configuration with Cisco VPN client

Hello, I configured the 1841 for Internet routing and Cisco client connection. See the attached configuration of the router. The router routes out from the internal network and was able to authenticate the user, and the VPN client gets connected. However, the VPN client cannot connect to any internal resources at all. I also need to configure it for split tunneling so that the VPN client can access the internal resources of the LAN without getting cut off from the Internet while it is connected to the VPN tunnel.

Any help is appreciated.

thank you
1841-router-config.txt
ZoltanTeplan Asked:
Istvan Kalmar, Head of IT Security Division, Commented:
Hi,

You need to move the VPN pool to an individual subnet:
!
no  ip local pool pool1 192.168.1.70 192.168.1.100
ip local pool pool1 192.168.2.70 192.168.2.100

crypto isakmp client configuration group sasmatheson
 no acl 100
 acl 1
!
access-list 1 permit 192.168.1.0 0.0.0.255
no access-list 102
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any

CTRL+Z
clear ip nat trans
ZoltanTeplan (Author) Commented:
Hi, thanks for the quick reply. I made the change as you suggested and cleared the NAT translation table, but I still can't ping the internal IP of the router -> 192.168.1.1. My Cisco VPN client gets the 192.168.2.70 IP address, so that works. I will do a reload of the router in the meantime.
Istvan Kalmar, Head of IT Security Division, Commented:
Hi,

You are never able to ping the Ethernet leg of the router, only hosts behind the router!
If you want to ping the router, I advise configuring a loopback interface:

int loop 1
 ip add 1.1.1.1 255.255.255.255
access-list 1 permit 1.1.1.1
ip access-list extended 102
 1 deny ip host 1.1.1.1 192.168.2.0 0.0.0.255

ZoltanTeplan (Author) Commented:
Hi, I resolved the problem after all. The separate IP subnet for the VPN client pool was helpful.

The access-list 1 did not work.

I changed the following:
=======================
crypto isakmp client configuration group sasmatheson
 key xxxyyy
 domain xyz.com
 pool pool1
 acl 110
======================================

ip local pool pool1 192.168.2.70 192.168.2.100

=======================================
ip nat pool matheson 192.168.1.0 192.168.1.254 netmask 255.255.255.0
ip nat inside source list 102 interface FastEthernet0/1 overload
!
ip access-list extended NAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

========================================================


With those changes I was able to access internal resources plus accomplish split tunneling.

Thank you for pointing me in the right direction regarding putting the DHCP IP pool (pool1) on a separate subnet.
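
The three changes that made the author's final configuration work (a client pool on its own subnet, a NAT access-list that exempts LAN-to-pool traffic before the overload permit, and a split-tunnel access-list pushed to the client) can be checked mechanically against a saved running-config. The script below is an added example, not code from this thread or from Cisco. It parses only the IOS lines involved (`ip local pool`, `ip nat inside source list`, the `crypto isakmp client configuration group` block, and numbered extended `access-list N permit|deny ip ...` entries), assumes contiguous wildcard masks, and uses the author's working configuration plus a constructed "before" configuration as sample input; the LAN prefix and the public test address 203.0.113.10 are assumptions supplied by the caller.

```python
"""Audit an IOS Easy VPN server config for the three properties discussed in the thread:
pool disjoint from the LAN, NAT exemption for LAN->pool, and a split-tunnel ACL on the group.
Added example; not code from the thread or from Cisco."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

# Sample input taken from the author's final working configuration in the thread.
WORKING_CONFIG = """\
crypto isakmp client configuration group sasmatheson
 key xxxyyy
 domain xyz.com
 pool pool1
 acl 110
ip local pool pool1 192.168.2.70 192.168.2.100
ip nat inside source list 102 interface FastEthernet0/1 overload
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

# Constructed "before" state: pool inside the LAN, no NAT exemption, no split-tunnel ACL.
BROKEN_CONFIG = """\
crypto isakmp client configuration group sasmatheson
 pool pool1
ip local pool pool1 192.168.1.70 192.168.1.100
ip nat inside source list 102 interface FastEthernet0/1 overload
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
"""

def parse_target(tokens):
    """Consume one ACE address spec ('any', 'host A', or 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # Contiguous wildcard assumed: number of set bits == number of host bits.
    prefix = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]

def parse_config(text):
    """Extract pools, the NAT ACL number, the group's pool/acl, and extended numbered ACEs."""
    cfg = {"acls": {}, "pools": {}, "nat_acl": None, "group_acl": None, "group_pool": None}
    in_group = False
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        indented = raw.startswith(" ")
        tokens = raw.split()
        if not indented:  # a top-level line ends any group block
            in_group = tokens[:4] == ["crypto", "isakmp", "client", "configuration"]
        if in_group and indented:
            if tokens[0] == "acl":
                cfg["group_acl"] = tokens[1]
            elif tokens[0] == "pool":
                cfg["group_pool"] = tokens[1]
        elif tokens[:3] == ["ip", "local", "pool"]:
            cfg["pools"][tokens[3]] = (ipaddress.IPv4Address(tokens[4]),
                                       ipaddress.IPv4Address(tokens[5]))
        elif tokens[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["nat_acl"] = tokens[5]
        elif tokens[0] == "access-list" and len(tokens) > 3 and tokens[3] == "ip":
            src, rest = parse_target(tokens[4:])
            dst, _ = parse_target(rest)
            cfg["acls"].setdefault(tokens[1], []).append((tokens[2], src, dst))
    return cfg

def first_match(entries, src_ip, dst_ip):
    """IOS ACL semantics: first matching entry wins; no match means implicit deny."""
    for action, src, dst in entries:
        if src_ip in src and dst_ip in dst:
            return action
    return "deny"

def audit(text, lan_prefix, outside_host="203.0.113.10"):
    """Return a dict of the three checks; lan_prefix and outside_host are caller assumptions."""
    cfg = parse_config(text)
    lan = ipaddress.ip_network(lan_prefix)
    pool = cfg["pools"].get(cfg["group_pool"])
    if pool is None:
        return {"pool_defined": False}
    start, end = pool
    lan_host = lan[1]
    # 1. Client addresses must not live inside the LAN prefix (the thread's root cause).
    disjoint = start not in lan and end not in lan
    # 2. LAN->pool must hit a deny in the NAT ACL, or replies to clients get PAT'ed out.
    nat_entries = cfg["acls"].get(cfg["nat_acl"], [])
    nat_exempt = first_match(nat_entries, lan_host, start) == "deny"
    # 3. Split tunnel: LAN->client permitted (tunneled), everything else implicitly denied.
    st_entries = cfg["acls"].get(cfg["group_acl"], []) if cfg["group_acl"] else []
    split = (bool(st_entries)
             and first_match(st_entries, lan_host, start) == "permit"
             and first_match(st_entries, ipaddress.ip_address(outside_host), start) == "deny")
    return {"pool_disjoint_from_lan": disjoint, "nat_exempts_vpn": nat_exempt,
            "split_tunnel_configured": split}

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONFIG), ("working", WORKING_CONFIG)):
        print(name, audit(text, "192.168.1.0/24"))
```

Run it as-is to see the "before" configuration fail all three checks and the author's final configuration pass them; to audit your own router, paste the relevant lines of `show running-config` into the string and pass your LAN prefix to `audit()`.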
ZoltanTeplan (Author) Commented:
The solution was partially complete.