Cisco 1841 VPN Configuration with Cisco VPN client

Hello, I configured the 1841 for Internet routing and Cisco client connection. See the attached configuration of the router. The router routes out from the internal network and was able to authenticate the user, and the VPN client gets connected. However, the VPN client cannot connect to any internal resources at all. I also need to configure it for split tunneling so that the VPN client can access the internal resources of the LAN without getting cut off from the Internet while it is connected to the VPN tunnel.

Any help is appreciated.

thank you
1841-router-config.txt
ZoltanTeplan Asked:
ZoltanTeplan (Author) Commented:
Hi, I resolved the problem after all. The separate IP subnet was helpful for the VPN client pool.

The access-list 1 did not work.

I changed the following:
=======================
crypto isakmp client configuration group sasmatheson
 key xxxyyy
 domain xyz.com
 pool pool1
 acl 110
======================================

ip local pool pool1 192.168.2.70 192.168.2.100

=======================================
ip nat pool matheson 192.168.1.0 192.168.1.254 netmask 255.255.255.0
ip nat inside source list 102 interface FastEthernet0/1 overload
!
ip access-list extended NAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

========================================================


With those changes I was able to access internal resources plus accomplish split tunneling.

Thank you for pointing me in the right direction regarding the DHCP ip pool1 to be on a separate subnet.






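The three things this thread ended up fixing (a client pool carved out of the LAN subnet, a split-tunnel ACL that did not cover the LAN, and a NAT ACL with no exemption for LAN-to-pool traffic) are easy to check mechanically before pushing a config. The script below is an added example, not code from the thread or from Cisco; it parses only the line types used in the posts above ("ip local pool", the group's "pool" and "acl" lines, "ip nat inside source list", and numbered "access-list" entries, standard or extended "ip"), assumes the LAN is 192.168.1.0/24 as the ACLs in the thread imply, and uses two constructed samples: the working lines from the final post and a reconstruction of the starting state.

```python
"""Sanity checks for an IOS Easy VPN (crypto isakmp client group) config with split tunnelling.
Added example; only the line types used in the thread are parsed."""
import ipaddress
import re

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)")
NAT_RE = re.compile(r"^ip nat inside source list (\S+) ")
GROUP_POOL_RE = re.compile(r"^\s+pool (\S+)")
GROUP_ACL_RE = re.compile(r"^\s+acl (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny)\s+(.*)$")
ANY = ipaddress.ip_network("0.0.0.0/0")


def _wild_to_net(addr, wildcard):
    """IOS 'address wildcard' -> IPv4Network (wildcard 0.0.0.0 means a single host)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)


def _parse_addr(tokens, i):
    """Consume one address spec ('any' | 'host X' | 'X wildcard') at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return _wild_to_net(tokens[i], tokens[i + 1]), i + 2


def parse_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, action, rest = m.groups()
        tokens = rest.split()
        if tokens[0] == "ip":                  # extended: ip <src> <dst>
            src, i = _parse_addr(tokens, 1)
            dst, _ = _parse_addr(tokens, i)
        elif len(tokens) == 1:                 # standard, bare address = host
            src, dst = ipaddress.ip_network(tokens[0] + "/32"), ANY
        else:                                  # standard: <addr> <wildcard> or host X
            src, _ = _parse_addr(tokens, 0)
            dst = ANY
        acls.setdefault(name, []).append((action, src, dst))
    return acls


def nat_verdict(entries, lan, pool_addr):
    """First-match ACL evaluation for a packet from a LAN host to a VPN pool address."""
    lan_host = next(lan.hosts())
    for action, src, dst in entries:
        if lan_host in src and pool_addr in dst:
            return action
    return "deny"                              # implicit deny at the end of an IOS ACL


def check_vpn_config(config, lan):
    """Return a list of findings; an empty list means all three checks passed."""
    lan = ipaddress.ip_network(lan)
    pools, group_pool, split_acl, nat_acl = {}, None, None, None
    for line in config.splitlines():
        if m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := NAT_RE.match(line):
            nat_acl = m.group(1)
        elif m := GROUP_POOL_RE.match(line):
            group_pool = m.group(1)
        elif m := GROUP_ACL_RE.match(line):
            split_acl = m.group(1)
    acls = parse_acls(config)
    findings = []
    # 1. Client pool on its own subnet, not carved out of the LAN (the thread's first fix).
    start, end = pools.get(group_pool, (None, None))
    if start is None:
        findings.append("group references no defined ip local pool")
    elif start in lan or end in lan:
        findings.append(f"VPN pool {start}-{end} overlaps LAN {lan}")
    # 2. Split-tunnel ACL present and covering the LAN; otherwise the client either
    #    tunnels everything (no split) or never sends LAN traffic into the tunnel.
    if split_acl not in acls:
        findings.append("group has no defined split-tunnel acl")
    elif not any(a == "permit" and lan.subnet_of(src) for a, src, _ in acls[split_acl]):
        findings.append(f"split-tunnel acl {split_acl} does not cover LAN {lan}")
    # 3. NAT must exempt LAN -> pool traffic, or replies to VPN clients are translated
    #    out of the Internet interface instead of entering the tunnel.
    if nat_acl is not None and start is not None:
        if nat_verdict(acls.get(nat_acl, []), lan, start) == "permit":
            findings.append(f"NAT acl {nat_acl} translates LAN -> VPN pool; add a deny before the permit")
    return findings


# Constructed sample: the working lines posted after the fix.
WORKING = """\
ip local pool pool1 192.168.2.70 192.168.2.100
crypto isakmp client configuration group sasmatheson
 pool pool1
 acl 110
ip nat inside source list 102 interface FastEthernet0/1 overload
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# Constructed reconstruction of the starting state: pool inside the LAN, no NAT exemption.
BROKEN = """\
ip local pool pool1 192.168.1.70 192.168.1.100
crypto isakmp client configuration group sasmatheson
 pool pool1
 acl 110
ip nat inside source list 102 interface FastEthernet0/1 overload
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.1.64 0.0.0.63
"""

if __name__ == "__main__":
    for name, cfg in (("working", WORKING), ("broken", BROKEN)):
        print(name, check_vpn_config(cfg, "192.168.1.0/24") or "OK")
```

The NAT check deliberately walks the ACL in order with first-match semantics, because the fix in this thread depends on the deny sitting above the "permit ... any" line; a deny appended after the permit would never be reached.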
Istvan Kalmar, Head of IT Security Division, Commented:
Hi,

You need to move the VPN pool to an individual subnet:
!
no  ip local pool pool1 192.168.1.70 192.168.1.100
ip local pool pool1 192.168.2.70 192.168.2.100

crypto isakmp client configuration group sasmatheson
 no acl 100
 acl 1
!
access-list 1 permit 192.168.1.0 0.0.0.255
no access-list 102
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any

CTRL+Z
clear ip nat trans
ZoltanTeplan (Author) Commented:
Hi, thanks for the quick reply. I made the change as you suggested and cleared the NAT translation table, but I still can't ping the internal IP of the router -> 192.168.1.1. My Cisco VPN client gets the 192.168.2.70 IP address, so that works. I'll do a reload of the router in the meantime.
Istvan Kalmar, Head of IT Security Division, Commented:
Hi,

You are never able to ping the eth leg of the router, only hosts behind the router!
If you want to ping the router, I advise configuring a loopback interface:

int loop 1
 ip add 1.1.1.1 255.255.255.255
access-list 1 permit 1.1.1.1
ip access-list extended 102
 1 deny ip host 1.1.1.1 192.168.2.0 0.0.0.255

ZoltanTeplan (Author) Commented:
The solution was partially complete.
Question has a verified solution.