Cisco 1841 VPN Configuration with Cisco VPN client

Hello, I configured the 1841 for Internet routing and Cisco client connection. See the attached configuration of the router. The router routes out from the internal network and was able to authenticate the user and the VPN client gets connected. However the VPN client cannot connect to any internal resources at all. Also need to configure it for split tunneling so that the VPN client can both access the internal resources of the LAN without getting cut off from the Internet while it is connected to the VPN tunnel.

Any help is appreciated.

thank you

Istvan Kalmar, Head of IT Security Division, commented:

You need to move the vpn pool to individual subnet:
no  ip local pool pool1
ip local pool pool1

crypto isakmp client configuration group sasmatheson
 no acl 100
 acl 1
access-list 1 permit
no access-list 102
access-list 102 deny ip
access-list 102 permit ip any

clear ip nat trans

ZoltanTeplan (Author) commented:
Hi, Thanks for the quick reply. Made the change as you suggested and cleared the NAT translation table but still can't ping the internal IP of the router -> My cisco VPN client gets the IP address so that works. I do a reload of the router in the meantime.

Istvan Kalmar, Head of IT Security Division, commented:

You are never able to ping the eth leg of the leg, only a host behind the router!
If you want to ping the router I advise configuring a loopback interface:

int loop 1
 ip add
access-list 1 permit
ip access-list extended 102
 1 deny ip host

ZoltanTeplan (Author) commented:
Hi, I resolved the problem after all. The separate IP subnet was helpful for the VPN clients pool.

The access-list 1 did not work.

I changed the following:
crypto isakmp client configuration group sasmatheson
 key xxxyyy
 pool pool1
 acl 110

ip local pool pool1

ip nat pool matheson netmask
ip nat inside source list 102 interface FastEthernet0/1 overload
ip access-list extended NAT
 deny   ip
access-list 102 deny   ip
access-list 102 permit ip any
access-list 110 permit ip


With those changes I was able to access internal resources plus accomplish split tunneling.

Thank you for pointing me in the right direction regarding the DHCP ip pool1 to be on a separate subnet.
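
The three pieces this thread converges on (a VPN pool on its own subnet, a split-tunnel ACL bound to the client group, and a NAT ACL that exempts LAN-to-pool traffic before the overload rule), shown together as an added example that is not part of the original posts. All addresses are constructed because the thread's own addresses are not shown: LAN 192.168.10.0/24 and VPN pool 192.168.50.0/24 are assumptions, and the key is a placeholder.

```cisco
! --- Constructed addressing (assumption, not from the thread) ---
!   Inside LAN : 192.168.10.0/24
!   VPN pool   : 192.168.50.0/24  (must NOT overlap the LAN subnet)

! 1. Client address pool on a dedicated subnet
ip local pool pool1 192.168.50.10 192.168.50.50

! 2. Split-tunnel ACL: only traffic for the LAN is sent through the tunnel;
!    everything else leaves the client via its local Internet connection.
!    An extended ACL is used, with the protected LAN as the source.
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255

crypto isakmp client configuration group sasmatheson
 key <pre-shared-key-placeholder>
 pool pool1
 acl 110

! 3. NAT ACL: the deny line must come first so that replies from LAN hosts
!    to VPN clients are NOT translated by the overload rule. If they were
!    translated, they would no longer match the IPsec SA and would leave
!    unencrypted toward the Internet instead of returning to the client.
access-list 102 deny   ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any

ip nat inside source list 102 interface FastEthernet0/1 overload

! 4. Flush stale translations created before the ACL change (exec mode)
! clear ip nat translation *
```

After a client connects, `show access-lists 102` should show hit counts on the deny line when the client reaches LAN hosts, and `show crypto ipsec sa` should show the encaps and decaps counters rising for the client's SA.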


ZoltanTeplan (Author) commented:
The solution was partially complete.