VPN clients unable to talk to internal networks

Remote clients (on 192.168.0.X) can connect to a router fine; the VPN clients cannot access any of the internal networks, though. The only interface they can ping is 172.16.2.1.

Here's a look at the config:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 3725router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$BUZ8$
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate slot 2
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.2.1
ip dhcp excluded-address 172.16.3.1
ip dhcp excluded-address 172.16.3.100 172.16.3.150
!
ip dhcp pool VLAN2clients
   network 172.16.2.0 255.255.255.0
   default-router 172.16.2.1
   dns-server 205.152.144.23 205.152.132.23
!
ip dhcp pool VLAN3clients
   network 172.16.3.0 255.255.255.0
   default-router 172.16.3.1
   dns-server 205.152.144.23 205.152.132.23
!
ip domain name neocipher.net
ip name-server 205.
ip name-server 205.
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
vpdn-group L2TP_VPN
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
crypto pki trustpoint TP-self-signed-995375956
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-995375956
 revocation-check none
 rsakeypair TP-self-signed-995375956
!
crypto pki certificate chain TP-self-signed-995375956
 certificate self-signed 01
  3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101
  04050030 30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D
  43657274 69666963 6174652D 39393533 37353935 36301E17 0D303230 33303130
  36313133 335A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403
  1325494F 532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3939
  35333735 39353630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189
  02818100 CF80B9FF 105E6689 8ECB41A9 A433EA68 9142AC1C 27941675 D8308151
  4C68D1E8 A13039C9 75CBB9B3 C5078A7B FF67D8C0 FC1EBBF8 0C17EE00 BCA4056E
  1903F769 0C21CAB6 D04CCAAA 73D4F744 523FE2B1 0E2AC55C F85A6896 347328B1
  504B8A05 FAA9C1DF 31786DA6 3F64652C 9AE3B1C5 5E69122C 748160E3 818F110F
  3978F0FF 02030100 01A37830 76300F06 03551D13 0101FF04 05300301 01FF3023
  0603551D 11041C30 1A821833 37323572 6F757465 722E6E65 6F636970 6865722E
  6E657430 1F060355 1D230418 30168014 FC48BF7D 9B97167A 41CF22FD 013C798A
  154EC666 301D0603 551D0E04 160414FC 48BF7D9B 97167A41 CF22FD01 3C798A15
  4EC66630 0D06092A 864886F7 0D010104 05000381 8100CA4B 1A56F508 476C297C
  32C830F2 21EBA101 A3D47202 7DD7FCB8 E91911EF 6EFC8095 0AA1B548 14468A43
  41A8E271 176CC0F1 C576F65F 125A2A64 785149D9 1A302553 37E59C30 B59CEF3D
  C63E5019 8897B79D C3DA4587 5EF1BC45 B10CB03C 0BFC1E1F 0AF2DF66 16653E18
  5E2FC795 5D9BB821 85471E48 C34845A2 1BE83EAF F58D
  quit
username rsreese privilege 15 secret 5 $1$k.mV$
username test password 7 120D0
!
ip ssh authentication-retries 2
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key mskey address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group VPN-Users
 key test00
 dns 205.152.144.23 205.152.132.23
 domain neocipher.net
 pool VPN_POOL
 include-local-lan
 max-logins 10
 netmask 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile 65535
 set transform-set ESP-3DES-SHA
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
!
crypto map SDM_CMAP_1 client authentication list default
crypto map SDM_CMAP_1 isakmp authorization list default
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address dhcp client-id FastEthernet0/0 hostname 3725router
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map SDM_CMAP_1
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1
 ip address 172.20.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1.2
 encapsulation dot1Q 2
 ip address 172.16.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1.3
 encapsulation dot1Q 3
 ip address 172.16.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 crypto map SDM_CMAP_1
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool PPTP-POOL
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2 ms-chap chap
!
ip local pool PPTP-POOL 172.16.20.25 172.16.20.35
ip local pool VPN_POOL 192.168.0.50 192.168.0.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 111 interface FastEthernet0/0 overload
!
ip access-list extended LAN_IN
 permit ip host 192.168.0.51 any
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 172.16.0.0 0.0.255.255 any
 deny   ip any any log
!
access-list 111 permit ip 172.16.0.0 0.0.255.255 any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password 7 05080F1C2243
 transport input ssh
line vty 5 903
 transport input ssh
!
ntp clock-period 17180663
ntp server 129.6.15.29 source FastEthernet0/0 prefer
!
end
Reply to
S Reese

Would some type of access list allow for the VPN network 192.168.0.X to communicate with the network 172.16.X.X and vice versa?

Reply to
S Reese

Check split tunneling under the CISCO site.

This will solve your problem.

Thx

S Reese wrote:

Reply to
Nyerere

I had split tunneling enabled, and clients connected to the VPN via the internal LAN could connect to the internal LAN hosts, but the remote clients, those on a different subnet, could not connect to the internal LAN hosts, and that is what I'm trying to achieve. So I decided to do away with the ACL(s) that invoked split tunneling. I figured there has to be a way to allow remote users connecting from any IP to connect to the internal LAN if they are authenticated VPN users.

Reply to
S Reese
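One cause consistent with the symptoms in the posted config (the router's own 172.16.2.1 answers, hosts behind it do not) is the NAT rule: `access-list 111 permit ip 172.16.0.0 0.0.255.255 any` has no exemption for the VPN_POOL addresses, and in IOS inside-to-outside NAT runs before encryption, so a LAN host's reply to a VPN client is translated to the FastEthernet0/0 address before it is encrypted, while router-originated replies are never translated. The fragment below is an added example, not from the thread, that exempts the pool from translation; it assumes VPN_POOL stays at 192.168.0.50-100 inside 192.168.0.0/24 and that NAT is still driven by `ip nat inside source list 111 ... overload`.

```cisco
! Added example, not part of the thread. Assumes VPN_POOL remains
! 192.168.0.50-192.168.0.100 and the NAT statement still references list 111.
!
! Before (as posted): everything sourced from 172.16.0.0/16 is translated,
! including replies to VPN clients, which then arrive encrypted but with the
! router's outside address as source and are discarded by the client.
!   access-list 111 permit ip 172.16.0.0 0.0.255.255 any
!
! After: a numbered ACL cannot be reordered in place, so rebuild 111 with the
! pool exemption first. In a NAT ACL, "deny" means "do not translate", not "drop".
configure terminal
 no access-list 111
 access-list 111 remark LAN -> VPN client pool must stay untranslated
 access-list 111 deny   ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 access-list 111 permit ip 172.16.0.0 0.0.255.255 any
end
!
! Flush translations created under the old ACL so the exemption applies now.
clear ip nat translation *
!
! Checks: no translation for a LAN host talking to a 192.168.0.x client ...
show ip nat translations
! ... and the client SA's "pkts encaps" counter should now rise with "pkts decaps".
show crypto ipsec sa
```

`clear ip nat translation *` drops every active translation, so run it when the interruption to Internet-bound sessions is acceptable.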

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.