Cisco VPN will not connect to Internal Network

  • Cisco VPN will not connect to Internal Network

    I can connect via a VPN from the outside and can connect to the outside world from the inside network. However, the Microsoft VPN network cannot connect to the internal network. Below is the main configuration (it is a Cisco 800 series):
    aaa new-model
    !
    aaa authentication ppp default local
    aaa authorization network default if-authenticated
    !
    aaa session-id common
    clock timezone PCTime -6
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    !
    crypto pki trustpoint TP-self-signed-434790245
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-434790245
    revocation-check none
    rsakeypair TP-self-signed-434790245
    !
    crypto pki certificate chain TP-self-signed-434790245
    certificate self-signed 01 nvram:IOS-Self-Sig#4.cer
    no ip source-route
    ip dhcp excluded-address 192.168.0.2
    !
    ip dhcp pool sdm-pool1
    import all
    network 192.168.0.0 255.255.0.0
    default-router 192.168.0.2
    !
    ip cef
    no ip bootp server
    ip domain name xxxx-inc.com
    ip name-server 192.168.0.109
    !
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    local name xxxx-vpn
    !
    username xxxx privilege 15 secret 5 $1$ctCX$cMy6oTMvOPVI0qc/HUFOA0
    username admin privilege 15 password 7 12415015170A1E17
    !
    archive
    log config
    hidekeys
    !
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    description $ES_WAN$$FW_OUTSIDE$
    ip address 10.1.10.198 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface Virtual-Template1
    ip unnumbered FastEthernet0
    peer default ip address pool VPN-IN
    ppp encrypt mppe 40 required
    ppp authentication ms-chap
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
    ip address 192.168.0.2 255.255.0.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    ip local pool VPN-IN 192.168.2.60 192.168.2.99
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.1.10.1
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source list 1 interface FastEthernet4 overload
    ip nat inside source static tcp 192.168.0.2 1723 interface FastEthernet4 1723
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.0.0 0.0.255.255
    no cdp run
    control-plane
    !
    banner exec ^C
    !
    end

  • #2
    Re: Cisco VPN will not connect to Internal Network

    Originally posted by clenz:
    However, the micsosoft VPN network cannot connect to the internal network
    Please clarify what this means.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



    • #3
      Re: Cisco VPN will not connect to Internal Network

      Just to clarify (I did not have enough space to post my original message): I have a Microsoft VPN client connecting to a Cisco 811. The connection is established and authentication is fine. It just can't connect to the internal network, which is local to the same router.

      The internal users connected to the domain server, which is local to the router on the inside network, can connect to the internet fine and mail is fine.

      Any help would be greatly appreciated. I am not a router guy and have tried various ACLs and other things.



      • #4
        Re: Cisco VPN will not connect to Internal Network

        Originally posted by clenz:
        It just can't connect to the internal network which is local to the same router
        Are you getting assigned an IP address in the same subnet as the network you are connecting to?

        Can you ping any hosts on the network? Keep in mind that pinging by hostname may not work, depending on the DNS settings. Try it by IP address and by FQDN.
        Gareth Howells




        • #5
          Re: Cisco VPN will not connect to Internal Network

          You need an ACL allowing the VPN pool to your internal network. Something like:
          access-list vpn-allow permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.0.0
          CCNA, Network+



          • #6
            Re: Cisco VPN will not connect to Internal Network

            I added two access-groups to the LAN interface (one in and one out) in order to allow my VPN 192.168.2.0 hosts to go in and out of the lan or VLAN1 interface 192.168.0.2 interface.

            Then I applied an extended access list - for each host.

            This still did not allow me to ping the 0.2 network from the 2.0 network.



            • #7
              Re: Cisco VPN will not connect to Internal Network

              The router itself, which has two interfaces 10.1.10.198 and 192.168.0.2, cannot ping a host on the VPN network side of the WAN, 192.168.2.60.

              Nothing works. I have tried a number of combinations, please help, please.



              • #8
                Re: Cisco VPN will not connect to Internal Network

                Well, time to go to another forum where there actually are Cisco experts



                • #9
                  Re: Cisco VPN will not connect to Internal Network

                  Sorry, I think I had my ACL backwards. Try it like this.
                  access-list vpn-allow permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0

                  Also.
                  nat (inside) 0 access-list vpn-allow

                  Give that a try and let us know.

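The ACL and `nat 0` suggestions in #5 and #9 are PIX/ASA syntax: IOS access lists take wildcard masks, and there is no `nat (inside) 0 access-list` statement in IOS. More to the point, traffic between a PPP client and Vlan1 never crosses the `ip nat outside` interface (FastEthernet4), so NAT exemption is not the missing piece. Two things in the configuration posted in #1 are worth checking first. `interface Virtual-Template1` is `ip unnumbered FastEthernet0`, and FastEthernet0 has no IP address anywhere in that config; the template needs to borrow from an interface that has one, such as Vlan1. And the `VPN-IN` pool 192.168.2.60 to 192.168.2.99 sits inside Vlan1's 192.168.0.0/16, so LAN hosts ARP for VPN clients as if they were local neighbours while Vlan1 is configured with `no ip proxy-arp`; the DHCP pool for 192.168.0.0/16 can also hand those same addresses to LAN hosts. The script below is an added example, not code from the thread: it runs those checks over a constructed excerpt of the posted config and over an assumed corrected version (the 172.16.2.0/24 pool range and the `REPLACE-ME` secret are placeholders I chose). It also flags the `password 7` line, because type-7 encoding is reversible, so a string posted publicly in that form should be treated as a disclosed credential and changed.

```python
"""Added example, not from the thread: static checks for the PPTP settings in
the config posted in #1, run on an excerpt of it and on an assumed fix."""
import ipaddress
import re

# Constructed excerpt of the config in post #1: only the lines the checks read.
POSTED = """\
username admin privilege 15 password 7 12415015170A1E17
interface FastEthernet0
!
interface Virtual-Template1
 ip unnumbered FastEthernet0
 peer default ip address pool VPN-IN
!
interface Vlan1
 ip address 192.168.0.2 255.255.0.0
 no ip proxy-arp
 ip nat inside
!
ip local pool VPN-IN 192.168.2.60 192.168.2.99
"""

# Assumed fix (mine, not the thread's): borrow Vlan1's address, move the pool
# outside 192.168.0.0/16, store a hashed secret. 172.16.2.x and REPLACE-ME are placeholders.
FIXED = """\
username admin privilege 15 secret 0 REPLACE-ME
interface Virtual-Template1
 ip unnumbered Vlan1
 peer default ip address pool VPN-IN
!
interface Vlan1
 ip address 192.168.0.2 255.255.0.0
 no ip proxy-arp
 ip nat inside
!
ip local pool VPN-IN 172.16.2.60 172.16.2.99
"""

def parse(text):
    """Split an IOS config into global lines and per-interface line lists."""
    cfg, current = {"global": [], "interfaces": {}}, None
    for line in text.splitlines():
        if not line.strip() or line == "!":
            current = None                      # '!' closes an interface block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            cfg["interfaces"][current] = []
        elif line.startswith(" ") and current is not None:
            cfg["interfaces"][current].append(line.strip())
        else:
            current = None
            cfg["global"].append(line.strip())
    return cfg

def addr_of(lines):
    """Return an interface's 'ip address A M' as an ip_interface, or None."""
    for line in lines:
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return None

def pools(cfg):
    """Map 'ip local pool NAME LOW HIGH' statements to (low, high) addresses."""
    out = {}
    for line in cfg["global"]:
        m = re.match(r"ip local pool (\S+) (\S+) (\S+)$", line)
        if m:
            out[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return out

def check(text):
    """Return (code, detail) findings: unnumbered source without an address,
    pool inside a LAN subnet (with proxy ARP off), reversible type-7 password."""
    cfg, findings = parse(text), []
    ifs = cfg["interfaces"]
    for name, lines in ifs.items():
        for line in lines:
            m = re.match(r"ip unnumbered (\S+)$", line)
            if m and addr_of(ifs.get(m.group(1), [])) is None:
                findings.append(("UNNUMBERED_NO_IP", f"{name} borrows from {m.group(1)}, which has no ip address"))
            m = re.match(r"peer default ip address pool (\S+)$", line)
            if not m or m.group(1) not in pools(cfg):
                continue
            low, high = pools(cfg)[m.group(1)]
            for other, olines in ifs.items():
                net = addr_of(olines)
                if net and low in net.network and high in net.network:
                    findings.append(("POOL_INSIDE_LAN", f"pool {m.group(1)} {low}-{high} lies inside {other} {net.network}"))
                    if "no ip proxy-arp" in olines:   # LAN hosts ARP for pool addresses; router stays silent
                        findings.append(("PROXY_ARP_OFF", f"{other} will not answer ARP for {low}-{high}"))
    for line in cfg["global"]:
        if re.search(r"\bpassword 7 \S+", line):     # type 7 is reversible encoding, not a hash
            findings.append(("TYPE7_PASSWORD", line.split(" password ")[0]))
    return findings

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        print(label, [f"{c}: {d}" for c, d in check(text)] or "clean")
```

Run it as a script to print both reports; pasting the full running config into `POSTED` extends the overlap check to every addressed interface on the box. Whichever fix is chosen for the pool, LAN hosts still reach the new range through their default gateway 192.168.0.2, which owns the host routes to each connected client, so no static routes are needed on the inside.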
