
connected to vpn but cannot access internal LAN


  • connected to vpn but cannot access internal LAN

    i presume it's a natting issue?! or not.. any hint? the thing is that i already have an easy vpn server set up on another interface, and when creating this new easy vpn server i just used the same config as the old one. i could connect normally, though i can't access my LAN... which is weird given the fact that natting for the VPN private network is already made and working properly (for the old vpn)

  • #2
    Re: connected to vpn but cannot access internal LAN

    Can you ping any clients by IP on the LAN? Have you checked whether your client has been allocated an appropriate DNS server and IP address on the VPN connection?



    • #3
      Re: connected to vpn but cannot access internal LAN

      hey thanks for the reply.. well ya actually everyone on my lan is pingable.. everything's working fine.. but it's only when i get outside my lan and try to connect with vpn.. that i can't reach any of the internal LAN ips..



      • #4
        Re: connected to vpn but cannot access internal LAN

        Have the computers outside been allocated an IP address on your LAN or another subnet? It sounds to be a routing issue.



        • #5
          Re: connected to vpn but cannot access internal LAN

          when i connect with my cisco vpn client.. i check my ipconfig output.. cisco local adapter gets assigned my vpn's ip which is 10.10.10.0/24 though with no gateway.. but when i route print i see that traffic destined to my lan (subnet 192.168.0.0/24) has the 10.10.10.X ip as gateway..



          • #6
            Re: connected to vpn but cannot access internal LAN

            Originally posted by silent:
            when i connect with my cisco vpn client.. i check my ipconfig output.. cisco local adapter gets assigned my vpn's ip which is 10.10.10.0/24 though with no gateway.. but when i route print i see that traffic destined to my lan (subnet 192.168.0.0/24) has the 10.10.10.X ip as gateway..

            On the client side...not seeing the default gateway is normal.

            Just guessing without seeing the config...perhaps you are missing "interesting traffic" specified in your encrypt acl or possibly routing. If you can post a config I'm sure we can drill down into the issue.



            • #7
              Re: connected to vpn but cannot access internal LAN

              Hi all,

              at the moment I'm trying to get a Cisco Easy VPN Server working. I can connect and ping the local IP address of the Cisco router on which the Easy VPN Server is running, so I'm in the correct subnet. However, I cannot ping other hosts in that subnet.

              Any help is appreciated!

              Regards,

              rjh
              Last edited by rjh; 18th April 2009, 12:46.



              • #8
                Re: connected to vpn but cannot access internal LAN

                so via the VPN, you cannot ping the lan clients ?
                are you using hostnames or ips ? i know we have to use either FQDNs or ip addresses via our vpn.

                (I also know that our vpn is broken cause of nat, but that's another issue all together.)


                of course, if you meant that when connected to the vpn, you cannot connect to a server that has a port-forwarded NAT entry, then yes, i know this issue.. but haven't been able to resolve it yet



                • #9
                  Re: connected to vpn but cannot access internal LAN

                  When you run a tracert to an internal ip address is it going through the vpn interface or the physical NIC interface?



                  • #10
                    Re: connected to vpn but cannot access internal LAN

                    Thanks for your quick replies. I did some small tests, but first I'll give you my network scenario.

                    VPN connection initiator IP address: 192.168.200.110
                    Cisco 871 WAN IP address: 192.168.200.201
                    Cisco 871 LAN IP address: 192.168.10.1
                    Cisco 871 LAN Server IP address: 192.168.10.100

                    When I set up the VPN connection to the router's WAN IP address (192.168.200.201) from a machine in the router's WAN with IP address 192.168.200.110, I can ping the router's inside interface (192.168.10.1). However, I cannot ping a server in the router's LAN subnet (i.e., with IP address 192.168.10.100). When I do a traceroute to the server's IP address, I get the following results:

                    traceroute to 192.168.10.1 (192.168.10.1), 64 hops max, 40 byte packets
                    1 192.168.200.201 (192.168.200.201) 1.835 ms 1.768 ms *
                    2 * * *
                    3 * * *
                    4 * * *

                    So it gets to the router but then it gets stuck.

                    @tehcamel, I indeed try to connect to a server (192.168.10.100) which has a portforwarded NAT entry. This means that I can connect to that server from the WAN without VPN.

                    I also found out something different. In the above scenario I set the Virtual Tunnel Interface in my Cisco router to "Unnumbered to FastEthernet4". When I change this to "Unnumbered to VLAN1", I get the following results when I do a traceroute to my server in the LAN (192.168.10.100):

                    traceroute to 192.168.10.100 (192.168.10.100), 64 hops max, 40 byte packets
                    1 192.168.10.1 (192.168.10.1) 1.848 ms 1.723 ms 1.692 ms
                    2 * * *
                    3 * * *
                    4 * * *

                    This last result seems to be better to me, because the traffic is routed to the server's default gateway, instead of to the router's WAN interface. However, in my opinion the default gateway shouldn't be mentioned in the traceroute at all. Since I'm already in the same subnet, it shouldn't have to go over the default gateway.

                    I hope you can help me to get any further with this issue.

                    Regards,

                    rjh
                    Last edited by rjh; 18th April 2009, 12:45.



                    • #11
                      Re: connected to vpn but cannot access internal LAN

                      What subnet mask are you using on these interfaces? Also, can you post the routing table from the router?



                      • #12
                        Re: connected to vpn but cannot access internal LAN

                        The VLAN1 interface has subnet mask "255.255.255.0", just as the FastEthernet4 interface. The subnet mask entered in the corresponding Easy VPN Server Group Policy is also "255.255.255.0".

                        Momentarily I have 4 NAT Translation rules:

                        192.168.10.0-192.168.10.255 -> FastEthernet 4 [Dynamic, defined by SDM]
                        192.168.10.100 (25) -> FastEthernet4 (25) [Static, User Defined]
                        192.168.10.100 (80) -> FastEthernet4 (80) [Static, User Defined]
                        192.168.10.100 (993) -> FastEthernet4 (993) [Static, User Defined]

                        I hope this is enough information for you. If not, please do not hesitate to ask!



                        • #13
                          Re: connected to vpn but cannot access internal LAN

                          Hi,

                          for completeness, here's also my routing table:

                          C 192.168.10.1/24 is directly connected, VLAN1
                          C 192.168.200.0/24 is directly connected, FastEthernet4
                          S* 0.0.0.0/0 [254/0] via 192.168.200.1

                          Regards,

                          rjh



                          • #14
                            Re: connected to vpn but cannot access internal LAN

                            Are you connecting via Cisco VPN Client? If so, then you have to add the reverse-route command on the router to enable your internal network to be accessible from the outside world.

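Added example, not part of any poster's reply: a longest-prefix-match lookup over the routing table from post #13, showing where the router would send return traffic for a VPN client before and after a host route of the kind reverse-route injection installs. The client address 10.10.10.5 (borrowed from the pool mentioned in post #5, a different poster's setup) and the interface name Virtual-Access2 are assumptions.

```python
import ipaddress

# Routing table as posted in #13. The connected entry is written with host
# bits set (192.168.10.1/24), so prefixes are parsed with strict=False.
ROUTES = [
    ("192.168.10.1/24", "VLAN1"),
    ("192.168.200.0/24", "FastEthernet4"),
    ("0.0.0.0/0", "via 192.168.200.1"),
]


def lookup(routes, dst):
    """Longest-prefix match: return (network, exit) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, exit_ in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, exit_)
    return best


def with_reverse_route(routes, client_ip, tunnel):
    """Copy of the table plus a /32 for the connected client, pointing into
    the tunnel (interface name is an assumption, not from the thread)."""
    return routes + [(f"{client_ip}/32", tunnel)]


def return_path(routes, client_ip):
    """Describe where a LAN host's reply to the VPN client leaves the router."""
    hit = lookup(routes, client_ip)
    if hit is None:
        return f"{client_ip}: no route, reply dropped"
    net, exit_ = hit
    return f"{client_ip}: matched {net}, sent {exit_}"


if __name__ == "__main__":
    client = "10.10.10.5"  # constructed sample address (assumption)
    print(return_path(ROUTES, client))
    print(return_path(with_reverse_route(ROUTES, client, "Virtual-Access2"), client))
    # A pool address inside the LAN subnet matches the connected VLAN1 route.
    print(return_path(ROUTES, "192.168.10.50"))
```

Without the host route, the reply to the client matches only the default route and leaves via 192.168.200.1 instead of the tunnel.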


                            • #15
                              Re: connected to vpn but cannot access internal LAN

                              Just confirm for me: are you using Cisco NAC as a VPN server or not?

                              Cheers
                              DT
