Cisco VPN Client to Router, cannot see internal LAN

[trismegistus]

Hi


I am connecting to a 2621XM router over dial-up, using the Cisco vpn client. I can connect and I can ping the internal router interface, but I can't do anything else on the local LAN. I cannot http into the router and cannot get to an ftp server internally.

This is a simple setup as its only a test network. There are two internal machines with static IP and the client gets a third address from within the same subnet as the two machines.

I have seen similar problems to mine but they don't seem to have an answer that works for me. I have posted this problem elsewhere and got zero replies, so any help/suggestions at all would be really appreciated.

 

[ChicagoTechNet]

sounds like name resolution issue. quoted from

http://www.chicagotech.net/

How to add DNS and WINS into your Cisco VPN server

If your VPN client cannot find servers or cannot ping computernmae, you may need to add DNS and WINS into your VPN server. For example, to add DNS and WINS on a Cisco Firewall PIX, add vpdn group 1 client configuation dns dnsservername and vpdn group 1 client configuration wins winsservername..


Robert Lin, MS-MVP, MCSE & CNE
Windows, Network, Internet, VPN, Routing and How to at

http://www.ms-mvps.com

 

[trismegistus]

Hi chicagotechnet

It keep coming back to wins. I have been told by someone at Cisco that this may be the issue, but why would I not be able to ping by IP address? Surely there are small companys that don't use wins servers?

The comment I got from Cisco was that the chap there didn't have this problem as he used Linux! So he isn't using wins either. It gets more confusing.

 

[ChicagoTechNet]

OK, if you can't ping the ip, this could be the routing issue. PIX must point to the inside LAN.

Robert Lin, MS-MVP, MCSE & CNE
Windows, Network, Internet, VPN, Routing and How to at

http://www.ms-mvps.com

 

[chicocouk]

There is no PIX in this scenario.

The problem here is that you are bringing the vpn client in on the same subnet as the local lan. You're not supposed to do that. You should bring it in on a different (private) range, and if necessary, configure acls to allow traffic between those two ranges.

This doc gives an example;

http://www.cisco.com/en/US/products...s_configuration_example09186a00801c4246.shtml

The thing to notice here is that the local range behind the router is 14.38.0.0/16 but the vpn client users are brought in onto a range of 14.1.1.100 - .200 (look for the "ip local pool ippool 14.1.1.100 14.1.1.200" command in the config. That's the range they come in on.

You don't have a wins problem, you have a routing issue. If you change that one line in your config, depending on your acls, things will probably work fine.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP

 

[trismegistus]

Hi chicocouk

Thanks for that, thanks everyone for that matter.

Just one more question. If I use access-lists to allow traffic between the two pools of addresses, where would I apply my access-list?

In return you can ask me any question about the CCSP exams and i'll help. I finished it last month (yeah, I know I should have known this one myself but what can I say)