
Cisco VPN Client with local LAN access

Status
Not open for further replies.

wampa (MIS, US), Aug 7, 2002
I've got my PIX 515 all set up for VPNs to both another PIX and VPN clients. It is all working, except for one small bit: the users of the Cisco clients want to be able to access their own local LAN and the VPN LAN at the same time.

I've pored over Tek-Tips (and search is down) and Cisco's web site all weekend, and I can't even find anything to point me in the right direction.

My config is listed below:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********* encrypted
passwd ********* encrypted
hostname &&&PIX
domain-name ******.org
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 172.16.0.0 stuff2
name aa.aa.193.69 stuff
access-list inside_outbound_nat0_acl permit ip 172.25.0.0 255.255.0.0 bbb.bbb.250.0 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 172.26.0.0 255.255.0.0 bbb.bbb.250.0 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 172.27.0.0 255.255.0.0 bbb.bbb.250.0 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 172.22.0.0 255.255.0.0 bbb.bbb.250.0 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 10.22.20.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 172.22.0.0 255.255.0.0 host stuff
access-list inside_outbound_nat0_acl permit ip 172.25.0.0 255.255.0.0 host stuff
access-list inside_outbound_nat0_acl permit ip stuff2 255.255.0.0 host stuff
access-list outside_cryptomap_20 permit ip 172.25.0.0 255.255.0.0 bbb.bbb.250.0 255.255.255.240
access-list outside_cryptomap_20 permit ip 172.26.0.0 255.255.0.0 bbb.bbb.250.0 255.255.255.240
access-list outside_cryptomap_20 permit ip 172.27.0.0 255.255.0.0 bbb.bbb.250.0 255.255.255.240
access-list outside_cryptomap_20 permit ip 159.139.0.0 255.255.0.0 bbb.bbb.250.0 255.255.255.240
access-list outside_cryptomap_20 permit ip 172.22.0.0 255.255.0.0 bbb.bbb.250.0 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 10.22.20.0 255.255.255.224
access-list outside_cryptomap_40 permit ip 172.22.0.0 255.255.0.0 host stuff
access-list outside_cryptomap_40 permit ip 172.25.0.0 255.255.0.0 host stuff
access-list outside_cryptomap_40 permit ip stuff2 255.255.0.0 host stuff
pager lines 24
logging on
logging console warnings
logging buffered warnings
logging trap warnings
logging history warnings
logging host inside 172.22.12.121
logging host inside 172.22.12.138
no logging message 106010
no logging message 106011
interface ethernet0 10baset
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside ccc.ccc.ccc.6 255.255.255.0
ip address inside 172.22.20.2 255.255.252.0
ip audit info action alarm
ip audit attack action alarm
ip local pool quadpool 10.22.20.10-10.22.20.20
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
route inside 10.0.0.0 255.0.0.0 172.22.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer bbb.bbb.244.23
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer stuff
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address bbb.bbb.244.23 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address stuff netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 1
isakmp policy 40 lifetime 28800
vpngroup vpn3000 address-pool quadpool
vpngroup vpn3000 dns-server 172.27.16.100
vpngroup vpn3000 wins-server 172.27.16.100
vpngroup vpn3000 default-domain ******.org
vpngroup vpn3000 split-tunnel outside_cryptomap_dyn_20
vpngroup vpn3000 pfs
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
terminal width 80
 
Hi.

What is the version of the Cisco VPN software client?
What is the client OS version?

Anyway, press "Options" - "Properties" at the VPN dialer (client), and select "Allow local LAN access".
It is disabled by default.

Or have you done that already?

Try also to play with the "Stateful Firewall" option at the client.

Bye
Yizhar Hurwitz
 
The Cisco client software versions are 3.5.4 and 3.6.3. I don't have control of what version they run. I have tested with my own equipment running 3.6.1 on XP, and no luck.

Allow Local LAN Access is checked on my setup, and Stateful Firewall is allegedly off too.

Still no access to the local LAN.
 
I am having the same problem. Did you ever come up with a solution?
 
Wampa,

Perhaps the problem is with this access-list...

access-list outside_cryptomap_dyn_20 permit ip any 10.22.20.0 255.255.255.224

Try making it more specific, for example...

access-list outside_cryptomap_dyn_20 permit ip 172.22.20.0 255.255.252.0 10.22.20.0 255.255.255.224

----

Sunyasee
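To see why Sunyasee's change matters, here is an added example (not from the thread or from Cisco) that parses the split-tunnel ACL the way the PIX pushes it to the client: the source of each permit entry becomes a "secured route", and the client tunnels every destination covered by those routes. The local-LAN host 192.168.1.20 and the inside hosts used below are constructed values.

```python
import ipaddress

# Constructed samples: the split-tunnel ACL from wampa's config and Sunyasee's tighter version.
ORIGINAL_ACL = [
    "access-list outside_cryptomap_dyn_20 permit ip any 10.22.20.0 255.255.255.224",
]
SPECIFIC_ACL = [
    "access-list outside_cryptomap_dyn_20 permit ip 172.22.20.0 255.255.252.0 10.22.20.0 255.255.255.224",
]


def _parse_addr(tokens):
    """Consume one PIX address spec ('any', 'host A', or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts dotted netmasks in the prefix position.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def secured_routes(acl_lines):
    """Networks the client will route into the tunnel.

    The split-tunnel ACL is written from the PIX's point of view, so the
    *source* of each permit line is the protected network pushed to the client.
    """
    routes = []
    for line in acl_lines:
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] != "permit":
            continue
        src, _ = _parse_addr(tokens[4:])  # tokens[3] is the protocol ('ip')
        routes.append(src)
    return routes


def goes_through_tunnel(routes, destination):
    """True if the client would send traffic for `destination` into the VPN."""
    dst = ipaddress.ip_address(destination)
    return any(dst in net for net in routes)


def local_lan_reachable(acl_lines, local_host):
    """'Allow local LAN access' only works for hosts NOT covered by a secured route."""
    return not goes_through_tunnel(secured_routes(acl_lines), local_host)
```

With `permit ip any ...` the client receives 0.0.0.0/0 as a secured route, so the local LAN checkbox has nothing left to exempt; with the narrowed ACL only the listed inside networks are tunnelled, so each inside network the clients must reach needs its own permit line.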
 