
How do I get VPN subnet to talk to the LAN subnet? Cisco 871W

Mar 31, 2009
I have a Cisco 871W VPN router
I have two subnets that need to talk to each other

1. 192.168.10.0/24
2. 192.168.20.0/24

The first one is the LAN
The second one is the VPN

I can ping by number and name between subnets but my windows computers are not able to browse to network resources such as shared folders etc.
However, I am able to browse to my Linux shared folders.

This router had been configured by a previous person who has since left the company.

Can anyone help me figure out how to configure IPSec settings (or whatever is preventing communication) to allow my windows computers to talk nicely between subnets.

The current config does not have a firewall enabled. But most of the services are turned off.

The VPN Config is an IPSec Site-To-Site setup.

Any help is much sought after and appreciated. Thanks!
 
I don't think it's a name resolution thing because even when I try to map by IP (which I can ping from the other subnet) it cannot find the host. I've added host names and numbers to my hosts file and I can ping by name now but still can't browse to it. What will WINS do that DNS doesn't? I don't have a WINS server, I'll try enabling NetBIOS over TCP/IP....
 
You will have to post the configuration from both devices to be able to assist you further. By default piped names such as file shares use WINS and NetBIOS and not DNS.
 
Hello
You will have to play around with the ip address-helper command.

Regards
 
Okay, that makes sense, I'll look into those things. This just popped into my head. What if I just change the subnet mask for the DHCP scope from 255.255.255.0 to 255.255.0.0? Or will that cause problems by expanding the broadcast domain? It's a very small network < 35 users on the LAN and < 10 users on VPN at any one time....
 
Hello
No need to change the scope. The reason for the ip address-helper command is to get the router to send NetBIOS packets which are used to browse the network.
Regards
 
Are these remote IP addresses for their respective LAN? Are these NATted somewhere? What does your access list look like to allow UNC?
 
Well what is really weird is that after I connect the VPN I can connect to the windows server (actually XP Pro) with Remote Desktop Connection just fine, but can't browse to any share on the server.....
NAT has been configured at some level but not sure at what level... the UNC path fails.
For some reason I am a little wary of posting the config of the router, security concerns.....
 
Make sure the VPN subnet(s) is/are excluded from the NAT acl/route map. That's what the problem sounds like to me...

Burt
 
Hi Burt
It's the "ip helper" thing. If you connect 2 subnets with a router it will block the NetBIOS port. The same is valid for going across the WAN.
Regards
 
So I looked for the 'IP helper' command and there doesn't appear to be a command like that. I am running IOS 12.4(4)T7. Does my version of IOS support that command?
 
Am I missing something or is it as easy as changing the net mask to 255.255.128.0 or something like that?

[the other] Bill
 
Sorry, the 'ip helper' was for Burt. I did write the right command in my former post:

ip address-helper

Sorry again.
 
That command didn't work either with syntax: ip address-helper
It returned this comment: Invalid input detected at '^' marker.
Then it put a ^ under the 'p' in 'ip'....
So I don't think it likes that command....
 
By the way, anyone know what exactly the negative effects might be if I change the net mask like silverhairb had mentioned? Usually the easy fixes cause bigger headaches....
 
Okay I'm going to venture outside my comfort zone and post the config, all the uniquely identifiable information has been *'d out just in case there is anyone out there that has a mean streak in them....
I'm assuming that the issue has something to do with the line that says:

'ip access-list extended nonat
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255'

Just glancing at it, it looks like that might be a problem, but I'm no expert at this stuff (maybe someday).
Here's the config..... Any insight would be awesome! Thanks in advance!

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2009.04.02 11:37:45 =~=~=~=~=~=~=~=~=~=~=~=
login as: *****
CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!*****@*s password:

*****#show config
Using ***** out of ***** bytes
!
! Last configuration change at 15:07:40 PCTime Sun Mar 22 2009 by *****
! NVRAM config last updated at 15:07:53 PCTime Sun Mar 22 2009 by *****
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret ******
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login *****
aaa authentication login *****
aaa authentication login *****
aaa authentication login *****
aaa authorization *****
aaa authorization *****
aaa authorization *****
aaa accounting *****
rad_acct
!
aaa session-id common
!
resource policy
!
clock timezone *****
clock summer-time ***** date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.119
ip dhcp excluded-address 192.168.10.200 192.168.10.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.10.0 255.255.255.0
dns-server 192.168.10.1 ***** *****
default-router *****
!
!
ip tcp synwait-time 10
no ip bootp server
ip name-server *****
ip name-server *****
ip name-server *****
ip name-server *****
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint *****
enrollment selfsigned
subject-name cn=*****
revocation-check none
rsakeypair *****
!
!
crypto pki certificate chain *****
certificate self-signed 01 nvram:*****
username *****
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group Default
key *****
pool SDM_POOL_1
acl 101
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group Default
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address *****
ip access-group sdm_fastethernet4_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers tkip
!
ssid *****
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 *****
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel *****
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1200
bridge-group 1
!
interface Dialer0
no ip address
no cdp enable
!
interface BVI1
description $ES_LAN$
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1200
!
ip local pool SDM_POOL_1 192.168.20.101 192.168.20.110
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list nonat interface FastEthernet4 overload
!
ip access-list extended nonat
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
remark
deny ip host 192.168.1.3 any
permit ip any any
permit esp any any
permit icmp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
no cdp run
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175027
ntp server 64.202.112.75 source BVI1
end
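Burt's advice earlier in the thread (make sure the VPN subnet is excluded from the NAT ACL) and the poster's suspicion about the `deny` line in the `nonat` list can both be checked mechanically rather than by eye. The following Python is an added example, not code from the thread or from any Cisco tool: it models how IOS evaluates an extended access list (top-down, first match wins, wildcard-mask semantics, implicit deny at the end) over the `nonat` list exactly as posted, reports which flows the `ip nat inside source list nonat ...` statement would translate, and flags entries that can never match because an earlier line already covers them. The ACL text is copied from the posted config; the sample flows and the 203.0.113.10 address are constructed for the demonstration. Only the `proto src dst` form of ACL entry is parsed, since that is all the posted list uses.

```python
import ipaddress
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF

# Constructed input: the "nonat" access list exactly as posted in the thread.
# It is referenced by "ip nat inside source list nonat interface FastEthernet4
# overload", so a matching "permit" means "translate this flow" and a matching
# "deny" means "leave it untranslated" (the NAT exemption Burt refers to).
NONAT_ACL = """
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
remark
deny ip host 192.168.1.3 any
permit ip any any
permit esp any any
permit icmp any any
"""

# An address spec is (base, wildcard) as 32-bit ints; wildcard bits set to 1
# are "don't care" bits, which is how IOS interprets them.
AddrSpec = Tuple[int, int]
Entry = Tuple[str, str, AddrSpec, AddrSpec]  # (action, protocol, src, dst)


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i].
    Returns the spec and the index of the next unread token."""
    tok = tokens[i]
    if tok == "any":
        return (0, MASK32), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wildcard), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse the body of an IOS extended ACL in the 'action proto src dst'
    form. 'remark' lines carry no rule and are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append((action, proto, src, dst))
    return entries


def _matches(spec: AddrSpec, ip: str) -> bool:
    base, wildcard = spec
    return (int(ipaddress.IPv4Address(ip)) | wildcard) == (base | wildcard)


def first_match(entries: List[Entry], proto: str, src_ip: str, dst_ip: str) -> Tuple[Optional[int], str]:
    """IOS semantics: top-down, first matching entry wins, and an implicit
    'deny ip any any' follows the last line. Returns (1-based line, action)."""
    for n, (action, aproto, src, dst) in enumerate(entries, start=1):
        if aproto in ("ip", proto) and _matches(src, src_ip) and _matches(dst, dst_ip):
            return n, action
    return None, "deny"


def is_translated(entries: List[Entry], proto: str, src_ip: str, dst_ip: str) -> bool:
    """True if the NAT statement would translate this flow, False if it is exempt."""
    return first_match(entries, proto, src_ip, dst_ip)[1] == "permit"


def _covers(a: AddrSpec, b: AddrSpec) -> bool:
    """Every address matching spec b also matches spec a."""
    a_base, a_wc = a
    b_base, b_wc = b
    fixed = ~a_wc & MASK32  # the bits that spec a actually compares
    return (b_wc & fixed) == 0 and (a_base & fixed) == (b_base & fixed)


def shadowed_entries(entries: List[Entry]) -> List[int]:
    """1-based numbers of entries that can never match because an earlier
    entry already covers every packet they describe."""
    out = []
    for n, (_, proto, src, dst) in enumerate(entries, start=1):
        for _, eproto, esrc, edst in entries[: n - 1]:
            if eproto in ("ip", proto) and _covers(esrc, src) and _covers(edst, dst):
                out.append(n)
                break
    return out


if __name__ == "__main__":
    acl = parse_acl(NONAT_ACL)
    for proto, s, d in [("tcp", "192.168.10.50", "192.168.20.105"),
                        ("tcp", "192.168.10.50", "203.0.113.10")]:
        line, action = first_match(acl, proto, s, d)
        print(f"{s} -> {d}: line {line} {action}; translated={is_translated(acl, proto, s, d)}")
    print("shadowed entries:", shadowed_entries(acl))
```

Run against the posted list, LAN-to-VPN-pool traffic (192.168.10.x to 192.168.20.101-110) hits the first `deny` and is left untranslated, which is the exemption pattern Burt describes, while LAN-to-Internet traffic hits the second line and is translated. The trailing `permit esp any any` and `permit icmp any any` lines are reported as shadowed by `permit ip any any`; they are harmless clutter. In other words the `nonat` list does what a NAT exemption should, so this check does not point at that line as the cause of the browsing failure.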
 
I can't think of any negative effects. But the net mask needs to be changed in the clients as well. That way they will know that the .10 and .20 devices are on the same subnet.

[the other] Bill
 
I have to follow-up the previous post by saying that I've never worked with VPNs.

That said, you could define the two as:

192.168.10.0/19
192.168.20.0/19

[the other] Bill
 
Hello
The command is an interface command. You need to put it under the interface that will turn the broadcast into a unicast and send it to the remote router; you may need to do it on both sides.

Router(config-if)#ip helper-address

Regards


 