How do I get VPN subnet to talk to the LAN subnet? Cisco 871W

Mar 31, 2009
I have a Cisco 871W VPN router
I have two subnets that need to talk to each other

1. 192.168.10.0/24
2. 192.168.20.0/24

The first one is the LAN
The second one is the VPN

I can ping by number and name between subnets, but my Windows computers are not able to browse to network resources such as shared folders etc.
However, I am able to browse to my Linux shared folders.

This router had been configured by a previous person who has since left the company.

Can anyone help me figure out how to configure IPSec settings (or whatever is preventing communication) to allow my Windows computers to talk nicely between subnets?

The current config does not have a firewall enabled. But most of the services are turned off.

The VPN Config is an IPSec Site-To-Site setup.

Any help is much sought after and appreciated. Thanks!
 
Okay, so given the config above, what command would I use to make the following changes?

FROM

192.168.10.0/24
192.168.20.0/24

TO

192.168.10.0/19
192.168.20.0/19
 
Minue, no need to pass broadcasts; the traffic is not going through the router, because the networks are directly connected.

The nonat acl needs to be

deny ip any 192.168.20.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any

Burt
 
Burt, am I missing something here? In his post he said it's a site-to-site VPN. The 192.168.10.0 is the local subnet on the 871W, then he's trying to talk to the 192.168.20.0 on the remote end. This doesn't seem like directly connected. Correct me if I am wrong.

Regards
 
Looks like a remote access to me...

Also, get rid of
acl 101
under
crypto isakmp client configuration group Default

You also need

crypto isakmp policy 1
reverse route

Burt
 
Thanks Burt!! Taking a careful look at the conf, it does look like a remote access.

UserDude29, can you please clarify if the remote clients are using Cisco VPN clients to VPN into the main site.
Regards
 
Yes, we use the Cisco VPN client software to connect to the main site.
SDM indicates that it's a site-to-site setup, but not sure where it says that in the config above.
Burt, can you explain why the changes you suggested are necessary? Thank you.
 
Thanks for all the input. I tried some of the suggestions above to no avail.... I guess it's time to foot the bill and renew my support contract and get this thing reconfigured....
 
Hello
Sorry we couldn't help. Anyway, Cisco isn't going to be a big help because this is a NetBIOS thing. This protocol uses broadcast on the local subnet and it doesn't route. I did some poking around on the web, and it seems that there are a few work-arounds. In any case these aren't scalable solutions; it would be best to use a dedicated file server, Linux or Windows 2000/2003, to make your life easier.
Regards
 
You guys are probably going to be surprised, but after changing the scope on the XP SP3 firewall printer and file sharing exceptions to allow any (even Internet) computer to connect, I was able to map to the share on the XP computer. Now, granted it is a workaround, but it works for me! So now I just have to add a hosts file to each of the VPN clients and everything will be as normal. Maybe they are not on two different subnets after all?

192.168.10.0/255.255.255.0
192.168.20.0/255.255.255.0

I guess this is a class C address with the 168 subnet?
DHCP on the router uses 192.168.10.120 - 192.168.10.199 for local addresses
VPN uses 192.168.20.101 - 192.168.20.110

Anyhow thanks for all your brain power in helping me think this through....
 
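The workaround above opens the XP SP3 File and Printer Sharing exception to any address, Internet included. As an added example (not from the original thread), the same exception can be enabled with its scope limited to the LAN and the VPN client pool 192.168.20.0/24 named in the thread, using the XP-era netsh firewall context; the subnet is taken from the thread, the commands assume an administrator cmd prompt on each XP machine.

```batch
@echo off
REM Weak setting, equivalent to what the thread describes: the exception
REM answers to ANY source address, including anything on the Internet.
REM netsh firewall set service type = FILEANDPRINT mode = ENABLE scope = ALL

REM Corrected setting: same exception, reachable only from the machine's own
REM subnet (LocalSubnet = 192.168.10.0/24 here) and from the VPN client pool.
REM Subnet taken from the thread; adjust if your address plan differs.
netsh firewall set service type = FILEANDPRINT mode = ENABLE scope = CUSTOM addresses = LocalSubnet,192.168.20.0/255.255.255.0

REM Verify: FILEANDPRINT should now show Scope = Custom with the two entries above.
netsh firewall show service
```

Mapping by IP address or via a hosts entry still works from the VPN pool with this scope, while hosts elsewhere get no answer on the SMB/NetBIOS ports.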
Hello
That's cool! But normally, without opening the scope, you should be able to map files or use \\192.168.1.1\shares. The real problem is that you can't browse my network.
In theory you are on different subnets, but in reality the router loops the VPN subnets to allow communication with the real subnet.
Regards
 
Yes, I was able to map with the number, but that won't work for the current setup, so a hosts file is the way to go... thanks again!
 