VPN routing issue

736xl

IS-IT--Management
Sep 14, 2005
89
US
I am not able to see the network when connected with Cisco VPN.
My internal network is 192.168.0.x, VPN gives 192.168.16.100-110 IP address.

When connected, I receive a correct address but I can't ping anything on the 0.x subnet.

Help would be greatly appreciated
 
Any chance you could give me the commands to enable the split tunnel? Thanks in advance.
 
braninms,

Come to think of it, I don't think I need the split tunnel enabled. I am not trying to get outside on the internet. All I want is to get to the main subnet. I thought Cisco recommends having the VPN IP pool on a different subnet than the main network for conflict purposes. I don't see why I can't put the VPN IP DHCP on the same subnet; no routing would be necessary.

Thanks
 
here is my show run

Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!

User Access Verification

Username: admin
Password:
Building configuration...

Current configuration : 5614 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xxx local
aaa authorization exec default local
aaa authorization network xxx local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -7
ip subnet-zero
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.151 192.168.0.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.0.0 255.255.255.0
dns-server 68.2.16.30 68.1.208.30
default-router 192.168.0.1
!
!
ip cef
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 68.2.16.30
ip name-server 68.1.208.30
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-89247421
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-89247421
revocation-check none
rsakeypair TP-self-signed-89247421
!
!
crypto pki certificate chain TP-self-signed-89247421
certificate self-signed 01
30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 38393234 37343231 301E170D 30323033 30313030 30353233
5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D383932 34373432
3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100E4A6
87A95BFA A7126A60 4DE967A4 729D5C53 6D9AB1C0 F8FB2EBA 6E9ABD3A 655DDAE6
F3A5F18C 2BB73324 E1FA2A23 5A5BE571 7211C149 84C8F6C5 347E6EF0 6E40C605
B725A75D A5DD23A1 11EECEB5 FD39D165 5EC1C93B FEBFD048 9989A77A 3E0CF72B
A0F7D15E EEA87852 C8E7A1A9 D7FB0367 484521A6 83DE09DB E8C9B831 C7350203
010001A3 7C307A30 0F060355 1D130101 FF040530 030101FF 30270603 551D1104
20301E82 1C637265 61746976 65736F75 6E642E79 6F757264 6F6D6169 6E2E636F
6D301F06 03551D23 04183016 80147FFA D364186E D512EF14 B92338DD F499B8F4
9108301D 0603551D 0E041604 147FFAD3 64186ED5 12EF14B9 2338DDF4 99B8F491
08300D06 092A8648 86F70D01 01040500 03818100 148C7600 9CEE07F8 648E7582
DCCD8A6B 1A76ABA4 7EDA97E9 9AB1EC7A 62CA66D9 1A520B3C 77EB39F6 6339EEE9
EC2AF098 1E99200D 1C9B5AF5 82229357 22A5C7D6 40437D1B 7AACB99C E2151568
AFC561B9 10F96E16 E45E4E11 4A9A890B BE845F99 0794C043 CA29F3ED A8DAAC24
7B6D7AB2 B18CCF7A ED0295E2 96EF21EE 587CF3BD
quit
username xxx privilege 15 secret 5 xxxxx
username xxx password 7 xxxxx
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group xxxx
key xxxx
dns 68.2.16.25
wins 192.168.0.1
pool ippool
acl 111
!
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map dynamic 10
set transform-set 3DES-MD5
!
!
crypto map mymap client authentication list xxxx
crypto map mymap isakmp authorization list xxxx
crypto map mymap client configuration address respond
crypto map mymap 65000 ipsec-isakmp dynamic dynamic
!
!
!
interface Loopback1
ip address 3.3.3.1 255.255.255.252
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address 24.249.178.140 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map mymap
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1380
!
ip local pool ippool 192.168.16.16 192.168.16.22
ip classless
ip route 0.0.0.0 0.0.0.0 24.249.178.129
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.170 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.0.170 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.0.5 1723 interface FastEthernet4 1723
ip nat inside source static tcp 192.168.0.5 25 interface FastEthernet4 25
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 111 permit ip 192.168.0.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 111 permit tcp any any eq 1723
access-list 111 permit gre any any
no cdp run
route-map redirect permit 10
match ip address 112
set ip next-hop 3.3.3.2
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

 
You need to change ACL 101 to the following

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
 
Brianinms,

Thanks for your post and info. I've had that before and it didn't work. I've placed the ACL back but it still doesn't work. I think there are routing issues. If I do a traceroute, I can't even get out of that subnet, i.e. if I do a traceroute to 192.168.0.1, I get *.

Thanks again.

 
What about just putting the VPN pool in the same pool as the DHCP-given addresses, but use a route map to NAT, and deny the VPN part in the route map so they don't get routed? That's what I do, and it works fine, but maybe I'm missing something here. Just a suggestion...

Burt
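To make the ACL 101 change suggested above and Burt's same-subnet route-map variant concrete, here is an added Python model of how IOS evaluates a NAT access-list (first match wins, wildcard masks, implicit deny at the end). It is not code from the thread or from Cisco. It assumes, as Cisco documents for the inside-to-outside path, that NAT translation is applied before the crypto map is consulted, so a LAN reply to a VPN client that is still permitted by the NAT ACL leaves with its source rewritten to the outside interface address and the client never sees an answer from the address it sent to. The LAN host 192.168.0.5 and the pool address 192.168.16.17 come from the posted config; the 192.168.0.200-207 same-subnet pool, the ACL 112 entries and the Internet address are constructed for the example.

```python
"""
Model of Cisco IOS first-match access-list evaluation, used to show why the
NAT overload ACL (101 in the thread) has to exclude LAN <-> VPN-pool traffic.
Added example, not part of the original thread. Sample addresses other than
those in the posted config are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    src: Tuple[str, str]        # (network, wildcard)
    dst: Tuple[str, str]


def _take_spec(tokens: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse 'access-list N permit|deny ip SRC DST' lines; remarks and
    non-'ip' protocols are skipped because they do not matter for NAT here."""
    aces = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        if tok[3] != "ip":
            continue
        src, rest = _take_spec(tok[4:])
        dst, _ = _take_spec(rest)
        aces.append(Ace(tok[2], src, dst))
    return aces


def nat_applies(acl: List[Ace], src: str, dst: str) -> bool:
    """First matching entry decides; the implicit deny at the end means
    'not translated'."""
    for ace in acl:
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action == "permit"
    return False


def reply_path(acl: List[Ace], lan_host: str, peer: str) -> str:
    """'nat' if the packet would be translated on the way out FastEthernet4,
    'ipsec' if NAT is skipped and the crypto map sees the original addresses."""
    return "nat" if nat_applies(acl, lan_host, peer) else "ipsec"


# ACL 101 exactly as posted: every LAN source gets translated, including
# traffic that should instead be encrypted towards a 192.168.16.x VPN client.
ACL101_ORIGINAL = parse_acl([
    "access-list 101 permit ip 192.168.0.0 0.0.0.255 any",
])

# ACL 101 as corrected in the reply above. The deny has to come first.
ACL101_FIXED = parse_acl([
    "access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.16.0 0.0.0.255",
    "access-list 101 permit ip 192.168.0.0 0.0.0.255 any",
])

# Same two entries in the wrong order: the permit matches first, the deny is dead.
ACL101_WRONG_ORDER = parse_acl([
    "access-list 101 permit ip 192.168.0.0 0.0.0.255 any",
    "access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.16.0 0.0.0.255",
])

# Burt's variant (constructed addresses): VPN clients receive 192.168.0.200-207
# out of the LAN subnet itself, and the ACL referenced by the NAT route-map
# denies that slice so it is never translated.
ACL112_SAME_SUBNET = parse_acl([
    "access-list 112 deny ip 192.168.0.0 0.0.0.255 192.168.0.200 0.0.0.7",
    "access-list 112 permit ip 192.168.0.0 0.0.0.255 any",
])

LAN_HOST = "192.168.0.5"        # from the posted config
VPN_CLIENT = "192.168.16.17"    # inside 'ip local pool ippool 192.168.16.16 192.168.16.22'
INTERNET_HOST = "203.0.113.10"  # constructed (TEST-NET-3)

if __name__ == "__main__":
    for name, acl, peer in [
        ("posted ACL 101, reply to VPN client", ACL101_ORIGINAL, VPN_CLIENT),
        ("fixed ACL 101, reply to VPN client", ACL101_FIXED, VPN_CLIENT),
        ("fixed ACL 101, reply to Internet", ACL101_FIXED, INTERNET_HOST),
        ("deny after permit, reply to VPN client", ACL101_WRONG_ORDER, VPN_CLIENT),
        ("same-subnet pool, reply to pool host", ACL112_SAME_SUBNET, "192.168.0.203"),
    ]:
        print(f"{name:42s} -> {reply_path(acl, LAN_HOST, peer)}")
```

The point the model makes is that the deny line is not a routing change at all; it only keeps the NAT overload rule from rewriting packets that the crypto map is supposed to carry, and its position in the list matters because IOS stops at the first match. The same mechanism applies whether the exemption is written straight into the `ip nat inside source list` ACL or into the ACL that a NAT route-map matches on.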
 