VPN clients unable to talk to internal networks
Forum Index -> comp.dcom.sys.cisco

S Reese
Guest
Posted: Fri Jan 11, 2008 7:22 pm    Post subject: VPN clients unable to talk to internal networks

Remote clients (on 192.168.0.X) can connect to a router fine, but the VPN
clients cannot access any of the internal networks. The only
interface they can ping is 172.16.2.1.

Here's a look at the config:

!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 3725router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$BUZ8$
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate slot 2
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.2.1
ip dhcp excluded-address 172.16.3.1
ip dhcp excluded-address 172.16.3.100 172.16.3.150
!
ip dhcp pool VLAN2clients
   network 172.16.2.0 255.255.255.0
   default-router 172.16.2.1
   dns-server 205.152.144.23 205.152.132.23
!
ip dhcp pool VLAN3clients
   network 172.16.3.0 255.255.255.0
   default-router 172.16.3.1
   dns-server 205.152.144.23 205.152.132.23
!
!
ip domain name neocipher.net
ip name-server 205.
ip name-server 205.
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
vpdn-group L2TP_VPN
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-995375956
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-995375956
 revocation-check none
 rsakeypair TP-self-signed-995375956
!
!
crypto pki certificate chain TP-self-signed-995375956
 certificate self-signed 01
  3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 39393533 37353935 36301E17 0D303230 33303130 36313133
  335A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3939 35333735
  39353630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  CF80B9FF 105E6689 8ECB41A9 A433EA68 9142AC1C 27941675 D8308151 4C68D1E8
  A13039C9 75CBB9B3 C5078A7B FF67D8C0 FC1EBBF8 0C17EE00 BCA4056E 1903F769
  0C21CAB6 D04CCAAA 73D4F744 523FE2B1 0E2AC55C F85A6896 347328B1 504B8A05
  FAA9C1DF 31786DA6 3F64652C 9AE3B1C5 5E69122C 748160E3 818F110F 3978F0FF
  02030100 01A37830 76300F06 03551D13 0101FF04 05300301 01FF3023 0603551D
  11041C30 1A821833 37323572 6F757465 722E6E65 6F636970 6865722E 6E657430
  1F060355 1D230418 30168014 FC48BF7D 9B97167A 41CF22FD 013C798A 154EC666
  301D0603 551D0E04 160414FC 48BF7D9B 97167A41 CF22FD01 3C798A15 4EC66630
  0D06092A 864886F7 0D010104 05000381 8100CA4B 1A56F508 476C297C 32C830F2
  21EBA101 A3D47202 7DD7FCB8 E91911EF 6EFC8095 0AA1B548 14468A43 41A8E271
  176CC0F1 C576F65F 125A2A64 785149D9 1A302553 37E59C30 B59CEF3D C63E5019
  8897B79D C3DA4587 5EF1BC45 B10CB03C 0BFC1E1F 0AF2DF66 16653E18 5E2FC795
  5D9BB821 85471E48 C34845A2 1BE83EAF F58D
  quit
username rsreese privilege 15 secret 5 $1$k.mV$
username test password 7 120D0
!
!
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key mskey address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group VPN-Users
 key test00
 dns 205.152.144.23 205.152.132.23
 domain neocipher.net
 pool VPN_POOL
 include-local-lan
 max-logins 10
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile 65535
 set transform-set ESP-3DES-SHA
!
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
!
!
crypto map SDM_CMAP_1 client authentication list default
crypto map SDM_CMAP_1 isakmp authorization list default
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address dhcp client-id FastEthernet0/0 hostname 3725router
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map SDM_CMAP_1
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1
 ip address 172.20.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1.2
 encapsulation dot1Q 2
 ip address 172.16.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1.3
 encapsulation dot1Q 3
 ip address 172.16.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 crypto map SDM_CMAP_1
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool PPTP-POOL
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2 ms-chap chap
!
ip local pool PPTP-POOL 172.16.20.25 172.16.20.35
ip local pool VPN_POOL 192.168.0.50 192.168.0.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 111 interface FastEthernet0/0 overload
!
ip access-list extended LAN_IN
 permit ip host 192.168.0.51 any
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 172.16.0.0 0.0.255.255 any
 deny   ip any any log
!
access-list 111 permit ip 172.16.0.0 0.0.255.255 any
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password 7 05080F1C2243
 transport input ssh
line vty 5 903
 transport input ssh
!
ntp clock-period 17180663
ntp server 129.6.15.29 source FastEthernet0/0 prefer
!
end
S Reese
Guest
Posted: Fri Jan 11, 2008 10:16 pm    Post subject: Re: VPN clients unable to talk to internal networks

On Jan 11, 2:22 pm, S Reese <rsre...@gmail.com> wrote:
Quote:
Remote clients (on 192.168.0.X) can connect to a router fine, the VPN
clients cannot access any of the internal networks though. The only
interface they can ping is 172.16.2.1.

Here's a look at the config:

[config snipped]

Would some type of access list allow for the VPN network 192.168.0.X
to communicate with the network 172.16.X.X and vice versa?
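The access list that matters here is not a filter but the NAT one. In the posted config, `ip nat inside source list 111 interface FastEthernet0/0 overload` translates everything from 172.16.0.0/16 to any destination, which includes replies going to the VPN clients in VPN_POOL (192.168.0.50-100). Those packets are translated to the Fa0/0 address before the crypto map on Fa0/0 sees them, so they never match the client's IPsec security association and never come back through the tunnel; traffic to the router's own 172.16.2.1 address is the one thing that works because it never passes through NAT. The usual cure is a NAT exemption: a deny entry for LAN-to-VPN-pool traffic ahead of the permit. The following is an added, illustrative change set for IOS 12.4, not something the poster or anyone in the thread supplied; it assumes the VPN clients' own home LAN is not also 192.168.0.0/24 (if it is, move VPN_POOL to an unused range first, because `include-local-lan` plus an overlapping pool leaves the client unable to tell the two apart).

```cisco
! Added example (not from the original post): exempt LAN -> VPN-pool traffic from NAT.
! Numbered ACLs only append, so rebuild ACL 111 with the deny first.
! Clear live translations and detach the NAT rule before deleting the ACL it references.
clear ip nat translation *
no ip nat inside source list 111 interface FastEthernet0/0 overload
no access-list 111
access-list 111 remark Do not translate traffic bound for VPN_POOL; it must reach the crypto map untouched
access-list 111 deny   ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 111 permit ip 172.16.0.0 0.0.255.255 any
ip nat inside source list 111 interface FastEthernet0/0 overload
!
! The crypto map only belongs on the interface that terminates the tunnel (Fa0/0);
! leaving it on the inside subinterfaces adds nothing and complicates troubleshooting.
interface FastEthernet0/1.2
 no crypto map SDM_CMAP_1
interface FastEthernet0/1.3
 no crypto map SDM_CMAP_1
!
! Verification after a client connects and pings 172.16.3.1:
!  - both #pkts encaps and #pkts decaps should increase for the client's SA
!  - no translation should show a 192.168.0.x destination
show crypto ipsec sa
show ip nat translations
```

If decaps increases but encaps stays at zero, the return path is still being diverted (NAT or routing) before the crypto map; if neither counter moves, the problem is on the inbound side and the exemption above is not the cause. This covers the IPsec clients drawing from VPN_POOL only; the L2TP/PPTP clients on PPTP-POOL (172.16.20.x) already fall inside the 172.16.0.0/16 NAT match and would need their own deny entry if the same symptom appears there.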