VPN Question

Udgnim

Diamond Member
Apr 16, 2008
a VPN connection is being made to a Cisco router with Cisco's VPN client program

access to the 192.168.1.0/24 network is possible through the VPN, but trying to access a different internal network through the VPN is not possible

I'm guessing the reason for this is because the user's default gateway is being used to try to find a route to that different internal network instead of the gateway for the 192.168.1.0/24 network accessed via VPN.

is there a way to change the default gateway to that of the 192.168.1.0/24 network when using the VPN? thanks
 

Qrilock

Member
Dec 20, 2004
The second internal network is either not in the tunneled-networks ACL on the router, there is not a proper NAT exemption for the second network, or the second network does not have a route to the VPN subnet...
At least those are what I would look for first...
 

Udgnim

Diamond Member
Apr 16, 2008
I believe these are the settings that the VPN is using:

crypto isakmp client configuration group FILLER
 key FILLER
 dns 192.168.1.1
 pool SDM_POOL_1
 acl 105
 save-password
 max-users 10
crypto isakmp profile sdm-ike-profile-1
 match identity group FILLER
 client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
 isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
 client configuration address respond
 virtual-template 3

I also added the below permit statement to the top of access-list 105:

access-list 105 permit ip any any

ip local pool SDM_POOL_1 192.168.1.230 192.168.1.239
ip forward-protocol nd

interface Virtual-Template3 type tunnel
 ip unnumbered BVI1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1

interface BVI1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly

I'm reading that "ip unnumbered" allows an unnumbered interface to borrow the IP address of another interface already configured on the router, and that "ip virtual-reassembly" is something that helps deal with fragmented traffic being sent through the VPN.

Some additional information would be that the 192.168.1.0/24 network represents a network in the office network and the other network I'd like to access through the VPN is on a colocation. The office network is connected to the colo network through a different VPN connection.

After adding the "permit ip any any", I am still unable to access the colo network. Thanks for any help.
 

imagoon

Diamond Member
Feb 19, 2003
I am pretty sure you are modifying the wrong ACL. Check the split-tunnel ACLs etc. You can only access the IP ranges that the VPN ACLs (not interface ACLs) allow.
 

Qrilock

Member
Dec 20, 2004
Your IP access-list 105 determines what subnets are tunneled across the VPN link. If you wanted 192.168.1.0/24 and 192.168.2.0/24 accessible from your remote-access VPN, ACL 105 should look like this:

ip access-list extended 105
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any

You also need to make sure that NAT is being denied between the two subnets on both the router in your office as well as the router in the COLO.
Since you are trying to traverse two VPN tunnels, you may want to think about changing the VPN IP pool to something other than your office subnet. I have personally had some periodic issues assigning addresses from my local subnet to VPN clients (probably due to something I am missing, still so much to learn). This will also allow you to remove the virtual-template portion of the configuration, simplifying the overall config.
 
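An added example (not from any poster in this thread) that evaluates a split-tunnel ACL the way the discussion above describes: each permit entry's source network is what the client routes into the tunnel, ACLs are first-match with an implicit deny at the end, and Cisco wildcard masks are the bit-inverse of a netmask. The sample ACL text is constructed here to match the shape suggested in the thread.

```python
import ipaddress

# Constructed sample ACL in the shape suggested in the thread (not a real config).
SPLIT_TUNNEL_ACL = """
ip access-list extended 105
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
"""

# Constructed sample: a single catch-all line in old-style numbered-ACL syntax.
PERMIT_ANY_ACL = "access-list 105 permit ip any any"


def _take_spec(tokens):
    """Consume one Cisco address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    # A wildcard mask is the bit-inverse of a netmask. A non-contiguous wildcard
    # has no CIDR equivalent, so ip_network raises ValueError for it.
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_acl(text):
    """Return [(action, source_net, dest_net)] in ACL order, skipping headers/blanks."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in ("permit", "deny")), None)
        if idx is None or tokens[idx + 1:idx + 2] != ["ip"]:
            continue
        rest = tokens[idx + 2:]
        src = _take_spec(rest)
        dst = _take_spec(rest)
        aces.append((tokens[idx], src, dst))
    return aces


def tunneled_networks(aces):
    """Source side of each permit entry: the subnets the client routes into the tunnel."""
    return [str(src) for action, src, _ in aces if action == "permit"]


def is_tunneled(aces, dest_ip):
    """First-match evaluation of client->dest traffic; unmatched traffic is implicitly denied."""
    ip = ipaddress.ip_address(dest_ip)
    for action, src, _dst in aces:
        if ip in src:
            return action == "permit"
    return False  # implicit deny: traffic leaves via the client's default gateway instead
```

Running `is_tunneled(parse_acl(SPLIT_TUNNEL_ACL), "192.168.2.10")` returns True, while an address outside both permit entries returns False and would go out the client's normal default gateway, which is the symptom the original post describes.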