Cisco VPN connects but cannot access internal resources
I had a problem recently while configuring a new VPN for remote access. The Cisco VPN client would connect successfully, but I could not access any resources on the local network behind the firewall.
The termination point was an older PIX 515 running IOS 8.0. I was using the latest Cisco VPN Client, which was running on Windows 8.1.
In my particular case, I had the following line in my config:
no crypto isakmp nat-traversal
This line on its own was preventing me from accessing the internal LAN resources. To fix this, I entered the following command:
crypto isakmp nat-traversal 30
What this command does is allow VPN users connecting from behind their own firewall to traverse one or more levels of NAT and reach the remote subnet.
The number 30 is the NAT keepalive value and is specified in seconds. The default value is 20, and it can be set as high as an hour (3600 seconds).
You may need to disconnect and reconnect your VPN client for this to take effect.
It is rare for NAT traversal to be explicitly disabled with the NO form of this command, so I thought I would include some other common causes of this problem.
The first thing to check is that your VPN client is actually receiving an IP address. Run IPCONFIG from the command line on the problem workstation. The client should receive an IP address and subnet mask from the IP LOCAL POOL you specified. If it does not, check the general attributes of the remote-access tunnel group. You should see a line that reads something like this:
address-pool <name of your local IP pool>
If not, be sure to add it.
Note: It is a best practice for VPN clients to receive an IP address from a different subnet than your internal subnet.
Next, make sure that your NAT statements are present and correct. Your config should contain a line that reads something like this:
nat (inside) 0 access-list <access-list name>
Regular NAT statements have the number "1" after the interface name; those identify the networks that will be translated. In our example, however, the number is "0", which means that traffic matching the access list is exempt from translation.
From here, check the access list referenced by the NAT statement. It should contain a PERMIT statement allowing traffic between the internal LAN and the VPN pool. You should have one that reads something similar to this:
access-list <access-list name> extended permit ip <internal network> <internal mask> <VPN network> <VPN mask>
access-list NoNAT extended permit ip 192.168.1.0 255.255.255.0 192.168.199.0 255.255.255.0
As long as you have that access list, reference it from the NAT 0 statement, have NAT traversal enabled, and the client receives an IP address, you should be able to reach the resources behind the inside interface.
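To make these three checks repeatable, here is a small checker I am adding as an example (not code from the original post or from Cisco): it scans a PIX-style configuration for a disabled nat-traversal line, an unassigned local pool, and a NAT 0 exemption ACL that does not cover the VPN pool. The sample configuration, pool name and tunnel-group name embedded below are constructed for the example.

```python
import ipaddress
import re

# Constructed sample PIX 8.0 config fragment (assumed for this example).
SAMPLE_CONFIG = """
ip local pool VPNPOOL 192.168.199.10-192.168.199.50 mask 255.255.255.0
access-list NoNAT extended permit ip 192.168.1.0 255.255.255.0 192.168.199.0 255.255.255.0
nat (inside) 0 access-list NoNAT
no crypto isakmp nat-traversal
tunnel-group RemoteUsers type remote-access
tunnel-group RemoteUsers general-attributes
 address-pool VPNPOOL
"""

def check_vpn_config(config):
    """Return a list of findings for the three common causes discussed above."""
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]

    # 1. NAT traversal explicitly disabled (the cause in the original post).
    if any(l.startswith("no crypto isakmp nat-traversal") for l in lines):
        findings.append("NAT traversal is disabled: add 'crypto isakmp nat-traversal 30'")

    # 2. A local pool must exist and be assigned to a tunnel group.
    pools = {}
    for l in lines:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", l)
        if m:
            pools[m.group(1)] = ipaddress.ip_address(m.group(2))
    assigned = {l.split()[1] for l in lines if l.startswith("address-pool ")}
    if not pools:
        findings.append("no 'ip local pool' defined")
    elif not assigned & set(pools):
        findings.append("no tunnel group references the local pool with 'address-pool'")

    # 3. The NAT 0 exemption ACL must permit inside traffic to the VPN pool.
    acl_names = [l.split()[-1] for l in lines if re.match(r"nat \(inside\) 0 access-list ", l)]
    if not acl_names:
        findings.append("no 'nat (inside) 0 access-list' statement")
    else:
        covered = False
        for l in lines:
            m = re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", l)
            if m and m.group(1) in acl_names:
                dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
                covered = covered or any(addr in dst for addr in pools.values())
        if not covered:
            findings.append(f"ACL {acl_names[0]} has no permit covering the VPN pool")
    return findings
```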
As usual, I’d love to hear from you. So, if there is anything else that could be a common reason for Client VPN traffic not flowing, be sure to leave a comment!