Cisco EZVPN with no connection to the Enterprise Network

Status
Not open for further replies.

Orion071 (IS-IT--Management)
Joined: Aug 2, 2005
Messages: 3
Location: US

Hi guys, I'm experiencing this problem. The application is still a pilot, it is not in production (yet), so can you give me a hand trying to figure out what is causing this problem?

I need to connect several remote access clients to my internal network. I'm using Cisco VPN Client 4.6.00.0045 with all those clients, and my Internet Router (Cisco 3640 Router with IOS 12.4(1a)) as the EZ VPN Server.

I already configured my router as the EZ VPN Server, and I'm able to connect from all the clients to the EZVPN Server without any problem.

The only thing I'm concerned about is that, as soon as I connect the client to the VPN, it loses the connection to the LAN that it is connected to (I know I can solve this problem with the "Allow Local LAN Access" option in both the Client and the Server). Then I try to ping the External Interface of the EZVPN Server and I get a response, then I ping the Internal Interface of the EZVPN Server and I get a response too, BUT if I try to ping one of the internal hosts (those on the EZVPN Server's LAN) I don't get any response at all, and I don't have an Internet connection either.

This is the group of commands I applied to my EZVPN Server so you can check them...

--------------------------------------------------------------------------------
aaa authentication login tme-remote-access local
crypto isakmp xauth timeout 30
crypto map vpnremotes-map client authentication list tme-remote-access

ip local pool tme-remote-pool 192.168.1.20 192.168.1.25

aaa authorization network tme-remote-access local

crypto isakmp enable
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 group 2
 exit

crypto isakmp client configuration group tme-remote-access
 key KEY01
 dns X.X.X.X X.X.X.X
 domain something.com
 pool tme-remote-pool

crypto ipsec transform-set vpnremotes esp-3des esp-sha-hmac

crypto dynamic-map vpnremotes-map 1
 set transform-set vpnremotes
 reverse-route
 exit

crypto map vpnremotes-map client configuration address respond
crypto map vpnremotes-map isakmp authorization list tme-remote-access
crypto map vpnremotes-map 1 ipsec-isakmp dynamic vpnremotes-map

interface f0/0
 crypto map vpnremotes-map
 exit

--------------------------------------------------------------------------------


I really hope you guys can give me a hand...

Thank you very much!!!!

 
Hey guys...

I already solved 1 problem... I already have an Internet connection even if I'm connected to the VPN. :) I just added a couple of lines in my config.

--> access-list 110 permit ip 192.168.1.0 0.0.0.255 any <-- Just added

crypto isakmp client configuration group tme-remote-access
key KEY01
dns X.X.X.X X.X.X.X
domain something.com
pool tme-remote-pool
--> include-local-lan <-- Just added
--> acl 110 <-- Just added


That already solved my problem, but I still CAN'T connect to any of the hosts in my EZVPN Server's LAN Segment.

I'm pretty sure it is a problem with Split Tunneling, but I couldn't find it.

NOTE: After I did all that I tried to connect again with the Client and I got connected successfully, and I have connection to the Internet, but I'm still not connecting to the Internal Hosts :S

Thanks in advance.



Heriberto A. Cabrera

 