Address Pool ins easy vpn server

Answered Question
Feb 11th, 2007


I?ve a 1721 cisco router with one adsl wic card.

This router provides me internet conection and nat(dmz servers).

Now, I need to implement with this router an easy vpn server to provide vpn conection to clients who use cisco vpn client 4.8 software.

I follow step by step the instructions to enable the server but, when the wizar tells me about an address pool...I do not know.

The router has 2 fastethernet addresses, and

My lan works whith 192.168.156.x address.

what will be the address pool?

Best regards


I have this problem too.
0 votes
Correct Answer by ggilbert about 9 years 7 months ago


Configure the address pool as something different from those two networks, as I stated in my previous post.

ip local pool vpnpool

Hope this helps.



Rate this post!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
ggilbert Mon, 02/12/2007 - 14:43

EzVPN can be done in two different ways.

a. Client mode

b. Network Extension Mode

In Client Mode you assign an IP address to the Easy VPN client from the EasyVPN server. So, all the internal network on the client side gets sent over through the tunnel on that IP address through PAT to the head end side.

In Network Extension mode, your local network on the client will be used instead of assigning an address from the server.

ggilbert Mon, 02/12/2007 - 14:53

So, let me know which mode you are trying to use.

Client Mode or Network Extension mode.

edgar-quintana Mon, 02/12/2007 - 15:10

As I told you.. I'm a beginner.

I'd need that the client who uses vpn client 4.8 software could browse into his/her lan and assing an ip addres of my internal range to connect to a printer..or server...but limit using IOS firewall only to a specific server o printer.

edgar-quintana Mon, 02/12/2007 - 14:55


ummmm... ummm.

I used a vpn client 4.8 softwa to connect to a cisco router running configured with easy vpn server.

Then what will be the best option? Is the first time I configure easy vpn server because of this I'm so lost... xDDD

edgar-quintana Tue, 02/13/2007 - 02:09


Thks for the link.. is wonderfull.

One question,

Following this link/manual, the router's ip address is and the lan address is address pool is

Then When a remote client connects and the system gives a ip address from the pool this ip address can not connect to the internal lan or yes?

Best regards

ggilbert Tue, 02/13/2007 - 07:04

Good question:

When the client connects to the router, there is an IPSec SA table that is created to the client address that has been assigned to the router.

In most scenarios, it is recommended to have the IP pool different from the LAN network of the router.

To answer your question, yes it will work.



Rate it, if this helps!!

edgar-quintana Tue, 02/13/2007 - 07:17



When a teleworker who uses adsl connectio at home and uses a vpn client software to connect to my lan connects the software... the router assignes a ip from the pool.

My router ip addres is primary and secondary.

If the client needs to conect only to a lan/local machine which uses an 192.168.156.x ip address.

what will be the correct adress pool or another configuration to run properly?

Best regards and thks for you time explaning me

ggilbert Tue, 02/13/2007 - 10:13

Hi, Please go back to the document that I sent to you.

It does provide you the necessary information needed.

You can configure an IP pool in the range -

or use any of the RFC 1918 address ranges apart from the one used in your internal network.

If you want, please send me your config and I will try my best to let you know what are the commands needed to get this working.

Rate this topic, if the answers helped you out.



edgar-quintana Mon, 02/26/2007 - 08:43


My fastethernet0 interface has two ip address, and like secondary.

Lan machines have ip addresses and, remote customers, at their home using remote vpn 6.8 software need to connect to an only server which has ip adress.

Then... how can I configure the router/ip pool?

best regards

Correct Answer
ggilbert Mon, 02/26/2007 - 09:02


Configure the address pool as something different from those two networks, as I stated in my previous post.

ip local pool vpnpool

Hope this helps.



Rate this post!

edgar-quintana Mon, 02/26/2007 - 11:55


It's wonderfull... it works really fine.

I've used ip range to ip pool configuration.

But although...the *.pcf file has this parameter EnableLocalLAN=1, when I connect using vnpclient, the computer disconnects from its lan.

Is possible to connect to the remote vpn and have local lan connection?

ggilbert Mon, 02/26/2007 - 12:31


Glad to know that you got it to work.

If you want to access the Local LAN when connected with the VPN client, you need to do make sure that split tunneling is enabled on the Router.

This will allow you to pass traffic to the internet and also to your local LAN while you are connected through your VPN client.

Hope this helps.

Rate this post.



Note: If you want to know how to create the split tunneling ACL, send me the config of the router.

edgar-quintana Mon, 02/26/2007 - 13:13


Tomorrow I'll try and if it works.. I'll tell you.

Thks for fast responding...

best regards

edgar-quintana Tue, 02/27/2007 - 11:54


There is my sdm config file.

The remote clients who connect using remote vpn client have to connect using the tunnel and have local connection (split tunneling).

Can you change my configuration to implement this?

Is possible to only permit this remote prifile to connect to an specific ip? ofr example only permit to connect to

best regrads

ggilbert Tue, 02/27/2007 - 15:36


access-list 140 per ip host

crypto isakmp client configuration group serlogis

acl 140

Test this out and let me know. The above example is to provide split tunneling and also to allow only the host to have access to the VPN client network.



Rate this post, if it helps!

edgar-quintana Wed, 02/28/2007 - 06:01


I?ve added this command lines to my 1721 router but it does not works.

The vpn client software reports errors connecting.

I only add this lines.

best regards

ggilbert Wed, 02/28/2007 - 07:12


Turn on the following debugs on the router

deb cry isa & deb cry ipsec.

If you are going to telnet to the router, please insert the command "term mon" to get the debugs show up on the screen.

On the client, there is a tab for Log | Log Settings, can you enable everything to 1-5 and make sure you enable the Logging on the client.

Then open the window for logging.

Connect with the client and let me know what are the results.

We can troubleshoot from there.

Hope this helps.


edgar-quintana Wed, 02/28/2007 - 07:36


today i?ll send you the changed configuration and i?ll make the probes and attach the log files

ggilbert Wed, 02/28/2007 - 09:37


You need to enable debugs on the router. Thanks for the config.

"deb cry isa" and "deb cry ipsec" are the debugs that needs to be enabled when the client is trying to connect.



edgar-quintana Wed, 02/28/2007 - 11:32

I've to delete acl 140 and the access list 140 in order to access using vpn remote client.

ggilbert Wed, 02/28/2007 - 16:03


If that would be the case, seems like the VPN client connection is getting stuck when the split tunnel ACL is being sent over to the client.

Further, in-depth troubleshooting has to be done on this issue. Please open a TAC case and one of the engineers will be able to help you out.

Sorry Edgar, troubleshooting further with access will be the best method to figure out this issue.



edgar-quintana Thu, 03/01/2007 - 05:23


Local lan is enabled.. is this option a problem?

I'll try to disable it and then add your configuration and... we'll see

edgar-quintana Mon, 03/05/2007 - 08:32


Another problem

I have a 1721 cisco router with one adsl wic installed.It has a wan address with we want to change because our ISP needs to change ....

Using SDM , which is the best way to do?If I change the ip using SDM the router will change my nat configuration from the older WAN address to the new??

Best regards


This Discussion