03-10-2007 10:21 PM
Setup
- 871 EasyVPN Remote (client mode) connecting to VPN3000
- tunnel comes up fine
- loopback gets an IP from VPN3000 LAN side
- can ping from loopback int to hosts on 3000 LAN side just fine
- can't ping from any other interface
- vlan1 is inside EasyVPN, fast4 is outside EasyVPN
How do I get the packets to be translated to the IP on the loopback interface in order to travel through the tunnel? Supposedly, EasyVPN is supposed to set up NAT/PAT for you.
03-11-2007 01:42 AM
Yes, Easy VPN supports NAT/PAT. Ping from the router may not work because that traffic is not using the tunnel. You will need to ping from a host connected to the 871. If you NAT and Easy VPN is configured correctly then it should all work.
http://www.cisco.com/en/US/products/ps6635/products_data_sheet09186a00801541d5.html
03-11-2007 11:27 AM
I tried to ping from a client connected to the 871. It doesn't work. The only ping that will work is from the loopback interface that has the IP given to it from the 3000. This makes sense of course because the IP is on the same subnet as the LAN side of the 3000.
You said that easyvpn supports NAT, but do you have to explicitly configure it when in client mode or does easyvpn configure it for you?
Here is my config for the 871
03-11-2007 03:15 PM
hi,
Your config looks fine. You might need to check the policy on the concentrator. Are you tunneling everything or are you doing split tunneling? You can check the policy the 871 is receiving using "show crypto ipsec client ezvpn"
03-11-2007 04:01 PM
I did the show crypto ipsec client ezvpn and it doesn't show anything about a policy or anything. It shows what interfaces are inside/outside, current peer, current state = active, DNS servers, tunnel name...
It says nothing of a policy or what's being tunneled.
Does split tunneling cause problems?
03-12-2007 03:40 AM
"show crypto ipsec client ezvpn" should show you what settings the 871 is receiving from the concentrator. If you are using split tunneling then the above command should show you what addresses will be tunneled, e.g. the following lines might appear in the output of the above command:
Split Tunnel List: 1
Address : 192.168.200.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
Check your config on the concentrator.
03-13-2007 12:39 AM
Guess I'm not using split tunneling because I'm not seeing that when I issue that command.
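The check discussed in this thread, as an added example that is not part of any post: a small parser for the "Split Tunnel List" lines quoted above that reports whether a destination would be sent through the tunnel. The sample text is constructed from the lines in the thread, and the function names and the rule that an absent list means everything is tunneled are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: only the split-tunnel lines quoted in the thread.
SAMPLE_SPLIT = """\
Split Tunnel List: 1
Address : 192.168.200.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
"""

# Constructed sample: output with no split-tunnel section at all.
SAMPLE_NO_SPLIT = "current state = active\n"


def parse_split_tunnel(output):
    """Return the networks found in Address/Mask pairs of the output."""
    networks = []
    address = None
    for line in output.splitlines():
        m = re.match(r"\s*(Address|Mask)\s*:\s*(\S+)", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Address":
            address = value
        elif address is not None:
            # strict=False tolerates an address with host bits set
            networks.append(
                ipaddress.ip_network(f"{address}/{value}", strict=False))
            address = None
    return networks


def is_tunneled(output, destination):
    """True if traffic to destination would use the tunnel.

    Assumption: with no split-tunnel list pushed by the concentrator,
    all traffic is tunneled.
    """
    networks = parse_split_tunnel(output)
    if not networks:
        return True
    dest = ipaddress.ip_address(destination)
    return any(dest in net for net in networks)


if __name__ == "__main__":
    for dst in ("192.168.200.15", "10.1.1.1"):
        print(dst, "tunneled" if is_tunneled(SAMPLE_SPLIT, dst) else "not tunneled")
```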