VPN client connects, but no traffic passes through

Unanswered Question
Mar 15th, 2007

I have attached a PDF of my basic setup as well as a copy of my config file (2611.txt) on my 2611. The VPN client connects, but no traffic passes through the tunnel. As the end result, I want to be able to have the VPN client get an IP address from the same network (192.168.1.x) as the internal DHCP NAT clients. I want the VPN client to be able to talk to the hosts/servers on the 192.168.1.x network as well as access the internet through my 2611 router (rather than the local gateway). I realize it must be an ACL issue, but I'm having a brain-fart on how to set it up. (The 100 ACL will obviously be changed before I connect the router to my ISP.) eth 0/0 is internet; eth 0/1 is 192.168.1.x.

Thanks for any help and ideas.

kaachary Fri, 03/16/2007 - 02:21


First of all, the VPN client pool range should not be the same as the internal hosts' subnet range. That is highly not recommended.

Suppose you chose the client pool as For internet traffic of clients to go through the router, and for clients to access subnet, the following changes need to be made in your config.

1: Create two ACLs:

access-list 121 permit ip

access-list 122 deny ip
access-list 122 permit ip any

2: Create two loopback interfaces:

int loopback 1
ip address

int loopback 2
ip address
ip nat inside

3: Create two route-maps:

route-map polnat permit 10
match ip address 121
set ip next-hop

route-map polnat2 permit 10
match ip address 122
set ip next-hop

4: Apply the policies on the LAN and WAN interfaces:

On LAN intf:

interface Ethernet0/1
no ip access-group 101 in
ip policy route-map polnat

On WAN intf:

interface Ethernet0/0
ip policy route-map polnat2



Complicated, though... but that should do it!

*Please rate if helped.


klkunzler Fri, 03/16/2007 - 07:27

That works, almost. I can now access the hosts through the VPN; however, still no internet access through the VPN.

kaachary Fri, 03/16/2007 - 13:40


You also have to add this statement:

access-list 1 permit

That should do it!

*Please rate if helped.
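A complete version of the loopback/policy-routing arrangement described in the two replies above, written out as an added example (it is not from the original thread or any poster) with constructed addresses: a 192.168.2.0/24 client pool separate from the 192.168.1.0/24 LAN, the documentation address 203.0.113.2 on the WAN side, and two 10.255.255.x/30 loopback subnets; the interface names and route-map/ACL numbers follow the thread, everything else is an assumption.

```cisco
! Assumed addressing (constructed for this example):
!   Ethernet0/0 = WAN toward the ISP, 203.0.113.2/30
!   Ethernet0/1 = LAN, 192.168.1.1/24
!   VPN client pool = 192.168.2.1-192.168.2.254 (kept separate from the LAN)
ip local pool VPNPOOL 192.168.2.1 192.168.2.254
!
! ACL 121: LAN hosts talking to VPN clients; this traffic must NOT be translated,
! otherwise it no longer matches the crypto ACL and never enters the tunnel
access-list 121 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! ACL 122: VPN clients going anywhere except the LAN; this traffic MUST be
! translated to the WAN address before it leaves Ethernet0/0 again
access-list 122 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.2.0 0.0.0.255 any
!
! ACL 1 feeds the overload NAT; the pool line is the "access-list 1 permit"
! the second reply adds, without it client internet traffic is never translated
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
! Loopback1 carries no "ip nat inside": LAN->VPN packets bounced through it are
! re-routed as plain traffic and reach the crypto map untranslated
interface Loopback1
 ip address 10.255.255.1 255.255.255.252
!
! Loopback2 is "ip nat inside": decrypted client packets bounced through it are
! treated as inside traffic and translated on the way back out Ethernet0/0
interface Loopback2
 ip address 10.255.255.5 255.255.255.252
 ip nat inside
!
! The next-hop is the unused address of each loopback's /30, which is what makes
! the packet re-enter the routing process via that loopback
route-map polnat permit 10
 match ip address 121
 set ip next-hop 10.255.255.2
route-map polnat2 permit 10
 match ip address 122
 set ip next-hop 10.255.255.6
!
interface Ethernet0/1
 ip nat inside
 ip policy route-map polnat
interface Ethernet0/0
 ip nat outside
 ip policy route-map polnat2
!
ip nat inside source list 1 interface Ethernet0/0 overload
```

While testing, `show route-map` shows the per-route-map match counters and `show ip nat translations` shows whether a client's packets are actually being translated, which is the quickest way to tell which half (the LAN-to-client path or the client-to-internet path) is still broken.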


njamabraasch Wed, 05/23/2007 - 08:56

Hello -

I've tried these instructions on my 515e 6.3.3 using the command line interface in the PDM, and a lot of the commands return errors.

I will definitely rate if you can help.

My inside network is and the vpnPool is I can make a connection when I set up using the VPN wizard, but I cannot figure out the nat configuration required to allow my VPN clients to see and be seen by the inside pool.

Can you tell me what's missing?

acomiskey Wed, 05/23/2007 - 09:04

Your nat exemption should look something like this...

access-list nat0 permit ip

nat (inside) 0 access-list nat0

