VPN client connects, but no traffic passes through

Unanswered Question
Mar 15th, 2007

I have attached a PDF of my basic setup as well as a copy of my config file (2611.txt) on my 2611. The VPN client connects, but no traffic passes through the tunnel. As the end result, I want the VPN client to get an IP address from the same network (192.168.1.x) as the internal DHCP NAT clients; I want the VPN client to be able to talk to the hosts/servers on the 192.168.1.x network as well as access the internet through my 2611 router (rather than the local gateway). I realize it must be an ACL issue, but I'm having a brain-fart on how to set it up. (The 100 ACL will obviously be changed before I connect the router to my ISP.) eth 0/0 is internet, eth 0/1 is 192.168.1.x.


Thanks for any help and ideas.





kaachary (Cisco Employee) Fri, 03/16/2007 - 02:21

Hi,


First of all, the VPN client pool range should not be the same as the internal hosts' subnet range. That is highly not recommended.


Suppose you chose the client pool as 192.168.2.0/24. For the clients' internet traffic to go through the router, and for the clients to access the 192.168.1.0/24 subnet, the following changes need to be made in your config.


1: Create two ACLs

access-list 121 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

and

access-list 122 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.2.0 0.0.0.255 any


2: Create two loopback interfaces:

int loopback 1
ip address 1.1.1.1 255.255.255.0
exit

int loopback 2
ip address 2.2.2.1 255.255.255.0
ip nat inside
exit


3: Create two route-maps:

route-map polnat permit 10
match ip address 121
set ip next-hop 1.1.1.2
exit

route-map polnat2 permit 10
match ip address 122
set ip next-hop 2.2.2.2
exit


4: Apply the policies on the LAN and WAN interfaces:

On LAN intf:

interface Ethernet0/1
no ip access-group 101 in
ip policy route-map polnat
exit

On WAN intf:

interface Ethernet0/0
ip policy route-map polnat2
exit

**************************************************************


Complicated though... but that should do it!!


*Please rate if helped.


-Kanishka
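
As an added illustration (not from the original thread), here is a small Python model of the ACL and route-map logic in the answer above: it evaluates IOS wildcard masks with first-match, implicit-deny semantics and reports which flows each policy route-map catches and which fall through to ordinary routing. The sample flows and the internet address 198.51.100.7 are constructed.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any": every bit is don't-care


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard masks are inverse masks: a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, src: str, dst: str) -> bool:
    """Numbered extended ACL: first matching entry wins, implicit deny at the end."""
    for action, (sbase, swild), (dbase, dwild) in acl:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action == "permit"
    return False


# The ACLs and route-maps from the answer, transcribed as data.
LAN = ("192.168.1.0", "0.0.0.255")   # internal hosts behind Ethernet0/1
POOL = ("192.168.2.0", "0.0.0.255")  # suggested VPN client pool
ACL_121 = [("permit", LAN, POOL)]
ACL_122 = [("deny", POOL, LAN), ("permit", POOL, ANY)]

# ingress interface -> (match ACL, "set ip next-hop"); only a permit match sets it.
POLICY = {
    "Ethernet0/1": (ACL_121, "1.1.1.2"),  # route-map polnat  -> loopback 1
    "Ethernet0/0": (ACL_122, "2.2.2.2"),  # route-map polnat2 -> loopback 2 (ip nat inside)
}


def policy_next_hop(ingress: str, src: str, dst: str):
    """Next hop the route-map on `ingress` would set for this packet, or None when
    the packet falls through to ordinary destination-based routing."""
    acl, next_hop = POLICY[ingress]
    return next_hop if acl_permits(acl, src, dst) else None


if __name__ == "__main__":
    # Constructed sample flows; decrypted client traffic enters on the WAN side.
    for iface, src, dst in [
        ("Ethernet0/0", "192.168.2.5", "198.51.100.7"),   # VPN client -> internet
        ("Ethernet0/0", "192.168.2.5", "192.168.1.10"),   # VPN client -> LAN host
        ("Ethernet0/1", "192.168.1.10", "192.168.2.5"),   # LAN host -> VPN client
        ("Ethernet0/1", "192.168.1.10", "198.51.100.7"),  # LAN host -> internet
    ]:
        print(f"{iface} {src} -> {dst}: next-hop {policy_next_hop(iface, src, dst)}")
```

The deny entry at the top of ACL 122 is what keeps client-to-LAN traffic out of polnat2, so it is routed directly instead of being hairpinned through the NAT loopback.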

klkunzler Fri, 03/16/2007 - 07:27

That works, almost. I can now access the 192.168.1.0/24 hosts through the VPN; however, there is still no internet access through the VPN.

kaachary (Cisco Employee) Fri, 03/16/2007 - 08:17

Please post the updated running config.


-Kanishka

kaachary (Cisco Employee) Fri, 03/16/2007 - 13:40

Hi,


You also have to add this statement:

access-list 1 permit 192.168.5.0 0.0.0.255

That should do it!


*Please rate if helped.


-Kanishka



njamabraasch Wed, 05/23/2007 - 08:56

Hello -


I've tried these instructions on my 515e 6.3.3 using the command line interface in the PDM, and a lot of the commands return errors.


I will definitely rate if you can help.


My inside network is 192.168.0.0 and the vpnPool is 192.168.1.0. I can make a connection when I set it up using the VPN wizard, but I cannot figure out the NAT configuration required to allow my VPN clients to see and be seen by the inside pool.


Can you tell me what's missing?

acomiskey (Green, 3000 points or more) Wed, 05/23/2007 - 09:04

Your NAT exemption should look something like this...

access-list nat0 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nat0
