VPN client connects, but no traffic passes through

Unanswered Question
Mar 15th, 2007

I have attached a PDF of my basic setup as well as a copy of my config file (2611.txt) on my 2611. The VPN client connects, but no traffic passes through the tunnel. As the end result, I want the VPN client to get an IP address from the same network (192.168.1.x) as the internal DHCP NAT clients; I want the VPN client to be able to talk to the hosts/servers on the 192.168.1.x network as well as access the internet through my 2611 router (rather than the local gateway). I realize it must be an ACL issue, but I'm having a brain-fart on how to set it up. (The 100 ACL will obviously be changed before I connect the router to my ISP.) eth 0/0 is internet, eth 0/1 is 192.168.1.x.

Thanks for any help and ideas.

kaachary Fri, 03/16/2007 - 02:21

Hi,

First of all, the VPN client pool range should not be the same as the internal hosts' subnet range. That is highly not recommended.

Suppose you chose the client pool as 192.168.2.0/24. For the clients' internet traffic to go through the router, and for the clients to access the 192.168.1.0/24 subnet, the following changes need to be made in your config.

1: Create two ACLs:

access-list 121 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

and

access-list 122 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.2.0 0.0.0.255 any

2: Create two loopback interfaces:

interface Loopback1
 ip address 1.1.1.1 255.255.255.0
 exit
interface Loopback2
 ip address 2.2.2.1 255.255.255.0
 ip nat inside
 exit

3: Create two route-maps:

route-map polnat permit 10
 match ip address 121
 set ip next-hop 1.1.1.2
 exit
route-map polnat2 permit 10
 match ip address 122
 set ip next-hop 2.2.2.2
 exit

4: Apply the policies on the LAN and WAN interfaces:

On the LAN interface:

interface Ethernet0/1
 no ip access-group 101 in
 ip policy route-map polnat
 exit

On the WAN interface:

interface Ethernet0/0
 ip policy route-map polnat2
 exit

**************************************************************

Complicated, though... but that should do it!

*Please rate if helped.

-Kanishka

klkunzler Fri, 03/16/2007 - 07:27

That works, almost. I can now access the 192.168.1.0/24 hosts through the VPN; however, there is still no internet access through the VPN.

kaachary Fri, 03/16/2007 - 13:40

Hi,

You also have to add this statement :

access-list 1 permit 192.168.5.0 0.0.0.255

That should do it !

*Please rate if helped.

-Kanishka
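The two replies above are one procedure: ACLs 121/122 select traffic, the route-maps push matching packets to a loopback next hop, and the loopbacks' NAT roles decide whether the source is translated; the follow-up then adds the pool to access-list 1 so the VPN clients' internet traffic is actually translated. The following Python model is an added example, not Cisco IOS and not code from either poster. It implements IOS wildcard-mask matching, first-match ACL evaluation with the implicit deny, the route-map semantics (an ACL deny inside `match ip address` means the clause simply does not match and the packet is routed normally), and the NAT inside source check, then runs constructed sample flows through it. Assumptions not on the page: the pool is the 192.168.2.0/24 chosen in the first reply, so the access-list 1 entry is written for that range rather than the 192.168.5.0 in the follow-up; Ethernet0/1 is `ip nat inside` and Ethernet0/0 `ip nat outside` (the poster's 2611.txt is not shown); access-list 1 already permits 192.168.1.0/24; and a packet policy-routed to a loopback next hop takes that loopback's NAT role when it re-enters routing, which is the behaviour the loopback trick relies on.

```python
"""Model of the ACL, policy-routing and NAT decisions from the replies above.

Constructed example (not IOS code): IOS wildcard-mask ACL matching, the
route-maps applied to Ethernet0/1 and Ethernet0/0, and the NAT inside
source list (access-list 1), evaluated on a few sample flows.
"""
from dataclasses import dataclass
from typing import List, Optional


def ip2int(addr: str) -> int:
    octets = [int(x) for x in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~ip2int(wildcard) & 0xFFFFFFFF
    return (ip2int(addr) & care) == (ip2int(network) & care)


ANY = ("0.0.0.0", "255.255.255.255")


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    src: str
    src_wild: str
    dst: str = ANY[0]      # standard ACLs (1-99) only look at the source
    dst_wild: str = ANY[1]


def acl_lookup(acl: List[Ace], src: str, dst: str) -> str:
    """First-match evaluation with the implicit 'deny' at the end of every ACL."""
    for ace in acl:
        if (wildcard_match(src, ace.src, ace.src_wild)
                and wildcard_match(dst, ace.dst, ace.dst_wild)):
            return ace.action
    return "deny"


# The ACLs and route-maps from the first reply.
ACL_121 = [Ace("permit", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255")]
ACL_122 = [
    Ace("deny", "192.168.2.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    Ace("permit", "192.168.2.0", "0.0.0.255", *ANY),
]
# route-map <name> permit 10 / match ip address <acl> / set ip next-hop <hop>
ROUTE_MAPS = {
    "polnat": [("permit", ACL_121, "1.1.1.2")],
    "polnat2": [("permit", ACL_122, "2.2.2.2")],
}
INTERFACE_POLICY = {"Ethernet0/1": "polnat", "Ethernet0/0": "polnat2"}

# Assumed NAT roles: e0/1 inside / e0/0 outside is the usual 2611 LAN/WAN layout
# (2611.txt is not on the page); the loopback roles are as given in the reply.
NAT_INSIDE = {"Ethernet0/1": True, "Ethernet0/0": False,
              "Loopback1": False, "Loopback2": True}
NEXT_HOP_IFACE = {"1.1.1.2": "Loopback1", "2.2.2.2": "Loopback2"}

# access-list 1 is the NAT inside source list. The LAN entry is assumed to
# exist already; the pool entry is the line the follow-up adds, written for
# the 192.168.2.0/24 pool chosen in the first reply.
NAT_ACL_BEFORE = [Ace("permit", "192.168.1.0", "0.0.0.255")]
NAT_ACL_AFTER = NAT_ACL_BEFORE + [Ace("permit", "192.168.2.0", "0.0.0.255")]


def policy_route(ingress: str, src: str, dst: str) -> Optional[str]:
    """Next hop forced by 'ip policy route-map' on the ingress interface, or None.

    A clause matches only when its ACL returns 'permit'; an ACL 'deny' (explicit,
    as in access-list 122, or implicit) skips the clause, and with no matching
    clause the packet takes the normal destination-based route.
    """
    name = INTERFACE_POLICY.get(ingress)
    for clause, acl, next_hop in ROUTE_MAPS.get(name, []):
        if acl_lookup(acl, src, dst) == "permit":
            return next_hop if clause == "permit" else None
    return None


def forward(ingress: str, src: str, dst: str, nat_acl: List[Ace]) -> dict:
    """Decide the next hop and whether the source is translated on the way out."""
    hop = policy_route(ingress, src, dst)
    # Policy-routing to a loopback makes the packet re-enter routing as if it
    # arrived on that loopback, so the loopback's NAT role is what counts (assumed).
    nat_iface = NEXT_HOP_IFACE.get(hop, ingress)
    stays_local = wildcard_match(dst, "192.168.1.0", "0.0.0.255")
    translated = (NAT_INSIDE[nat_iface] and not stays_local
                  and acl_lookup(nat_acl, src, ANY[0]) == "permit")
    return {"next_hop": hop, "nat_interface": nat_iface, "translated": translated}


if __name__ == "__main__":
    flows = [  # (ingress, src, dst): constructed sample traffic
        ("Ethernet0/1", "192.168.1.10", "192.168.2.5"),   # LAN host -> VPN client
        ("Ethernet0/0", "192.168.2.5", "192.168.1.10"),   # VPN client -> LAN host
        ("Ethernet0/0", "192.168.2.5", "198.51.100.7"),   # VPN client -> internet
        ("Ethernet0/1", "192.168.1.10", "198.51.100.7"),  # LAN host -> internet
    ]
    for label, acl in (("before adding the pool to access-list 1", NAT_ACL_BEFORE),
                       ("after adding the pool to access-list 1", NAT_ACL_AFTER)):
        print(label)
        for flow in flows:
            print("  ", flow, forward(*flow, acl))
```

Running it shows the symptom from the follow-up post: with only the LAN in access-list 1, the VPN-client-to-internet flow is policy-routed to Loopback2 but not translated, so it leaves the WAN interface with an RFC 1918 source and never gets a reply; after the pool entry is added it is translated. The VPN-to-LAN flow hits the explicit deny in access-list 122, so polnat2 does not match and the packet is routed straight to the LAN, while LAN-to-VPN traffic is steered via Loopback1, which is not `ip nat inside`, and so keeps its real source for the tunnel.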

njamabraasch Wed, 05/23/2007 - 08:56

Hello -

I've tried these instructions on my 515e 6.3.3 using the command line interface in the PDM, and a lot of the commands return errors.

I will definitely rate if you can help.

My inside network is 192.168.0.0 and the vpnPool is 192.168.1.0. I can make a connection when I set up using the VPN wizard, but I cannot figure out the nat configuration required to allow my VPN clients to see and be seen by the inside pool.

Can you tell me what's missing?

acomiskey Wed, 05/23/2007 - 09:04

Your NAT exemption should look something like this:

access-list nat0 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nat0
