VPN client connects, but no traffic passes through

klkunzler
Level 1

I have attached a PDF of my basic setup as well as a copy of my config file (2611.txt) on my 2611. The VPN client connects, but no traffic passes through the tunnel. As the end result, I want to be able to have the VPN client get an IP address from the same network (192.168.1.x) as the internal DHCP NAT clients. I want the VPN client to be able to talk to the hosts/servers on the 192.168.1.x network as well as access the internet through my 2611 router (rather than the local gateway). I realize it must be an ACL issue, but I'm having a brain-fart on how to set it up. (The 100 ACL will obviously be changed before I connect the router to my ISP.) eth 0/0 is internet, eth 0/1 is 192.168.1.x.

Thanks for any help and ideas.

7 Replies

kaachary
Cisco Employee

Hi,

First of all, the VPN client pool range should not be the same as the internal hosts' subnet range. That is highly not recommended.

Suppose you chose the client pool as 192.168.2.0/24. For the clients' internet traffic to go through the router, and for the clients to access the 192.168.1.0/24 subnet, the following changes need to be made in your config.

1: Create two ACLs:

access-list 121 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

and

access-list 122 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.2.0 0.0.0.255 any

2: Create two loopback interfaces:

int loopback 1
 ip address 1.1.1.1 255.255.255.0
exit

int loopback 2
 ip address 2.2.2.1 255.255.255.0
 ip nat inside
exit

3: Create two route-maps:

route-map polnat permit 10
 match ip address 121
 set ip next-hop 1.1.1.2
exit

route-map polnat2 permit 10
 match ip address 122
 set ip next-hop 2.2.2.2
exit

4: Apply the policies on the LAN and WAN interfaces:

On LAN intf:

interface Ethernet0/1
 no ip access-group 101 in
 ip policy route-map polnat
exit

On WAN intf:

interface Ethernet0/0
 ip policy route-map polnat2
exit

**************************************************************

Complicated though... but that should do it!!

*Please rate if helped.

-Kanishka

That works, almost. I can now access the 192.168.1.0/24 hosts through the VPN, however still no internet access through the VPN.

Please post the updated running config.

-Kanishka

The updated config is attached (2611-update.txt)

Hi,

You also have to add this statement:

access-list 1 permit 192.168.5.0 0.0.0.255

That should do it !

*Please rate if helped.

-Kanishka

Hello -

I've tried these instructions on my 515e 6.3.3 using the command line interface in the PDM, and a lot of the commands return errors.

I will definitely rate if you can help.

My inside network is 192.168.0.0 and the vpnPool is 192.168.1.0. I can make a connection when I set up using the VPN wizard, but I cannot figure out the NAT configuration required to allow my VPN clients to see and be seen by the inside pool.

Can you tell me what's missing?

Your NAT exemption should look something like this...

access-list nat0 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nat0
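Added example (not part of the thread, and not Cisco's code): a small Python model of how the ACLs above are evaluated, so you can trace which packets the polnat/polnat2 route-maps steer, why the NAT source list (access-list 1) had to include the client pool, and how the PIX nat0 exemption in the last reply differs from the IOS ACLs earlier in the thread. The ACL lines are copied from the posts; the packet addresses used for the checks are constructed test inputs. The model encodes three things that hold on IOS and PIX: entries are evaluated top-down and the first match wins, every ACL ends with an implicit deny, and a route-map clause only applies when its ACL permits (a deny entry simply falls through to normal routing). It also encodes the one difference that bites people moving between the two platforms: IOS access-lists take wildcard masks (1 bits mean "don't care"), while PIX/ASA access-lists take ordinary subnet masks, so the same text means different things on each.

```python
"""First-match ACL model for the IOS route-map/NAT ACLs and the PIX nat0
exemption in this thread. ACL text is copied from the thread; the packet
addresses in the checks below are constructed test inputs."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


class Ace:
    """One access-control entry: action plus (address, care-bits) for src/dst.
    care-bits are 1 where the packet address must equal the configured address."""
    def __init__(self, action, src, dst):
        self.action, self.src, self.dst = action, src, dst


def _parse_addr(tokens, i, mask_kind):
    """Consume one address spec; return ((addr, care_mask), next_index)."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0), i + 1
    if tok == "host":
        return (ip_int(tokens[i + 1]), ALL_ONES), i + 2
    addr, mask = ip_int(tok), ip_int(tokens[i + 1])
    if mask_kind == "wildcard":      # IOS: 1 bits in the wildcard are "don't care"
        mask = ~mask & ALL_ONES
    return (addr, mask), i + 2       # PIX/ASA "subnet": a real netmask, used as-is


def parse_acl(lines, mask_kind="wildcard"):
    """Parse 'access-list <id> <permit|deny> [ip] <src> [<dst>]' lines."""
    aces = []
    for line in lines:
        t = line.split()
        action, i = t[2], 3
        if t[i] == "ip":                 # extended ACL: protocol, then src and dst
            src, i = _parse_addr(t, i + 1, mask_kind)
            dst, i = _parse_addr(t, i, mask_kind)
        else:                            # standard ACL: source only
            src, i = _parse_addr(t, i, mask_kind)
            dst = (0, 0)
        aces.append(Ace(action, src, dst))
    return aces


def evaluate(aces, src, dst):
    """Top-down, first matching entry wins; an ACL ends with an implicit deny."""
    s, d = ip_int(src), ip_int(dst)
    for ace in aces:
        if (s ^ ace.src[0]) & ace.src[1] == 0 and (d ^ ace.dst[0]) & ace.dst[1] == 0:
            return ace.action
    return "deny"


def policy_next_hop(route_map, src, dst):
    """route_map: ordered (acl, next_hop) clauses. A clause applies only when
    its ACL permits; a deny (or no match) falls through to normal routing."""
    for acl, next_hop in route_map:
        if evaluate(acl, src, dst) == "permit":
            return next_hop
    return None   # not policy routed


# ACLs copied from the thread (IOS wildcard masks)
ACL_121 = parse_acl(["access-list 121 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"])
ACL_122 = parse_acl(["access-list 122 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
                     "access-list 122 permit ip 192.168.2.0 0.0.0.255 any"])
ACL_1 = parse_acl(["access-list 1 permit 192.168.5.0 0.0.0.255"])   # NAT source list
POLNAT = [(ACL_121, "1.1.1.2")]    # applied inbound on Ethernet0/1 (LAN)
POLNAT2 = [(ACL_122, "2.2.2.2")]   # applied inbound on Ethernet0/0 (WAN)

# PIX nat0 exemption from the last reply (subnet masks, not wildcards)
NAT0_LINE = "access-list nat0 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0"
NAT0 = parse_acl([NAT0_LINE], mask_kind="subnet")

if __name__ == "__main__":
    # LAN host -> VPN client: steered to loopback path; LAN host -> internet: normal routing
    print(policy_next_hop(POLNAT, "192.168.1.10", "192.168.2.5"))     # 1.1.1.2
    print(policy_next_hop(POLNAT, "192.168.1.10", "198.51.100.7"))    # None
    # VPN client -> LAN: deny entry falls through; VPN client -> internet: to NAT loopback
    print(policy_next_hop(POLNAT2, "192.168.2.5", "192.168.1.10"))    # None
    print(policy_next_hop(POLNAT2, "192.168.2.5", "198.51.100.7"))    # 2.2.2.2
    # Standard ACL 1 decides which sources get NATed; a pool outside it is not translated
    print(evaluate(ACL_1, "192.168.5.20", "198.51.100.7"))             # permit
    print(evaluate(ACL_1, "192.168.2.20", "198.51.100.7"))             # deny
    # PIX nat0 read with subnet masks matches; the same text read as IOS wildcards does not
    print(evaluate(NAT0, "192.168.0.10", "192.168.1.20"))              # permit
    print(evaluate(parse_acl([NAT0_LINE]), "192.168.0.10", "192.168.1.20"))  # deny
```

The last two checks are the point of the PIX reply: read as a wildcard, 255.255.255.0 would mean "only the last octet must match", so almost no inside host would be exempted from NAT, which is exactly the symptom of clients connecting but not seeing the inside network.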
