vpn client not working...

Mar 22nd, 2007

I can connect with vpn client to my 1721 at the office, get an IP address, but I do not receive a default gateway and cannot access the office LAN from home. What is wrong with my config?


Current configuration : 3795 bytes

version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

hostname Cerberus

boot system flash c1700-k9o3sy7-mz.122-11.T10.bin
aaa new-model

aaa group server radius RADIUS-SERVERS
 server auth-port 1645 acct-port 1646

aaa authentication login LOGIN group RADIUS-SERVERS local
aaa authorization network NETGROUPAUTH local
aaa session-id common

username x password x
username x password x
clock timezone CST -6
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero

ip domain name heffnet.net
ip name-server 68.x.x.1
ip name-server 68.x.x.1
ip dhcp excluded-address
ip dhcp excluded-address

ip dhcp pool HEFFNET_LAN_POOL_1

ip audit notify log
ip audit po max-events 100
vpdn enable

vpdn-group pppoe

 protocol pppoe

crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2

crypto isakmp client configuration group VPNGROUP
 key 8mathef8
 dns 68.x.x.1
 domain heffnet.net

 acl 102

crypto ipsec transform-set VPNSET1 esp-3des esp-sha-hmac

crypto dynamic-map DYNMAP 10
 set transform-set VPNSET1

crypto map VPNCLIENTMAP client authentication list LOGIN
crypto map VPNCLIENTMAP isakmp authorization list NETGROUPAUTH
crypto map VPNCLIENTMAP client configuration address respond
crypto map VPNCLIENTMAP 10 ipsec-isakmp dynamic DYNMAP

interface Loopback0
 ip address 1.1.x.x.255.255.252

interface ATM0
 description Heffnet WAN/SBC DSL Interface
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 69

 dsl operating-mode auto
 no fair-queue

interface FastEthernet0
 description Heffnet LAN Interface
 ip address
 ip nat inside
 ip tcp adjust-mss 1452
 ip policy route-map VPN_MAP
 speed auto

interface Dialer69
 mtu 1492
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 69
 ppp chap hostname cerberus
 ppp chap password xxx
 ppp pap sent-username xxx@sbcglobal.net password xxx

ip local pool VPN_CLIENT_POOL
ip nat inside source list INTERNAL interface Dialer69 overload
ip nat inside source static tcp 3389 interface Dialer69 3389
ip nat inside source static tcp 5901 interface Dialer69 5901
ip nat inside source static tcp 5801 interface Dialer69 5801
ip nat inside source static tcp 20 interface Dialer69 20
ip nat inside source static tcp 21 interface Dialer69 21
ip nat inside source static tcp 22000 interface Dialer69 22000
ip nat inside source static udp 22000 interface Dialer69 22000
ip nat inside source static udp 21 interface Dialer69 21
ip nat inside source static udp 20 interface Dialer69 20
ip classless
ip route Dialer69
ip route Loopback0
no ip http server

ip access-list extended INTERNAL
 permit ip any

access-list 102 permit ip any

route-map VPN_MAP permit 10
 match ip address 101
 set ip next-hop

alias exec s show ip interface brief
alias exec sr show running-config

line con 0
 privilege level 15
 logging synchronous
line aux 0
 privilege level 15
line vty 0 4
 privilege level 15
line vty 5 15
 privilege level 15

scheduler allocate 4000 1000


matt_heff Thu, 03/22/2007 - 20:09

Almost forgot...

I have this in my config as well -

access-list 102 permit ip

Kamal Malhotra Fri, 03/23/2007 - 07:20

Hi Matt,

Please configure the following commands and let me know how it goes.

access-list 105 permit ip
route-map policy permit 10
 match add 105
 set ip next-hop

interface FastEthernet0
 ip policy route-map policy



Please rate if it helps,



ggilbert Fri, 03/23/2007 - 04:32


Seems like your NAT is not configured properly.

Add this statement in your config.

ip access-list extended INTERNAL
 10 deny ip

Let me know how it works out.
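
Added example, not part of the thread: a small checker for the NAT point raised in the last reply. It reports VPN client pools whose addresses the overload NAT ACL would still translate because no deny entry precedes the permit. All addresses in the sample are constructed placeholders (the thread's own were stripped), and only each ACL entry's destination field is compared.

```python
import ipaddress
import re

# Constructed sample: addresses are placeholders (the thread's were stripped).
SAMPLE = """\
ip local pool VPN_CLIENT_POOL 192.168.50.1 192.168.50.20
ip nat inside source list INTERNAL interface Dialer69 overload
ip access-list extended INTERNAL
 permit ip 192.168.1.0 0.0.0.255 any
"""
# Same config with a deny for LAN -> VPN pool placed ahead of the permit.
FIXED = SAMPLE.replace(
    " permit ip", " deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255\n permit ip", 1)

def _take(tok):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # Invert the wildcard into a netmask; non-contiguous wildcards raise ValueError.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tok[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def nat_exemption_gaps(config):
    """Return (acl, pool range) pairs where the overload NAT ACL still matches the pool."""
    # Simplification (assumption of this example): only the destination field is compared.
    pools = re.findall(r"^ip local pool \S+ (\S+) (\S+)", config, re.M)
    acls = re.findall(r"^ip nat inside source list (\S+) interface \S+ overload", config, re.M)
    gaps = []
    for name in acls:
        body = re.search(rf"^ip access-list extended {re.escape(name)}\n((?:[ \t]+.*\n?)*)", config, re.M)
        entries = []
        for line in body.group(1).splitlines() if body else []:
            tok = re.sub(r"^\s*\d+\s+", "", line).split()  # drop optional sequence number
            if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
                continue
            try:
                dst = _take(_take(tok[2:])[1])[0]
            except (IndexError, ValueError):
                continue  # malformed or unsupported entry: skip it
            entries.append((tok[0], dst))
        for lo, hi in pools:
            ends = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            # First match wins: a deny must cover the whole pool, a permit only touch it.
            hit = next((a for a, d in entries if (all if a == "deny" else any)(e in d for e in ends)), None)
            if hit == "permit":
                gaps.append((name, f"{lo}-{hi}"))
    return gaps
```

An empty list means every pool is exempted before a permit can match it; any entry names the ACL that needs a deny placed ahead of its permit.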



