03-26-2007 02:10 PM - edited 02-21-2020 02:56 PM
I've set up a remote access VPN and everything seems to connect just fine, and I receive an IP address from the address pool; however, I cannot access ANY resources on the network. The only thing I can ping is myself.
Also, I'm not getting a default gateway on the VPN adapter once I connect to the VPN. A gateway shouldn't be needed, as I'm trying to access resources in the same subnet as the IP pool, but I should still be able to specify a gateway.
I've been reading on here that it assigns the lowest IP in the subnet of the IP pool, but can I specify a gateway instead?
Here is my relevant config:
ip local pool vpnpool 10.0.0.31-10.0.0.35 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route inside x.x.x.x 255.255.255.224 10.0.0.27 1
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set ErieSet esp-3des esp-md5-hmac
crypto ipsec transform-set Tunnel-Set-Info esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ITVPNset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set ErieSet
crypto dynamic-map ITVPNmap 10 set transform-set ITVPNset
crypto map ErieMap 10 ipsec-isakmp dynamic dynmap
crypto map ErieMap client configuration address respond
crypto map ErieMap client authentication RADIUS
crypto map Eriemap 10 ipsec-isakmp dynamic ITVPNmap
crypto map Eriemap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup WestTownVPN address-pool vpnpool
vpngroup WestTownVPN dns-server 10.0.1.100 10.0.0.4
vpngroup WestTownVPN wins-server 10.0.0.4
vpngroup WestTownVPN default-domain mydomain.com
vpngroup WestTownVPN split-tunnel UserVPN
vpngroup WestTownVPN idle-time 1800
vpngroup WestTownVPN password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
03-27-2007 12:49 AM
Hi,
What is in the UserVPN access-list?
This determines what should go through the tunnel from the client.
Also what is the exact routing and NAT 0 config?
Is there any ?
03-27-2007 03:51 AM
You didn't exclude the traffic to the VPN client from the NAT process. It is also a best practice to assign a different subnet for your VPN clients rather than the same one as your inside network.
You need to add the following commands to your configuration:
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
Please rate if the post helps!
Regards,
Michael
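As an added illustration of the point Michael makes (not code from the thread or from Cisco), the following audit script takes a PIX configuration as text, expands every "ip local pool" range, collects the destination networks of any access-list bound with "nat (ifc) 0 access-list", and reports which pool addresses are still not exempted from NAT. The two sample configs are constructed from the lines in the question and the reply; the regexes only understand the "permit ip SRC MASK DST MASK" ACL form used here.

```python
import ipaddress
import re

# Constructed samples: the pool and catch-all NAT rule from the question,
# then the same lines plus the NAT exemption recommended in the reply.
POSTED_CFG = """\
ip local pool vpnpool 10.0.0.31-10.0.0.35 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
FIXED_CFG = POSTED_CFG + """\
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)", re.M)
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", re.M)


def pool_addresses(cfg):
    """Expand every 'ip local pool' range into the individual client addresses."""
    addrs = []
    for _name, first, last in POOL_RE.findall(cfg):
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        addrs.extend(ipaddress.IPv4Address(i) for i in range(lo, hi + 1))
    return addrs


def nat_exempt_destinations(cfg):
    """Destination networks of every ACL referenced by a 'nat (ifc) 0 access-list' line."""
    exempt_acls = {name for _ifc, name in NAT0_RE.findall(cfg)}
    nets = []
    for name, _src, _smask, dst, dmask in ACL_RE.findall(cfg):
        if name in exempt_acls:
            # PIX ACLs use a normal netmask, which ipaddress accepts after the slash.
            nets.append(ipaddress.IPv4Network(f"{dst}/{dmask}", strict=False))
    return nets


def unexempted_clients(cfg):
    """Pool addresses that inside-to-client traffic would still hit through NAT/PAT."""
    nets = nat_exempt_destinations(cfg)
    return [str(a) for a in pool_addresses(cfg) if not any(a in n for n in nets)]


if __name__ == "__main__":
    print("posted config, not exempted:", unexempted_clients(POSTED_CFG))
    print("fixed config, not exempted:", unexempted_clients(FIXED_CFG))
```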