03-26-2007 02:10 PM - edited 02-21-2020 02:56 PM
I've set up a remote access VPN and everything seems to connect just fine, and I receive an IP address from the address pool; however, I cannot access ANY resources on the network. The only thing I can ping is myself.
Also, I'm not getting a default gateway on the VPN adapter once I connect to the VPN. A gateway shouldn't be needed, as I'm trying to access resources in the same subnet as the IP pool, but I should still be able to specify a gateway.
I've been reading on here that it assigns the lowest IP in the subnet of the IP pool, but can I specify a gateway instead?
Here is my relevant config:
ip local pool vpnpool 10.0.0.31-10.0.0.35 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route inside x.x.x.x 255.255.255.224 10.0.0.27 1
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set ErieSet esp-3des esp-md5-hmac
crypto ipsec transform-set Tunnel-Set-Info esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ITVPNset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set ErieSet
crypto dynamic-map ITVPNmap 10 set transform-set ITVPNset
crypto map ErieMap 10 ipsec-isakmp dynamic dynmap
crypto map ErieMap client configuration address respond
crypto map ErieMap client authentication RADIUS
crypto map Eriemap 10 ipsec-isakmp dynamic ITVPNmap
crypto map Eriemap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup WestTownVPN address-pool vpnpool
vpngroup WestTownVPN dns-server 10.0.1.100 10.0.0.4
vpngroup WestTownVPN wins-server 10.0.0.4
vpngroup WestTownVPN default-domain mydomain.com
vpngroup WestTownVPN split-tunnel UserVPN
vpngroup WestTownVPN idle-time 1800
vpngroup WestTownVPN password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
03-27-2007 12:49 AM
Hi,
What is in the UserVPN access-list?
This determines what should go through the tunnel from the client.
Also what is the exact routing and NAT 0 config?
Is there any?
03-27-2007 03:51 AM
You didn't exclude the traffic to the VPN client from the NAT process. It is also a best practice to assign a different subnet for your VPN clients rather than the same one as your inside network.
You need to add the following commands to your configuration:
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
Please rate if the post helps!
Regards,
Michael
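To make the effect of the missing NAT exemption concrete, here is an added example (my own model, not part of the thread or Cisco's code) that reproduces the PIX order of operations: "nat (inside) 0 access-list" is consulted before "nat (inside) 1" with "global (outside) 1 interface", so without the nonat ACL an inside host's reply to a VPN client is PAT'd to the outside address and never matches the client's IPsec SA. The outside interface address is a placeholder (TEST-NET), and the subnet/pool values are taken from the posted config.

```python
from ipaddress import ip_address, ip_network

# Constructed from the thread's configuration (addresses as posted).
INSIDE_SUBNET = "10.0.0.0/24"
VPN_POOL = ("10.0.0.31", "10.0.0.35")        # ip local pool vpnpool range
OUTSIDE_IF = "203.0.113.1"                   # placeholder outside interface address

# access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
# PIX ACLs use real subnet masks, so each entry maps directly to a network.
NONAT_ACL = [("permit", ip_network("10.0.0.0/24"), ip_network("10.0.0.0/24"))]


def acl_matches(acl, src, dst):
    """First-match evaluation of a PIX access-list with the implicit deny."""
    src, dst = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def translate(src, dst, nonat_acl):
    """Return the source address a packet from src to dst leaves the PIX with.

    NAT exemption (nat 0 access-list) takes precedence over the catch-all
    nat (inside) 1 0.0.0.0 0.0.0.0 / global (outside) 1 interface (PAT).
    """
    if nonat_acl is not None and acl_matches(nonat_acl, src, dst):
        return src            # exempt: original source kept, IPsec SA matches
    return OUTSIDE_IF         # PAT to the outside interface address


def pool_overlaps_inside(pool, inside):
    """Michael's best-practice check: the VPN pool should not sit in the inside subnet."""
    inside_net = ip_network(inside)
    return any(ip_address(a) in inside_net for a in pool)


if __name__ == "__main__":
    server, client = "10.0.0.4", "10.0.0.31"      # inside DNS/WINS server -> VPN client
    print("without nonat:", translate(server, client, None))       # 203.0.113.1
    print("with nonat:   ", translate(server, client, NONAT_ACL))  # 10.0.0.4
    print("pool overlaps inside subnet:", pool_overlaps_inside(VPN_POOL, INSIDE_SUBNET))
```

Internet-bound traffic from the inside is still PAT'd with the nonat ACL in place, which is what the check on a non-10.0.0.0/24 destination shows.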