VPN Client for Public Internet on a Stick

Unanswered Question


I've implemented the "Router and VPN Client for Public Internet on a Stick Configuration Example" (http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml). I've added these lines to my 878 router config. I connect from a remote site with the Cisco VPN client. From the VPN client, the situation is:

- Full access to hosts on Internet = OK
- Can PING hosts at the router site (
- Have no access to hosts at the router site ( = NOK

I've added these lines to my 877 configuration. At this time, the firewall is not activated.

aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
username ... password 0 ...
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group ?
 key ?
 pool ippool
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
 ip address
 ip nat inside
 ip virtual-reassembly
interface Dialer1
 ip nat outside
 ip policy route-map VPN-Client
 crypto map clientmap
ip local pool ippool
ip nat inside source list 102 interface Dialer1 overload
access-list 102 permit ip any any
access-list 144 permit ip any
route-map VPN-Client permit 10
 match ip address 144
 set interface Loopback0

Any idea how to solve the 3rd point? All the VPN traffic is sent to the loopback interface. Do I have to modify the route-map to set only the external traffic on this interface?

Kind regards,
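The question asks whether the route-map should policy-route only the Internet-bound client traffic to Loopback0. The fragment below is an added example, not the asker's configuration and not taken from the Cisco document: it shows one way to do that on IOS by putting a deny entry for pool-to-LAN traffic ahead of the permit in the route-map's ACL, so those packets leave policy routing and follow the normal routing table to the LAN interface, while everything else from the pool still hairpins through Loopback0 and is NATed out of Dialer1. The interface name Vlan1, the pool range 172.16.20.0/24, the LAN 192.168.10.0/24 and the Loopback0 address are all assumptions made for the example.

```cisco
! Added example (not the asker's config, not Cisco's document): limit the
! VPN-Client policy route-map to Internet-bound traffic only.
!
! Assumed addressing (placeholders, not from the original post):
!   VPN client pool   172.16.20.0/24    (ip local pool ippool)
!   router-site LAN   192.168.10.0/24   (interface Vlan1)
!   Loopback0         10.255.255.1/32   (NAT-inside hairpin interface)
!
ip local pool ippool 172.16.20.1 172.16.20.254
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
 ip nat inside
 ip virtual-reassembly
!
interface Vlan1
 description router-site LAN (assumed interface)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! ACL 144 selects what the route-map policy-routes. Entries are evaluated
! top-down: the deny excludes pool -> LAN packets from policy routing, so
! they are routed normally to Vlan1; the permit catches the remaining
! (Internet-bound) pool traffic and sends it to Loopback0.
access-list 144 deny   ip 172.16.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 144 permit ip 172.16.20.0 0.0.0.255 any
!
route-map VPN-Client permit 10
 match ip address 144
 set interface Loopback0
!
! NAT ACL narrowed from "permit ip any any": only the pool and the LAN are
! translated when leaving Dialer1.
access-list 102 permit ip 172.16.20.0 0.0.0.255 any
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 102 interface Dialer1 overload
!
interface Dialer1
 ip nat outside
 ip policy route-map VPN-Client
 crypto map clientmap
```

To check the split, connect a client and compare `show access-lists 144` (the deny entry's match count should rise for LAN-bound packets, the permit entry's for Internet-bound ones), `show route-map VPN-Client` (policy-routed packet counter) and `show ip nat translations` (only Internet-bound client flows should appear). `debug ip policy` shows per-packet routing decisions but is verbose on a small router, so use it briefly.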


a-vazquez Tue, 05/22/2007 - 06:08

Probably, check the network list on the VPN server to see whether it is properly configured in such a way that the network is allowed.
