routing on vpn

Unanswered Question
Aug 6th, 2008

Hi all, I have configured my cisco router for remote access vpn, however, the pool I used is on the same subnet as the devices on the router, I can connect but cant ping any devices on the same subent that are connected to the router, is there any reason for this?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Tshi M Wed, 08/06/2008 - 07:34

I will use a different subnet for the VPN users. It makes thing easier for administrative tasks such as ACL.

bmbreer Wed, 08/06/2008 - 07:39

I'm sure there is a reason. Can you please post your config so we can properly troubleshoot.

carl_townshend Thu, 08/07/2008 - 03:12

Config here

Password:

TEST#sh run

Building configuration...

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname TEST

!

boot-start-marker

boot-end-marker

!

enable secret

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login userauthen local

aaa authentication enable default enable

aaa authentication ppp default local

aaa authentication ppp userauthen local

aaa authorization exec default none

aaa authorization network default none

aaa authorization network groupauthor local

!

!

aaa session-id common

!

!

dot11 syslog

ip cef

!

!

!

!

ip domain name TEST

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

multilink bundle-name authenticated

!

!

username TEST pasword xxxxxxx

!

crypto isakmp policy 1

hash md5

authentication pre-share

group 2

!

crypto isakmp client configuration group UK_internal12

key TEST123456

dns X.X.X.X

wins X.X.X.X domain X.X.X.X

pool CT_POOL

!

!

crypto ipsec transform-set CT_TRANS esp-3des esp-md5-hmac

!

crypto dynamic-map dynmap 10

set transform-set CT_TRANS

!

!

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 1 ipsec-isakmp

! Incomplete

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

archive

log config

hidekeys

!

!

ip ssh version 2

!

!

!

interface ATM0

no ip address

no atm ilmi-keepalive

pvc 0/38

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

dsl operating-mode auto

!

interface FastEthernet0

switchport access vlan 199

!

interface FastEthernet1

switchport access vlan 199

!

interface FastEthernet2

switchport access vlan 199

!

interface FastEthernet3

switchport access vlan 199

!

interface Vlan1

no ip address

!

interface Vlan199

ip address 10.117.199.201 255.255.255.0

!

interface Dialer1

ip address negotiated

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname X.X.X.X

ppp chap password X.X.X.X

ppp pap sent-username X.X.X.X password x.x.x.x

5920999928639999

crypto map clientmap

!

ip local pool CT_POOL 10.117.199.25 10.117.199.30

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 10.0.0.0 255.0.0.0 10.117.199.13

!

!

no ip http server

no ip http secure-server

!

ip access-list extended management

remark access list for ssh management

!

access-list 101 remark OUTSIDE_ALLOW_IPSEC

access-list 101 permit icmp any any

access-list 101 permit esp any any

access-list 101 permit udp any any eq isakmp

access-list 101 permit udp any any eq non500-isakmp

access-list 101 permit udp any any eq 443

access-list 101 permit tcp any any eq 443

access-list 101 permit tcp any any eq 10000

access-list 101 deny ip any any log

dialer-list 1 protocol ip permit

snmp-server community public RO

snmp-server location CT

snmp-server contact CT

!

!

!

!

control-plane

!

!

line con 0

no modem enable

line aux 0

line vty 0 4

password XXXX

transport input ssh

!

scheduler max-task-time 5000

ntp clock-period 17175028

ntp server 10.80.50.19

end

TEST#

Tshi M Thu, 08/07/2008 - 08:41

This is what I would do:

1. Change the pool address to a different subnet.

2. Whatever 10.117.119.13 is, add a static route to the new pool address.

So an example:

TEST#ip local pool CT_POOL 192.168.1.20 192.168.1.50

device(10.117.199.13)#ip route 192.168.1.0 255.255.255.0 10.117.199.201

ChaosInMind Thu, 08/07/2008 - 06:53

Can a VPN Client connect to a remote network correctly if they are on the same subnet? I thought they had to be different?

Tshi M Thu, 08/07/2008 - 06:55

that is exactly what I suggested yesterday. He should try to use a different subnet for the vpn clients. it makes things easier.

ChaosInMind Thu, 08/07/2008 - 07:02

That is what I thought, does it not have something to do with the encapsulation of the packet?

rsgamage1 Thu, 08/07/2008 - 08:06

How would the devices on the same data link of the router know where the remote device is ? From what I can see, it's not on the same data link now. With proper routing (between the Pool IPs and the rest) you should be able to achieve reachability.

Actions

This Discussion