routing on vpn

Unanswered Question
Aug 6th, 2008

Hi all, I have configured my Cisco router for remote access VPN; however, the pool I used is on the same subnet as the devices on the router. I can connect but can't ping any devices on the same subnet that are connected to the router. Is there any reason for this?

Tshi M Wed, 08/06/2008 - 07:34

I will use a different subnet for the VPN users. It makes things easier for administrative tasks such as ACLs.

bmbreer Wed, 08/06/2008 - 07:39

I'm sure there is a reason. Can you please post your config so we can properly troubleshoot.

carl_townshend Thu, 08/07/2008 - 03:12

Config here


TEST#sh run
Building configuration...

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TEST
!
enable secret
!
aaa new-model
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication enable default enable
aaa authentication ppp default local
aaa authentication ppp userauthen local
aaa authorization exec default none
aaa authorization network default none
aaa authorization network groupauthor local
!
aaa session-id common
!
dot11 syslog
ip cef
!
ip domain name TEST
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
username TEST password xxxxxxx
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group UK_internal12
 key TEST123456
 dns X.X.X.X
 wins X.X.X.X
 domain X.X.X.X
 pool CT_POOL
!
crypto ipsec transform-set CT_TRANS esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set CT_TRANS
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
 ! Incomplete
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
log config
!
ip ssh version 2
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
 switchport access vlan 199
!
interface FastEthernet1
 switchport access vlan 199
!
interface FastEthernet2
 switchport access vlan 199
!
interface FastEthernet3
 switchport access vlan 199
!
interface Vlan1
 no ip address
!
interface Vlan199
 ip address
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname X.X.X.X
 ppp chap password X.X.X.X
 ppp pap sent-username X.X.X.X password x.x.x.x
 crypto map clientmap
!
ip local pool CT_POOL
ip forward-protocol nd
ip route Dialer1
ip route
!
no ip http server
no ip http secure-server
!
ip access-list extended management
 remark access list for ssh management
!
access-list 101 remark OUTSIDE_ALLOW_IPSEC
access-list 101 permit icmp any any
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq 443
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 10000
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
snmp-server community public RO
snmp-server location CT
snmp-server contact CT
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password XXXX
 transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17175028
ntp server



Tshi M Thu, 08/07/2008 - 08:41

This is what I would do:

1. Change the pool address to a different subnet.

2. Whatever is, add a static route to the new pool address.

So an example:

TEST#ip local pool CT_POOL

device( route

ChaosInMind Thu, 08/07/2008 - 06:53

Can a VPN Client connect to a remote network correctly if they are on the same subnet? I thought they had to be different?

Tshi M Thu, 08/07/2008 - 06:55

That is exactly what I suggested yesterday. He should try to use a different subnet for the VPN clients. It makes things easier.

ChaosInMind Thu, 08/07/2008 - 07:02

That is what I thought. Does it not have something to do with the encapsulation of the packet?

rsgamage1 Thu, 08/07/2008 - 08:06

How would the devices on the same data link of the router know where the remote device is? From what I can see, it's not on the same data link now. With proper routing (between the pool IPs and the rest) you should be able to achieve reachability.
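To make the forwarding decision behind rsgamage1's explanation and Tshi M's two steps concrete, here is an added Python simulation of how a LAN host picks the next hop for its reply to a VPN client; it is not from the thread, and the addresses 192.168.1.0/24, 192.168.1.1, 192.168.1.254 and 10.10.10.0/24 are constructed stand-ins for the values the post redacts.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (the thread redacts the real values): the LAN behind
# the router is 192.168.1.0/24 and the router's Vlan199 address is 192.168.1.1.
LAN = ip_network("192.168.1.0/24")
ROUTER = ip_address("192.168.1.1")
# What a LAN host can learn by ARP: only machines on the same wire.
ARP_TABLE = {ip_address("192.168.1.1"), ip_address("192.168.1.20")}


def next_hop(dst, connected, routes, default):
    """Longest-prefix-match lookup as a host or router performs it.

    connected: directly attached networks (a match means: ARP for dst itself).
    routes: {prefix: gateway} static routes.  default: gateway of last resort.
    Returns ("on-link", dst) or ("via", gateway).
    """
    dst = ip_address(dst)
    best = None  # (prefixlen, kind, hop)
    for net in connected:
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, "on-link", dst)
    for prefix, gw in routes.items():
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, "via", ip_address(gw))
    return best[1:] if best else ("via", ip_address(default))


def lan_host_reply(client_ip, routes=None, default=ROUTER):
    """How a LAN host forwards its reply to a VPN client at client_ip."""
    kind, hop = next_hop(client_ip, [LAN], routes or {}, default)
    if kind == "on-link":
        # The host thinks the client is on its own segment and ARPs for it.
        # The VPN client sits on the far side of the tunnel, so nothing answers.
        return "direct" if hop in ARP_TABLE else "arp-fails"
    return f"via {hop}"


def pool_overlaps_lan(pool_cidr):
    """Check before configuring 'ip local pool': the pool must not overlap the LAN."""
    return ip_network(pool_cidr).overlaps(LAN)


if __name__ == "__main__":
    # Pool carved out of the LAN subnet, as in the original post: reply is lost.
    print(lan_host_reply("192.168.1.200"))
    # Pool on its own subnet and the VPN router is the default gateway.
    print(lan_host_reply("10.10.10.5"))
    # Another default gateway: Tshi M's static route is what steers the reply.
    print(lan_host_reply("10.10.10.5", default="192.168.1.254"))
    print(lan_host_reply("10.10.10.5", {"10.10.10.0/24": "192.168.1.1"}, "192.168.1.254"))
```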

