No traffic through EzVPN using DVTI

coreynice-g
Level 1

I've created an EzVPN server using cisco professional tool on a brand new 871 Router.

Client PC (running Cisco VPN client) connects fine but shows no "decrypted" packets.

I can access only the internal IP of the 871 -- nothing else.

Nothing inside the network is able to ping the client PC.

I reloaded the config; and tried the EzVPN software with SDM.  Same problem.

I reloaded the config and tried configuring by hand. Same problem.

This is my first DVTI; so I'm hoping there is something simple missing that the EzVPN stuff isn't configuring correctly.  I'd say there is an issue with an ACL or NAT problem; but it doesn't seem that DVTI uses any ACL since it is its own interface that can be routed to. (There is a route to the device when connected, BTW.)

Here is my config as it stands:


crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ***********
key **************
dns 192.168.15.2
pool VPN_POOL
crypto isakmp profile vpn1-ra
   match identity group ProgeerVpn
   isakmp authorization list local_list
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac
!
crypto ipsec profile progeer-vti1
set transform-set VTI-TS
!
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile progeer-vti1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.15.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip local pool VPN_POOL 192.168.15.150 192.168.15.155
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.15.1 22 interface FastEthernet4 22
ip nat inside source static tcp 192.168.15.2 3389 interface FastEthernet4 3389
ip nat inside source static udp 192.168.15.2 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.15.2 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.15.2 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.15.2 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.15.2 987 interface FastEthernet4 987
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.15.0 0.0.0.255
no cdp run

Any suggestions?

7 Replies

pudawat
Level 1

Hi,

Try to add the following ACL in the configuration

ip access-list extended 111
 5 deny ip 192.168.15.0 0.0.0.255 192.168.15.0 0.0.0.255
 10 permit ip 192.168.15.0 0.0.0.255 any
ip nat inside source list 111 interface FastEthernet4 overload

(Assuming the device is not in production! You may lose internet connectivity!!!)

This command is just for the software client

If you connect EZVPN hardware client in NEM mode you won't have any issue in accessing the LAN network.

Thanks,

Pradhuman

Thanks for the reply Pradhuman.

I added the access-list and changed the nat for FastEthernet4 as you suggested.  Unfortunately, no change.

The only decrypted packets on the VPN client are when I ping 192.168.15.1 (internal router IP).  Nothing else "decrypts".

Any other suggestions??  I've copied the NAT and access-list for you to review.

ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.15.1 22 interface FastEthernet4 22
ip nat inside source static tcp 192.168.15.2 3389 interface FastEthernet4 3389
ip nat inside source static udp 192.168.15.2 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.15.2 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.15.2 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.15.2 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.15.2 987 interface FastEthernet4 987
ip nat inside source list 111 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.15.0 0.0.0.255
access-list 111 deny   ip 192.168.15.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 111 permit ip 192.168.15.0 0.0.0.255 any
no cdp run

Much thanks,

Corey

Corey,

The VPN pool is on the same subnet as the inside interface. I see that you have proxy arp disabled on that interface. You may want to enable it and try the connection again or change the pool to a different range like 192.168.16.x and be sure to bypass nat for that.

Thanks Joe for the quick thought.

No change by enabling ip proxy-arp on the interfaces.

Here is my current show interface output.  You can see there are no packets going "out".

Virtual-Access2 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet4 (68.81.166.187)
  MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL
  Tunnel vaccess, cloned from Virtual-Template1
  Vaccess status 0x0, loopback not set
  Keepalive not set
  Tunnel source 68.81.166.187, destination 173.161.136.89
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "progeer-vti1")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:03:24
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     24 packets input, 1855 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

I guess I'll try changing the IP addresses of the VPN connections to 192.168.16.0 to see if that makes a difference. I had tried this earlier in the week; but I didn't use any ACLs, figuring the VTI took care of the routing.

I'd appreciate any other thoughts on what to do to keep it on the same subnet.

Corey

The different IP pool allows me to access network resources from the VPN client.

Sweet!

Thanks for the suggestion Joe.

Not what I was thinking; but not a big deal either way.  I would argue it adds complexity; but at this point I'm out of suggestions.

Thanks everyone for the input; and unless there are further ideas for me to try to correct the issue with the IP pool not being allowed on the same subnet, I'll run with this configuration.

Corey

Okay, follow up for those looking for the solution to your own problem like this.

I'm unable to access the internet from the 192.168.16.0 subnet; so I added a line to the ACL allowing me to NAT out the outside interface:

20 permit ip 192.168.16.0 0.0.0.255 any

Drat...still doesn't work.  When I run a tracert from the VPN client (192.168.16.10)  I see my external gateway IP; but nothing beyond that....so am I missing a route on the inside??  I added

20 permit 192.168.16.0, wildcard bits 0.0.0.255

to my access-list 1 (guarding the Vlan) ...no good...

Here is my config as it stands now with the VPN pool being on a different subnet; and no access to the internet over the VPN.

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco871
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network local_list local
!
!
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2022599918
revocation-check none
rsakeypair TP
!
!
crypto pki certificate chain TP
certificate self-signed 01
      ***************************
        quit
dot11 syslog
no ip source-route
ip cef
!
!
no ip bootp server
no ip domain lookup
ip domain name progeer.local
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group *************
key *************
dns 192.168.15.2
pool VPN_POOL
crypto isakmp profile vpn1-ra
   match identity group ProgeerVpn
   isakmp authorization list local_list
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac
!
crypto ipsec profile progeer-vti1
set transform-set VTI-TS
!
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile progeer-vti1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.15.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip local pool VPN_POOL 192.168.16.10 192.168.16.15
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.15.1 22 interface FastEthernet4 22
ip nat inside source static tcp 192.168.15.2 3389 interface FastEthernet4 3389
ip nat inside source static udp 192.168.15.2 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.15.2 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.15.2 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.15.2 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.15.2 987 interface FastEthernet4 987
ip nat inside source list 111 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.15.0 0.0.0.255
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 111 deny   ip 192.168.15.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 111 permit ip 192.168.15.0 0.0.0.255 any
access-list 111 permit ip 192.168.16.0 0.0.0.255 any
no cdp run
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
session-timeout 10
exec-timeout 0 0
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Time for dinner for me.  Suggestions are more than welcome.

Corey

Final resolution:

I needed to add:

ip nat inside

to the VTI interface...Stupid me for not thinking of this in the first place.  This is the whole point of the VTI: allowing users to treat the VTI as an interface; so it needed to be NAT'd just like any other inside interface.

Case closed.

Corey
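As an added example (not from this thread, and not a Cisco tool), a small Python check that applies the three findings the thread converged on to an IOS running-config excerpt: the VPN pool overlapping the inside subnet (Joe's point), the Virtual-Template lacking "ip nat inside" (the final fix), and the NAT source list not permitting the pool. The config excerpt is constructed from Corey's final posted config; the function names and the 198.51.100.1 test destination are my own choices.

```python
import ipaddress
import re
# Constructed excerpt modelled on the thread's final config; the Virtual-Template lacks ip nat inside.
SAMPLE_CONFIG = """\
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
interface Vlan1
 ip address 192.168.15.1 255.255.255.0
 ip nat inside
ip local pool VPN_POOL 192.168.16.10 192.168.16.15
ip nat inside source list 111 interface FastEthernet4 overload
access-list 111 deny   ip 192.168.15.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 111 permit ip 192.168.15.0 0.0.0.255 any
access-list 111 permit ip 192.168.16.0 0.0.0.255 any
"""

def _ace_net(tok):  # one ACE address spec: "any" or "NET WILDCARD" (wildcard = hostmask)
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def nat_acl_permits(cfg, src, dst):  # walk the NAT source-list (extended) ACL in order
    acl = re.search(r"^ip nat inside source list (\S+) ", cfg, re.M).group(1)
    for line in cfg.splitlines():
        t = line.split()
        if t[:2] == ["access-list", acl] and t[2] in ("permit", "deny"):
            s, rest = _ace_net(t[4:])  # t[3] is the protocol ("ip"); ports are ignored
            d, _ = _ace_net(rest)
            if src in s and dst in d:
                return t[2] == "permit"
    return False  # implicit deny at the end of every IOS ACL

def lint_ezvpn(cfg):  # findings for the three problems the thread walked through
    findings, ifaces, cur = [], {}, None
    for line in cfg.splitlines():  # group indented sub-commands per interface
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
    pool = [ipaddress.ip_address(a) for a in re.search(r"^ip local pool \S+ (\S+) (\S+)", cfg, re.M).groups()]
    for name, cmds in ifaces.items():
        for c in cmds:
            m = re.match(r"ip address (\S+) (\S+)$", c)
            if m and any(a in ipaddress.ip_network("/".join(m.groups()), strict=False) for a in pool):
                findings.append(f"VPN pool overlaps {name} subnet (move the pool or enable proxy-arp)")
        if name.startswith("Virtual-Template") and "ip nat inside" not in cmds:
            findings.append(f"{name} lacks 'ip nat inside' (VPN clients are never translated)")
    if not nat_acl_permits(cfg, pool[0], ipaddress.ip_address("198.51.100.1")):  # TEST-NET-2 dst
        findings.append("NAT source list does not permit the VPN pool to outside addresses")
    return findings
```

Run against the excerpt it reports only the missing "ip nat inside" on Virtual-Template1; swapping the pool back to 192.168.15.x also raises the overlap finding.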
