Cannot access remote server via Cisco VPN client 5.x

Unanswered Question
Mar 29th, 2010

I'm trying to access a MS Windows Terminal Server (TS) via a Cisco 1841 router. The client is using a laptop with WinXPP and Cisco VPN 5.x client. I can connect to the 1841 router as I can see all sorts of information via Show Crypto commands. What I cannot do is access the TS from the laptop. I believe it may be a routing issue but I'm not sure.

The network is set up as follows:

TS network

Lnx-1841 gw

TS ----- Cisco Switch ----- Linux Gateway --- Cisco 1841----- Internet ------Laptop w/Cisco Client 5.x

I can access the TS unit from my desktop if I do not use a Cisco client (e.g. I use RDP)

TS ----Cisco Switch ----- Linux Gateway(main firewall) ------Cisco 1841 ---- Internet ------ Cisco 877(Nat) ----Switch --- Desktop

I have the crypto map on the outside interface (Dialer0).

What I would like to know is am I supposed to have any other networks listed under eigrp heading I have:

the ip routes are:

ip route Dialer0
ip route
ip route Dialer0

Or could it be a NAT issue?

Also, how can I test if I'm getting through to the other side? If I'm right, I do not think you can ping through a tunnel or VPN connection, or can you?


Jennifer Halim Mon, 03/29/2010 - 02:51

These 2 lines look a bit incorrect:

ip route
ip route Dialer0

Assuming your TS is in subnet which is internal to the 1841 router, and the next hop is as per the above route. However, you have the next statement of routing towards Dialer0 (which is the outside interface of the router)?

Also, what is the ip pool for the VPN Client?

To be able to access the network through VPN Client, the following needs to be configured:

1) If you have split tunneling configured, you would need to add the network

2) You also need to configure NAT exemption from the towards the ip pool subnet

3) The Linux Gateway needs to route traffic destined for the ip pool subnet towards the 1841 router.

Hope that helps.

jonl711 Mon, 03/29/2010 - 03:11

Cisco tech configured those lines when we first set up the router. is the ip address of the internal Cisco interface (FA0/0) is the external interface of the LNX server.

The ip pool for the VPN clients are as I only really need 2 I could trim that down to

Split tunneling is not necessary; when the laptop user connects to the VPN we want them off of the network they are running the client from.

Sorry I do not understand #2 and #3 fully,  are you saying we need to exclude the the from the ip pool subnet (, why would you do that when what we're trying to do is access the network or mainly just the TS server.

All our NAT statements are similar to:

ip nat inside source static tcp 110 110 extendable

Re: #3, we have a setup where another location is accessing the TS server from a remote location and the LNX GW has packets being directed from the 1841 to the TS server. Wouldn't this be the same or do I have to specify that the packets coming from 1841 with ip address are also to be directed to the TS server?

Thanks for your response, hope we can get this configured.

Jennifer Halim Mon, 03/29/2010 - 03:19

Not sure why you need to configure "ip route Dialer0", I would consider removing it if you don't need that line.

In regards to #2: do you have a dynamic nat statement? something like: "ip nat inside source list" or "ip nat inside source route-map". If you do, please share the nat statement as well as the access-list and/or route-map

In regards to #3: the linux gateway needs to have a route for towards the router fa0/0 (, if the linux gateway default gateway is not the router fa0/0.

jonl711 Mon, 03/29/2010 - 03:31

I only know that the Cisco engineer had to put it there as I wasn't able to go outside without it.  The 192.168.20 network is the network from the LNX gw to the Cisco router as 20.1 is the LNX eth1 and 20.2 is the internal Cisco port FE0.

ip nat inside source list 1 interface Dialer0 overload

ip nat inside source static tcp 22 22 extendable
ip nat inside source static tcp 25 25 extendable
ip nat inside source static tcp 110 110 extendable
ip nat inside source static tcp 3389 3389 extendable
ip nat inside source static tcp 3390 3390 extendable
ip nat inside source static tcp 4899 4899 extendable
access-list 1 permit

The lnx gw is the router

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
*      U     0      0        0 eth1
*        U     0      0        0 eth0
*          U     0      0        0 eth0
loopback        *            U     0      0        0 lo
default         UG    0      0        0 eth1


Jennifer Halim Mon, 03/29/2010 - 03:38

Based on this: "ip nat inside source list 1 interface Dialer0 overload", it seems like your linux gateway is also performing a PAT for all the internal subnet, because ACL 1 only includes

If the above is correct, you would need to configure the following:

1) On the router, create a new ACL:

access-list 171 deny ip

access-list 171 permit ip any

ip nat inside source list 171 interface Dialer0 overload

no ip nat inside source list 1 interface Dialer0 overload

2) On the Linux gateway, you would also need to exempt the subnet from being PATed when it's destined for subnet.
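The NAT exemption discussed in this thread, as an added example that is not part of any poster's reply: a small first-match evaluator for IOS-style ACL entries, showing which flows the `overload` rule would PAT under ACL 1, under ACL 171, and under ACL 171 with its entries in the wrong order. All subnets and hosts are constructed placeholders, because the thread's real addresses were not preserved.

```python
import ipaddress

# Constructed addresses: the thread's real subnets were not preserved.
INSIDE_NET = "10.10.0.0 0.0.0.255"    # hypothetical TS/LAN subnet
VPN_POOL = "10.99.0.0 0.0.0.255"      # hypothetical VPN client pool

def _match(addr, spec):
    """Match an address against 'any' or 'network wildcard' (IOS style)."""
    if spec == "any":
        return True
    net, wild = (int(ipaddress.IPv4Address(p)) for p in spec.split())
    care = ~wild & 0xFFFFFFFF          # wildcard bits set to 1 are ignored
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def nat_eligible(acl, src, dst):
    """First matching entry wins; no match means implicit deny (no NAT)."""
    for action, src_spec, dst_spec in acl:
        if _match(src, src_spec) and _match(dst, dst_spec):
            return action == "permit"
    return False

# Standard ACL 1 looks at the source only, so every inside packet is PATed,
# including replies from the TS to a VPN client.
ACL_1 = [("permit", INSIDE_NET, "any")]
# ACL 171 as suggested: deny inside -> pool first, then permit the rest.
ACL_171 = [("deny", INSIDE_NET, VPN_POOL), ("permit", INSIDE_NET, "any")]
# Same entries in the wrong order: the permit shadows the deny.
ACL_171_SWAPPED = list(reversed(ACL_171))

def report(acl):
    """Return {flow name: True if the flow would be translated}."""
    flows = {"ts_to_vpn_client": ("10.10.0.5", "10.99.0.7"),
             "ts_to_internet": ("10.10.0.5", "198.51.100.20")}
    return {name: nat_eligible(acl, *f) for name, f in flows.items()}

if __name__ == "__main__":
    for name, acl in [("ACL 1", ACL_1), ("ACL 171", ACL_171),
                      ("ACL 171 swapped", ACL_171_SWAPPED)]:
        print(name, report(acl))
```

A reply that is translated on its way back to the VPN client no longer matches the tunnel's traffic selectors, which is why the deny entry has to come before the permit.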

