Cisco VPN Client problem

Answered Question
Feb 8th, 2012

Hello everybody. I need your help. I have a problem with the Cisco Easy VPN Client. I will explain:

I have configured a Cisco3945 router as an Easy VPN server. I have two ISPs, corresponding to two subinterfaces. I assigned the "crypto map" to the first subinterface and it worked properly, and I could access the allowed networks. Now I want to assign the "crypto map" to the second subinterface, but I have a problem: the VPN Client is terminated (connected), but I can't access the allowed networks. What could be the problem? Do you have any experience with this?

Here is the configuration:

crypto isakmp client configuration group aaa
 key ****
 pool aaa
 acl 102
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
!
crypto dynamic-map VPNclientmap 1
 set transform-set 3des-sha
!
crypto map VPNclientmap isakmp authorization list groupauthor
crypto map VPNclientmap client configuration address respond
crypto map VPNclientmap 1 ipsec-isakmp dynamic VPNclientmap
!
ip local pool aaa 192.168.11.2 192.168.11.3
!
access-list 102 permit ip 192.168.0.0 0.0.0.255 host 192.168.11.2
access-list 102 permit ip 192.168.0.0 0.0.0.255 host 192.168.11.3
access-list 102 permit ip 192.168.185.0 0.0.0.255 host 192.168.11.2
access-list 102 permit ip 192.168.185.0 0.0.0.255 host 192.168.11.3
!

When I assign "crypto map" to this subinterface it works properly:

interface GigabitEthernet0/0.101
 encapsulation dot1Q 101
 ip address XX.XX.XX.236 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 standby 0 ip XX.XX.XX.238
 standby 0 priority 200
 standby 0 preempt
 crypto map VPNclientmap

When I assign the "crypto map" to the next subinterface, the VPN Client is terminated (connected), but the allowed network is not accessible:

interface GigabitEthernet0/0.292
 encapsulation dot1Q 292
 ip address XX.XX.XX.11 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 standby 0 ip XX.XX.XX.12
 standby 0 priority 200
 standby 0 preempt
 crypto map VPNclientmap

See also attached VPN Client statistics.

Correct Answer
mvsheik123 Sat, 02/11/2012 - 20:50

Hi,

So when you connect to 'interface GigabitEthernet0/0.292', the ezvpn clients receive the internal network information but are unable to access the same. If so, do you have the required route statements pointing to gig 0/0.292 to reach the remote subnets? Please post the complete config.

Thx

MS 

gijuacisco Sun, 02/12/2012 - 21:36

I have default routes:

track 1 ip sla 1 reachability
 delay down 9 up 10
!
track 2 ip sla 2 reachability
 delay down 9 up 10
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.101 track 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.292 100 track 2

Yes, traffic is sent back through GigabitEthernet0/0.101 and maybe this is the problem. I will try to write a static route for the remote subnet through GigabitEthernet0/0.292 and let you know the results.
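The routing hypothesis discussed in this thread, modeled as an added example (not code from either poster): it applies longest-prefix and administrative-distance selection to the two posted default routes to show which interface replies to the pool addresses leave by. The host routes in `PINNED` are a hypothetical form of the static route the poster proposes, and the model assumes a reply is encrypted only when it leaves the interface carrying the crypto map.

```python
import ipaddress

PRIMARY = "GigabitEthernet0/0.101"
SECONDARY = "GigabitEthernet0/0.292"

# Default routes as posted: (prefix, egress interface, administrative distance).
# An IOS static route with no distance given has distance 1.
POSTED = [("0.0.0.0/0", PRIMARY, 1), ("0.0.0.0/0", SECONDARY, 100)]

# Hypothetical fix: host routes for the two pool addresses via the second ISP.
PINNED = POSTED + [("192.168.11.2/32", SECONDARY, 1),
                   ("192.168.11.3/32", SECONDARY, 1)]


def egress(dst, routes, down=()):
    """Pick the egress interface: longest prefix wins, then lowest distance.

    `down` lists interfaces whose tracked routes are withdrawn.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifc, distance in routes:
        net = ipaddress.ip_network(prefix)
        if ifc in down or addr not in net:
            continue
        rank = (-net.prefixlen, distance)
        if best is None or rank < best[0]:
            best = (rank, ifc)
    return best[1] if best else None


def reply_is_encrypted(client_ip, routes, crypto_map_ifc, down=()):
    """Simplification: a reply is encrypted only if it leaves via the
    interface that carries the crypto map."""
    return egress(client_ip, routes, down) == crypto_map_ifc


if __name__ == "__main__":
    for name, table in (("posted", POSTED), ("pinned", PINNED)):
        for ip in ("192.168.11.2", "192.168.11.3"):
            print(name, ip, egress(ip, table),
                  reply_is_encrypted(ip, table, SECONDARY))
```

In this model the pinned host routes also send replies out GigabitEthernet0/0.292 for a client that terminated on GigabitEthernet0/0.101, so such a static route ties the pool to one ISP.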
