02-08-2012 04:22 AM
Hello everybody. I need your help. I have a problem with the Cisco Easy VPN Client. I will explain:
I have configured a Cisco3945 router as an Easy VPN server. I have two ISPs, corresponding to two subinterfaces. I assigned the "crypto map" to the first subinterface and it worked properly, and I could access the allowed networks. Now I want to assign the "crypto map" to the second subinterface, but I have a problem: VPN Client terminated (connected), but I can't access the allowed networks. What could the problem be? Do you have any experience with this?
Here is the configuration:
crypto isakmp client configuration group aaa
 key ****
 pool aaa
 acl 102
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
!
crypto dynamic-map VPNclientmap 1
 set transform-set 3des-sha
!
crypto map VPNclientmap isakmp authorization list groupauthor
crypto map VPNclientmap client configuration address respond
crypto map VPNclientmap 1 ipsec-isakmp dynamic VPNclientmap
!
ip local pool aaa 192.168.11.2 192.168.11.3
!
access-list 102 permit ip 192.168.0.0 0.0.0.255 host 192.168.11.2
access-list 102 permit ip 192.168.0.0 0.0.0.255 host 192.168.11.3
access-list 102 permit ip 192.168.185.0 0.0.0.255 host 192.168.11.2
access-list 102 permit ip 192.168.185.0 0.0.0.255 host 192.168.11.3
!
When I assign "crypto map" to this subinterface it works properly:
interface GigabitEthernet0/0.101
 encapsulation dot1Q 101
 ip address XX.XX.XX.236 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 standby 0 ip XX.XX.XX.238
 standby 0 priority 200
 standby 0 preempt
 crypto map VPNclientmap
When I assign "crypto map" to the next subinterface, VPN Client terminated (connected), but the allowed network is not accessible:
interface GigabitEthernet0/0.292
 encapsulation dot1Q 292
 ip address XX.XX.XX.11 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 standby 0 ip XX.XX.XX.12
 standby 0 priority 200
 standby 0 preempt
 crypto map VPNclientmap
See also attached VPN Client statistics.
02-10-2012 03:47 AM
Dear EXPERTs, no idea?
02-11-2012 08:50 PM
Hi,
So when you connect to 'interface GigabitEthernet0/0.292', ezvpn clients receive (download) the internal network information but are unable to access the same. If so, do you have the required route statements pointing to gig 0/0.292 to reach the remote subnets? Please post the complete config.
Thx
MS
02-12-2012 09:36 PM
I have default routes:
track 1 ip sla 1 reachability
 delay down 9 up 10
!
track 2 ip sla 2 reachability
 delay down 9 up 10
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.101 track 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.292 100 track 2
Yes, traffic is sent back through GigabitEthernet0/0.101 and maybe this is the problem. I will try to write a static route for the remote subnet through GigabitEthernet0/0.292 and let you know the results.
02-12-2012 10:56 PM
Yes, it works.
Thanks
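The failure resolved in this thread (return traffic for the VPN pool following the preferred default route out of a subinterface that does not carry the crypto map) can be checked offline against a saved configuration. The following Python script is an added example, not part of any post in the thread; the sample config is constructed from the thread's fragments, the /29 static route in `FIXED_CONFIG` is an assumed form of the fix, routes are assumed to name an egress interface, and tracked routes are treated as up.

```python
import ipaddress

# Constructed sample modelled on the thread's fragments (not the poster's full config):
# the crypto map sits only on the second subinterface, the preferred default route on the first.
SAMPLE_CONFIG = """\
ip local pool aaa 192.168.11.2 192.168.11.3
interface GigabitEthernet0/0.101
 ip nat outside
interface GigabitEthernet0/0.292
 ip nat outside
 crypto map VPNclientmap
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.101 track 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.292 100 track 2
"""
# Assumed fix: a more specific static route for the client pool via the crypto-map interface.
FIXED_CONFIG = SAMPLE_CONFIG + "ip route 192.168.11.0 255.255.255.248 GigabitEthernet0/0.292\n"

def parse(config):
    """Return (pool addresses, interfaces carrying a crypto map, static routes)."""
    pools, crypto_ifs, routes, current_if = [], set(), [], None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            current_if = words[1]
        elif line.startswith(" ") and words[:2] == ["crypto", "map"]:
            crypto_ifs.add(current_if)
        elif words[:3] == ["ip", "local", "pool"]:
            pools += [ipaddress.ip_address(a) for a in words[4:6]]
        elif words[:2] == ["ip", "route"] and len(words) >= 5:
            net = ipaddress.ip_network(f"{words[2]}/{words[3]}")
            # An optional administrative distance follows the interface; the default is 1.
            dist = int(words[5]) if len(words) > 5 and words[5].isdigit() else 1
            routes.append((net, words[4], dist))
    return pools, crypto_ifs, routes

def egress(addr, routes):
    """Pick the egress interface: longest prefix wins, then lowest administrative distance."""
    hits = [r for r in routes if addr in r[0]]
    return min(hits, key=lambda r: (-r[0].prefixlen, r[2]))[1] if hits else None

def check(config):
    """List pool addresses whose return path leaves via an interface without the crypto map."""
    pools, crypto_ifs, routes = parse(config)
    return [(str(a), egress(a, routes)) for a in pools if egress(a, routes) not in crypto_ifs]

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check(cfg) or "return path matches the crypto-map interface")
```
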