Cisco VPN client to 837

Answered Question
Nov 15th, 2006

I am trying to get the Cisco VPN client v 4.8 to connect to an 837. The tunnels come up but I am unable to pass traffic. Attached is a config. Any and all help is appreciated

Correct Answer
dominic.caron Wed, 11/15/2006 - 06:59

Hi there

I think your problem is the placement of your crypto map. Your traffic must pass through the crypto map while going out. Place it on the dialer interface and if you have to use a loopback interface as the source in your setup, use the

crypto map (mapname) local-address (interface)

command.

mlebron@agfirst.com Wed, 11/15/2006 - 07:26

I did that and here is the error that I am now getting:

*Nov 14 10:09:26.980: IPSEC(crypto_ipsec_process_proposal): invalid local address x.x.x.x

mlebron@agfirst.com Wed, 11/15/2006 - 07:59

Oops, scratch that last post. A typo on my part. I am now able to connect and I see packets encrypting and decrypting, but when I try to connect to something on the inside network I get nothing. I ping something and the IP address of the d1 interface responds.

example... ping server01

Pinging server01.xxx[192.168.1.250] with 32 bytes of data:

Reply from [d1 int ip add]: bytes=32 time=71ms TTL=127

Reply from [d1 int ip add]: bytes=32 time=41ms TTL=127

Reply from [d1 int ip add]: bytes=32 time=58ms TTL=127

Reply from [d1 int ip add]: bytes=32 time=34ms TTL=127

the name resolves correctly to 192.168.1.250 but the traffic never gets to it.

dominic.caron Wed, 11/15/2006 - 08:27

OK, your IPsec tunnel is now fine, I think. You now have a NAT issue...

ip nat inside source list 102 interface Dialer1 overload

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

When the VPN connects, your local pool assigns an IP in 192.168.2.X. If you ping a server in the 192.168.1.X network, when the answer comes back to the router, it will get "NATed" because it matches the ACL (source 192.168.1.X and destination any).

This is why you are getting the d1 ip address in your ping.

I use a route map to do this, but I guess you can also use an ACL; just make it something like this...

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 102 permit ip 192.168.1.0 0.0.0.255 any
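To see why the deny line has to come first, here is an added Python model of how IOS evaluates an extended ACL used as a NAT source list (first match wins, implicit deny at the end, inverse wildcard masks). It is not code from the thread or from Cisco; the VPN client pool address 192.168.2.10 and the Internet host 203.0.113.7 are constructed sample values.

```python
import ipaddress

# Modelled behaviour, not Cisco's implementation: an IOS extended ACL is
# walked top to bottom, the first matching entry decides, and a packet that
# matches nothing hits the implicit deny. Wildcard masks are inverse masks:
# 0 bits must match the address, 1 bits are "don't care".

def wildcard_match(addr, network, wildcard):
    """True if addr matches network/wildcard the way an IOS ACE does."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC WC DST WC'; 'any' is allowed."""
    tokens = line.split()
    action = tokens[2]
    rest = tokens[4:]          # tokens[3] is the protocol keyword "ip"
    def take(ts):
        if ts[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), ts[1:]
        return (ts[0], ts[1]), ts[2:]
    src, rest = take(rest)
    dst, rest = take(rest)
    return action, src, dst

def nat_translates(acl, src, dst):
    """Would 'ip nat inside source list <acl> ... overload' translate this flow?"""
    for line in acl:
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False               # implicit deny: flow is not translated

# NAT ACL as posted in the thread: everything leaving the LAN is translated.
ORIGINAL_ACL = ["access-list 102 permit ip 192.168.1.0 0.0.0.255 any"]
# Fix from the answer: exempt LAN-to-VPN-pool traffic before the permit.
FIXED_ACL = [
    "access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 102 permit ip 192.168.1.0 0.0.0.255 any",
]

if __name__ == "__main__":
    reply = ("192.168.1.250", "192.168.2.10")    # server01 answering the VPN client
    internet = ("192.168.1.250", "203.0.113.7")  # constructed Internet-bound flow
    print("reply to VPN client, original ACL:", nat_translates(ORIGINAL_ACL, *reply))
    print("reply to VPN client, fixed ACL:   ", nat_translates(FIXED_ACL, *reply))
    print("Internet-bound, fixed ACL:        ", nat_translates(FIXED_ACL, *internet))
```

Swapping the two lines of FIXED_ACL reproduces the original symptom, because the permit would match the reply first and the deny would never be reached.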

Posted November 15, 2006 at 6:39 AM