Cisco Support Community

New Member

Routing to subnet behind a WinXP VPN client.


I have the following topology.

(PC)LAN--->GenericRouter-- Internet-->Ent.Network

<------------- VPN-------------------------->

A PC on my LAN has a VPN client and

connects to the Ent.Network (Using a 2811 as a VPN gateway)

The client has Local LAN Access.

My IP Addresses are

Enterprise Network :


PC Lan :

On my PC (running WinXP with IPForwarding Enabled) I get a VPN IP address, and have a local LAN IP address.

From the Ent.Network, I can Ping the VPN Client IP address. (As expected)

Now, I want to be able to ping the Local LAN address from the Ent.Network.

Eg, ping from

I have setup a static route to the remote network, via the VPN client IP address.

ip route

The route for the VPN client is injected via RRI.

I have also added the subnet to the routemap on the 2811 so that it does not get natted.

But I can't ping from the Ent.Network to the LAN behind the VPN.

A traceroute to from the router (using the source address of the lan) shows no address in the output (just * * * *).

A show ip route shows


Any ideas on where I should start looking for problems ?



Re: Routing to subnet behind a WinXP VPN client.

Shahed, this is what I think: I believe you will not be able to connect to the local machine IP simply because it is not part of that tunnel. You are VPNing to the Enterprise network and LAN_PC receives DHCP IP of from Enterprise VPN gateway which is the NATed address for, so if you want to PING you will do it through its NAT address which is and established in that VPN tunnel, and this you have indicated a successful PING. I can only see this feasible if you had a LAN-to-LAN VPN tunnel from (PC)LAN--->GenericRouter to VPN gateway at 2811.Ent.Network with no NAT thus will be part of the tunnel.



New Member

Re: Routing to subnet behind a WinXP VPN client.

Hi Jorge,

Yes, what I am trying to establish, is essentially the capability of a site-to-site VPN, using a VPN client !

So I believe what you are saying is that, it is not possible at all :-(

Is it at all possible to create a site-to-site VPN using a software client at one end and a 2811 at the other ?

Or will I have to purchase a router ?

Thanks !!

Re: Routing to subnet behind a WinXP VPN client.

For LAN-to-LAN you will need a router or firewall as an IPsec termination point. LAN-to-LAN is not possible with a VPN client; you need a device that terminates an IPsec VPN tunnel, and VPN clients alone do not do that. Look into 800 series routers if this is for a small SOHO network, or even a 2801 with security 56/3DES IOS. I highly recommend the ASA5505 with Security Plus license. The ASA5505 basic license allows for up to 10 LAN-to-LAN VPN sessions and ranges between $350-450 depending on where you buy it from; the Security Plus license adds another $400 to $500. But with routers you do not have to deal much with licensing other than obtaining the right IOS code.

ASA models

If you decide on a router, post model recommendations on the WAN routing and switching forum; you'll get good recommendations, but as I said, with any router with the right code you can do LAN-to-LAN.




Re: Routing to subnet behind a WinXP VPN client.

Make sure network extension mode (NEM) is enabled on your VPN setup at the terminating device.

NEM emulates an L2L connection over a VPN client configuration scenario.

Otherwise, the ASA 5505 is probably your best bet, but you can also find the EOL Cisco VPN 3002 on eBay pretty cheap. It's a hardware device that acts like the software VPN client, but it will do network extension mode (NEM), which is the feature you're after.

New Member

Re: Routing to subnet behind a WinXP VPN client.

Hi, I am not sure what the NEM mode is (will look it up), but don't you think the 851 would also work for me?

The 5505 and 3002 are still pretty expensive when compared to an 851.




Re: Routing to subnet behind a WinXP VPN client.

5505s can cost under $400 USD for the base license (10 user). I'm not sure about the 851. As long as it supports IPsec though, you should be OK.