Cisco Support Community

vpnclient and "public" private ip address


I have a weird issue. Earlier today I created a tunnel to a vendor that uses "public" addresses (138.x.x.x) as a private address for me to tunnel to. All of this works except for a remote site that has a 5505 configured as a vpnclient. The tunnel-group that they connect to has a group-policy that forces all traffic over the tunnel. The vpnacl that's applied shows that it's allowing everything over the tunnel. NAT is disabled only by not having the global line in the config.

The problem is that the user tries to go to this address, but it doesn't seem to go over the tunnel. I created a capture file on my side (headend) and I don't see anything. Then I created a capture file on their side and I see it try to connect, but no success. Any ideas on how I can force this address through the tunnel so it can go out of my device like it should? I have hundreds of users that work fine, but it's the satellite offices that have these ASAs that don't. I've got same-security-traffic permit intra-interface configured on my headend 5520.



HTH, John *** Please rate all useful posts ***

Re: vpnclient and "public" private ip address

When you say it doesn't seem to go over the tunnel, what are you seeing? Does the tunnel establish? Are there encaps? Decaps? ISAKMP phase 1 complete?