Solved: Re: Address Pool ins easy vpn server - Page 2

edgar-quintana · ‎02-11-2007

Hi,

I?ve a 1721 cisco router with one adsl wic card.

This router provides me internet conection and nat(dmz servers).

Now, I need to implement with this router an easy vpn server to provide vpn conection to clients who use cisco vpn client 4.8 software.

I follow step by step the instructions to enable the server but, when the wizar tells me about an address pool...I do not know.

The router has 2 fastethernet addresses, 192.168.156.253 and 192.168.158.253(secondary).

My lan works whith 192.168.156.x address.

what will be the address pool?

Best regards

heze54

edgar-quintana · ‎02-27-2007

Hi,

There is my sdm config file.

The remote clients who connect using remote vpn client have to connect using the tunnel and have local connection (split tunneling).

Can you change my configuration to implement this?

Is possible to only permit this remote prifile to connect to an specific ip? ofr example only permit to connect to 192.16.156.50...

best regrads

ggilbert · ‎02-27-2007

Edgar,

access-list 140 per ip host 192.168.156.50 192.168.50.0 0.0.0.255

crypto isakmp client configuration group serlogis

acl 140

Test this out and let me know. The above example is to provide split tunneling and also to allow only the host 192.16.156.50 to have access to the VPN client network.

Cheers

Gilbert

Rate this post, if it helps!

edgar-quintana · ‎02-28-2007

Hi,

I?ve added this command lines to my 1721 router but it does not works.

The vpn client software reports errors connecting.

I only add this lines.

best regards

ggilbert · ‎02-28-2007

Edgar,

Turn on the following debugs on the router

deb cry isa & deb cry ipsec.

If you are going to telnet to the router, please insert the command "term mon" to get the debugs show up on the screen.

On the client, there is a tab for Log | Log Settings, can you enable everything to 1-5 and make sure you enable the Logging on the client.

Then open the window for logging.

Connect with the client and let me know what are the results.

We can troubleshoot from there.

Hope this helps.

Gilbert

edgar-quintana · ‎02-28-2007

HI,

today i?ll send you the changed configuration and i?ll make the probes and attach the log files

edgar-quintana · ‎02-28-2007

This is the configuration.

No debug in router

ggilbert · ‎02-28-2007

Edgar,

You need to enable debugs on the router. Thanks for the config.

"deb cry isa" and "deb cry ipsec" are the debugs that needs to be enabled when the client is trying to connect.

Thanks

Gilbert

edgar-quintana · ‎02-28-2007

Hi,

i?ve enabled them but no debug was shown.

edgar-quintana · ‎02-28-2007

I've to delete acl 140 and the access list 140 in order to access using vpn remote client.

ggilbert · ‎02-28-2007

Edgar,

If that would be the case, seems like the VPN client connection is getting stuck when the split tunnel ACL is being sent over to the client.

Further, in-depth troubleshooting has to be done on this issue. Please open a TAC case and one of the engineers will be able to help you out.

Sorry Edgar, troubleshooting further with access will be the best method to figure out this issue.

Cheers,

Gilbert

edgar-quintana · ‎03-01-2007

Hi

Local lan is enabled.. is this option a problem?

I'll try to disable it and then add your configuration and... we'll see

edgar-quintana · ‎03-05-2007

Hi,

Another problem

I have a 1721 cisco router with one adsl wic installed.It has a wan address with we want to change because our ISP needs to change ....

Using SDM , which is the best way to do?If I change the ip using SDM the router will change my nat configuration from the older WAN address to the new??

Best regards