Cisco Easy VPN server and Cisco VPN Client Problem...

alfanetworks
Level 1

Hello folks,

I have a Cisco 877 set up with a static internet IP and internal NAT for the office LAN (subnet 192.168.254.0). I have configured the Easy VPN server using SDM on it, so that a few office laptops can access the LAN from the outside and get MS Exchange emails, shared folders, folder redirection etc. as if they were in the office. The VPN client pool in the config is set to subnet 192.168.253.0 and the laptops have Cisco VPN Client 4.8 installed.

When the clients fire up, the authentication seems to work fine and the tunnel is established. 2 problems I have hit...

1) Those who themselves are behind home NATs can't even ping any PCs on the 192.168.254.0 subnet (the office).

2) Only 1 laptop can ping the PCs and see the shares, and that one is connecting to the net using a cellular mobile phone 3G PC Card. However, this one can only see files and folders on office PCs; anything relating to other TCP/IP ports (Outlook, intranet web access etc.) doesn't work...

Here is my config attached, and I hope someone can help, it's probably something simple I've overlooked.

many thx in advance!!

5 Replies

m.sir
Level 7

It looks like a NAT traversal issue.

Try the command

crypto ipsec nat-transparency udp-encapsulation

on the router.

This command is enabled by default, but we should be sure that this command is enabled...

What is the VPN client setting? Have you enabled IPSEC over UDP (in VPN client - MODIFY - TRANSPORT - Enable transparent tunneling - check IPSEC over UDP)?

M.

Yep, the client is in default mode, enable transparent tunneling ticked, IPsec over UDP ticked.

Tried the crypto ipsec, no joy. Do I need to reload the router for it to take effect?

Hi guys, I hate to bump this up the list, but does anyone else have any ideas? I'm rather stuck! Many thx

Hi,

You should remove the reverse-route entry from the crypto map, since this will cause a problem if the same internal home network scope is used for all the clients. Besides that, it does not seem to be needed anyway in your setup.

If this does not help, try these debug commands:

debug crypto ipsec

debug crypto isakmp

debug crypto engine

Regards,

Thomas BJ

Hi,

1. Enable logging on Cisco VPN Client (Log settings -> put all on high), connect to both LAN and 3G and attach the logs.

2. Use the SetMTU tool of the Cisco VPN client to lower the MTU if not already (should be 1300 for LAN).

3. Enable NAT transparency on the router. Check:

http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080235197.shtml

http://cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455c72.html

Please rate if this helped.

Regards,

Daniel
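
The size arithmetic behind the lower-MTU suggestion in step 2 of the reply above, as an added example that is not part of the thread or of Cisco's tooling: it computes how large a tunneled packet becomes after ESP tunnel-mode and UDP encapsulation. The 3DES/AES-CBC and HMAC-96 choices and the sample path MTUs are assumptions, since the router config attached to the original post is not shown here.

```python
# Added example: wire size of one packet after ESP tunnel mode + UDP encapsulation.
# Cipher/hash choices are assumptions; the thread's router config is not shown.
OUTER_IP = 20      # outer IPv4 header, no options
UDP_ENCAP = 8      # UDP header added by NAT traversal / IPsec over UDP
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length byte + next-header byte
CIPHERS = {"3des": (8, 8), "aes-cbc": (16, 16)}   # name -> (IV bytes, block bytes)
ICV = {"hmac-sha1-96": 12, "hmac-md5-96": 12}     # truncated integrity check value


def encapsulated_size(inner_len, cipher="3des", auth="hmac-sha1-96", udp=True):
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    iv, block = CIPHERS[cipher]
    # Inner packet plus the 2-byte trailer is padded up to a whole cipher block.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP + (UDP_ENCAP if udp else 0) + ESP_HDR + iv + padded + ICV[auth]


def max_inner_mtu(path_mtu, **kw):
    """Largest inner packet that still fits path_mtu without fragmentation."""
    size = path_mtu
    while size > 0 and encapsulated_size(size, **kw) > path_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    # Constructed sample path MTUs: plain Ethernet, PPPoE, and a smaller link.
    for path_mtu in (1500, 1492, 1400):
        for cipher in CIPHERS:
            limit = max_inner_mtu(path_mtu, cipher=cipher)
            fits = encapsulated_size(1300, cipher=cipher) <= path_mtu
            print(f"path MTU {path_mtu}, {cipher}: largest inner packet {limit}, "
                  f"1300-byte packet fits: {fits}")
```

A 1300-byte inner packet stays under a 1500-byte path for both ciphers, while a full 1500-byte packet grows past it and has to be fragmented or dropped.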
