Cisco IOS - Remote Access VPN - unwanted route problem

Hello there

I have run into a problematic scenario recently: I am trying to connect from a remote LAN (using a Cisco VPN client on my Windows XP machine) to my office LAN and access one server there. The problem is that I need access to the entire remote LAN at the same time.

Remote LAN: 172.16.0.0/16

Office LAN: 172.16.45.0/24

Topology:

(ME: 172.16.10.138/25) - (multiple subnets from 172.16.0.0/16) - (Internet Cloud) - (VPN-Gateway) - (172.16.45.0/24) - (TARGET: 172.16.45.100)

To provide the access, I configured a simple remote-access VPN on a 1700 series router. This is the relevant part:

(...)
!
! ISAKMP client group: pre-shared key, address pool and split-tunnel ACL
! pushed to Cisco VPN Client users of this group
crypto isakmp client config group group-remote-access
 key my-group-key
 pool vpn-address-pool
 acl 100
!
! Addresses handed out to connecting VPN clients (172.16.55.1-172.16.55.30)
ip local pool vpn-address-pool 172.16.55.1 172.16.55.30
!
! Split-tunnel ACL: only traffic between the server and the client pool
! is protected by the tunnel
access-list 100 permit ip host 172.16.45.100 172.16.55.0 0.0.0.31
!
(...)

The configuration works fine, in that I can access the 172.16.45.100 server whenever I need to. However, the problem is that when the VPN link is connected, Windows somehow wants to route any packet destined for 172.16.0.0/16 through the VPN tunnel! This is apparently due to a static route that is added by the Cisco VPN Client along with all the other VPN-specific routes.

I suspect the culprit is the IP LOCAL POOL, since when the VPN is connected, the VPN Client debug log shows something like "Adapter Connected, address 172.16.55.1/16". Emphasis on the "/16" part. I checked the status page for the VPN connection and the only route specified there was "172.16.45.100 255.255.255.255" under Remote Routes. Local Routes was empty.

Is this a known problem that I missed the obvious solution for? Is there any workaround aside from moving the local vpn pool into the 10.x.x.x or 192.168.x.x range? Thank you in advance for any tips or hints!

1 ACCEPTED SOLUTION


Re: Cisco IOS - Remote Access VPN - unwanted route problem

Hi,

The best way is to avoid any overlap between the local LAN and the VPN pool.

Try 172.17.0.0/16, which is also private IP space:

http://en.wikipedia.org/wiki/Private_network

Please rate if this helped.

Regards,

Daniel
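To make the accepted answer concrete, here is an added example (not code from the thread, from Cisco or from either poster): a small Python model of the Windows route table with the tunnel up, resolved by longest-prefix match. The entries are reconstructed from the thread: the poster's connected /25, the /16 the client log reports for the VPN adapter address (modelled here as Windows' usual on-link route for that adapter), the /32 split-tunnel route for the server, and a default route on the physical NIC. Metrics are ignored, and the probe hosts 172.16.20.5, 172.16.10.140 and 8.8.8.8 are constructed for illustration.

```python
"""Longest-prefix-match model of a Windows route table with a split-tunnel
VPN up, showing why a pool inside the local 172.16.0.0/16 captures traffic
for the whole /16 and why a pool in 172.17.0.0/16 does not.

Added example for this thread; not Cisco's or the poster's code.
Assumption: the client sets the VPN adapter to <pool address>/16, as the
poster's client log reported, and Windows installs an on-link route for it.
"""
import ipaddress


def build_routes(pool_address, local_subnet="172.16.10.128/25",
                 targets=("172.16.45.100/32",)):
    """Return (network, egress) routes as the client PC holds them with the
    tunnel connected. Metrics are ignored; only prefix length decides."""
    adapter = ipaddress.ip_interface(pool_address)   # e.g. 172.16.55.1/16
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), "LAN default gateway"),
        # on-link route for the physical NIC (poster's own /25)
        (ipaddress.ip_network(local_subnet, strict=False), "LAN NIC"),
        # on-link route Windows adds for the VPN adapter's address/mask
        (adapter.network, "VPN adapter"),
    ]
    # split-tunnel "Remote Routes" pushed from acl 100: one /32 per target
    for target in targets:
        routes.append((ipaddress.ip_network(target), "VPN tunnel"))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def overlaps(pool_cidr, *lans):
    """The check the accepted answer asks for: which LANs does a candidate
    pool (or the adapter network derived from it) overlap?"""
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    return [lan for lan in lans if pool.overlaps(ipaddress.ip_network(lan))]


def demo(pool_address):
    """Resolve a few destinations against the table built for pool_address."""
    routes = build_routes(pool_address)
    probes = {
        "target server": "172.16.45.100",        # from the post
        "other remote LAN host": "172.16.20.5",  # constructed: another 172.16/16 subnet
        "same-subnet host": "172.16.10.140",     # constructed: neighbour in the /25
        "internet": "8.8.8.8",                   # constructed
    }
    return {name: lookup(routes, dst) for name, dst in probes.items()}


if __name__ == "__main__":
    for pool in ("172.16.55.1/16", "172.17.55.1/16"):
        print(f"VPN adapter address {pool}:")
        for name, egress in demo(pool).items():
            print(f"  {name:<22} -> {egress}")
        print("  adapter network overlaps:",
              overlaps(pool, "172.16.0.0/16", "172.16.45.0/24"))
    # the configured pool range itself, without the /16 the client applies
    print("pool 172.16.55.0/27 overlaps:",
          overlaps("172.16.55.0/27", "172.16.0.0/16", "172.16.45.0/24"))
```

With the pool at 172.16.55.x the on-link 172.16.0.0/16 route is more specific than the default route, so every 172.16.x.x host outside the poster's own /25 is sent to the VPN adapter; only the /25 neighbours and the /32 target still go where intended. Moving the pool to 172.17.55.x changes that route to 172.17.0.0/16, and the rest of 172.16.0.0/16 falls back to the LAN default gateway while the /32 split-tunnel route keeps reaching the server.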

2 REPLIES


Re: Cisco IOS - Remote Access VPN - unwanted route problem

Thanks for the suggestion, I'll look into it.
