Thanks to everyone that helped me with getting my SOHO 91 VPN IPSEC endpoint working with NAT. I had read probably 100 documents from people with similar problems with IPSEC and NAT, with most of those threads ending with no solutions... I actually had tried half a dozen different solutions that should have worked, but the thing that made it start working and passing traffic back to the client was to remove EVERYTHING to do with the VPN config, and then clear all crypto, sa, isakmp and nat translations before entering everything from scratch. Lo and behold, the very first config I tried passed traffic both ways! So that's my advice: if you're having problems that shouldn't be happening, then just try removing at least all your crypto maps and everything else involved with the group and client policy and start from scratch. I had actually read that in several documents, including a Cisco VPN troubleshooting guide, and didn't heed it until after a couple of weeks of frustration had passed...
Now, what I really need is help allowing internet access through the tunnel as theorized in this thread:
I want to have internet access through the tunnel to avoid split tunneling by using the technique of a loopback interface and route-map to nat the vpn traffic destined for outside the private network. My config is attached and I believe it's actually working but for one thing - the VPN client doesn't seem to be using the dns provided in the client's crypto group. I can ping and browse any internet IP addresses through the tunnel, and access any private address on the lan through the tunnel so I know my access lists and dummy loopback interface to nat the internet-destined traffic are doing their job, but nothing will resolve by domain name. Can anyone suggest why I'm not getting DNS responses back through the tunnel? It really seems like the domain protocol isn't passing - I've tried with my firewall both off and on with no difference.
My config is attached, I appreciate your time and help to get this 100% working...
Re: SOHO91 VPN finally works, need client DNS help...
Make sure the VPN server (a router) successfully assigns a DNS server IP address to the Cisco VPN Client. To check, issue the ipconfig/all command on your PC after you are connected with the VPN Client.
If you do not see the correct IP address for your DNS field, check the configuration on the VPN server to make sure it was configured properly. This pushes the DNS server's IP address to the VPN Client's IP address.
To assign the DNS server's IP address for the VPN Clients, issue these commands on the router:
crypto isakmp client configuration group 3000client
If the VPN Client receives the correct DNS IP address from the VPN server, but name resolution still does not work, check to make sure the Network Basic Input and Output System (NetBIOS) over Transmission Control Protocol (TCP) and IP option is checked under Advanced TCP/IP properties > WINS on the PC that runs the VPN Client.
Note: If you do not have split tunneling configured for the VPN Client, you will not be able to use the DNS server of the Internet Service Provider (ISP) anymore. This is because all traffic is now encrypted and sent to the VPN server.
These are related Cisco bug IDs:
CSCds65138: W2K Client - WINS - You must add Client for MS Networks for Dialup
CSCdy66378: Client ignores DNS server from mode cfg
CSCdy39938: Split DNS servername is not released
CSCdr47582: WINS address not configured on machines with Static IPs
Re: SOHO91 VPN finally works, need client DNS help...
Thanks for your reply, and I appreciate those bug links... I had actually posted another message letting everyone know that I had gotten it working; I guess I should have come back to this thread and said so. The whole issue turned out to be that I had enabled ip cef, but when I left the route caching enabled on the outside interface where vpn connections were accepted there were serious traffic flow issues back to the vpn client. The second I disabled route-cache and mroute-cache on that interface it magically started working and cpu utilization went totally back to normal; it's really working excellently now. I had read about that in someone's post, but I had other issues with the config in the early stages and forgot about it by the time I got the access lists straightened out for internet on a stick like I'm doing. Anyway, thanks again. Oh, and I had enabled the dns server in the router before figuring out the caching settings, and that started functioning for the client also after traffic started to flow - I can resolve anything inside my lan by name with no issues.
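As an added example (not the original poster's attached config and not the replier's own commands), here is an IOS fragment that ties together the points raised in this thread: the client configuration group that pushes a DNS server to the VPN Client (no split-tunnel ACL is referenced, so the client's DNS queries go through the tunnel too, as the reply's note explains), the router's own DNS server that the second post turned on, and the route-cache settings on the outside interface that fixed the return traffic. The group name 3000client comes from the thread; every address, the pool, the domain and the pre-shared key are constructed placeholders, and the loopback/route-map NAT for internet-bound traffic is left out.

```cisco
! Added example, not from the original thread. All addresses, the pool,
! the domain name and the pre-shared key are constructed placeholders.
!
! 1. Group policy pushed to the VPN Client by mode config.
!    No "acl" line, so there is no split tunneling: ALL client traffic,
!    DNS queries included, is encrypted and sent to this router. The pushed
!    DNS server therefore has to be reachable through the tunnel; here it is
!    the router's own inside address.
crypto isakmp client configuration group 3000client
 key PLACEHOLDER-PRESHARED-KEY
 dns 192.168.1.1
 domain example.internal
 pool vpnpool
!
! Addresses handed to VPN Clients (constructed range).
ip local pool vpnpool 192.168.100.1 192.168.100.50
!
! 2. Let the router answer the client's name queries for the LAN and forward
!    everything else to an upstream resolver (placeholder address). This is
!    the "dns server in the router" the second post enabled.
ip dns server
ip name-server 203.0.113.53
!
! 3. Outside interface that terminates the IPsec tunnel. With CEF enabled,
!    the fast-switching caches on this interface broke traffic back to the
!    VPN Client and drove up CPU in the thread, so both caches are disabled.
interface FastEthernet0/0
 description OUTSIDE - IPsec peer address (placeholder)
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
 crypto map clientmap
 no ip route-cache
 no ip mroute-cache
!
! Verification, per the reply above: after the client connects, run
! "ipconfig /all" on the PC and confirm 192.168.1.1 appears as the DNS
! server for the VPN adapter; on the router, "show crypto session" and
! "show ip nat translations" confirm the tunnel and the NAT entries.
```

The crypto map "clientmap" referenced on the interface (ISAKMP policy, transform set, dynamic map and the AAA lists behind it) is assumed to exist already, since the original poster reported the tunnel itself was passing traffic.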