
New Member

VPN 1710 and VPN Client - "maybe" routing problem

Hi,

I was able to get 1710 working with 3DES and CISCO VPN Client 3.6.1. with local aaa authorization.

When I am connected to the VPN I can ping the IP address of the VPN router

(24.x.x.x) and I can ping the internal interface (192.168.x.x) of the router.

The problem is that I can't ping anything else - for example, the hosts in the corporate net (192.168.x.x).

Configuration:

Internal IP of the router: 192.168.x.x

External IP of the router: 24.x.x.x

ippool for Clients: 10.10.10.x

The IP address of the Client after connection is correct: 10.0.0.x (from the pool)

Maybe I am missing something in the 1710 config? Do I need to NAT the internal interface? The default gateway of the net is a FreeBSD system, not the 1710 router.

Any ideas are welcome.

Miro Pendev

IT Administrator


6 REPLIES
Cisco Employee

Re: VPN 1710 and VPN Client - "maybe" routing problem

Here's your problem:

> The default gateway of the net is FreeBSD system, not the 1710 router

When you ping an internal device, the source address of the packet is going to be 10.10.10.x from your VPN pool. Your internal devices are going to send their responses to their default gateway, which is not the 1710.

Either put a static route on the FreeBSD system for the 10.10.10.x network pointing to the inside address of the 1710, or make your pool of addresses part of the 192.168.x.x subnet, then the router will proxy-ARP for those addresses and everything will work fine.
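The asymmetric return path described in this reply, traced in code. This is an added example, not part of the thread: it models the LAN host's and the FreeBSD gateway's routing tables with longest-prefix match and shows the three outcomes named above (pool outside the LAN with no route, pool outside the LAN with a static route on the FreeBSD box, pool inside the LAN subnet with proxy-ARP). The 1710 inside address (192.168.1.1) and the FreeBSD address (192.168.1.254) are assumed placeholders, since the post masks them.

```python
import ipaddress

# Constructed topology for the thread's LAN. The 1710's inside address and the
# FreeBSD box's address are assumed placeholders (the post masks them as
# 192.168.x.x).
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_INSIDE = ipaddress.ip_address("192.168.1.1")   # assumed
FREEBSD_GW = ipaddress.ip_address("192.168.1.254")    # assumed
CONNECTED = "connected"   # next hop meaning: same subnet, ARP for it directly


def next_hop(table, dst):
    """Longest-prefix match over (network, next_hop) entries."""
    best = None
    for net, hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def reply_path(client_ip, pool_net, freebsd_static_route=False):
    """Trace an internal host's echo-reply back to a VPN client.

    The host has only its connected LAN and a default route to the FreeBSD box.
    The FreeBSD box has the LAN, a default route to the Internet and, when
    freebsd_static_route is set, a static route for the pool via the 1710.
    """
    client = ipaddress.ip_address(client_ip)
    pool = ipaddress.ip_network(pool_net)
    default = ipaddress.ip_network("0.0.0.0/0")
    path = []

    host_table = [(LAN, CONNECTED), (default, FREEBSD_GW)]
    hop = next_hop(host_table, client)
    if hop == CONNECTED:
        # Pool inside the LAN subnet: the host ARPs for the client address and
        # the 1710 answers on the client's behalf (proxy-ARP), so the reply
        # lands on the router, which encrypts it into the tunnel.
        path.append("host ARPs on LAN; 1710 proxy-ARP replies")
        path.append("1710 encrypts reply into the tunnel")
        return path
    path.append(f"host forwards to default gateway {hop}")

    gw_table = [(LAN, CONNECTED), (default, "internet")]
    if freebsd_static_route:
        gw_table.append((pool, ROUTER_INSIDE))
    hop = next_hop(gw_table, client)
    if hop == ROUTER_INSIDE:
        path.append(f"FreeBSD static route for {pool} -> {ROUTER_INSIDE}")
        path.append("1710 encrypts reply into the tunnel")
    else:
        path.append("FreeBSD default route -> Internet: reply never reaches the 1710")
    return path


def reply_reaches_client(client_ip, pool_net, freebsd_static_route=False):
    """True when the traced reply ends up encrypted by the 1710."""
    return reply_path(client_ip, pool_net, freebsd_static_route)[-1].startswith("1710 encrypts")


if __name__ == "__main__":
    for args in [("10.10.10.5", "10.10.10.0/24", False),
                 ("10.10.10.5", "10.10.10.0/24", True),
                 ("192.168.1.45", "192.168.1.0/24", False)]:
        print(args, "->", " / ".join(reply_path(*args)))
```

The first case is the poster's original setup: the echo request arrives fine through the tunnel, but the reply is sourced at a host whose only route to 10.10.10.x is its default, so it leaves via the FreeBSD box and never returns to the 1710. Both fixes work by giving the reply a path back to the router, either a route on the gateway or an address the router can proxy-ARP for.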

New Member

Re: VPN 1710 and VPN Client - "maybe" routing problem

Thanks for your reply!

I would prefer to use the proxy-ARP way - a 192.168.x.x subnet for the remote clients. So I did! I changed the client pool and they now have 192.168.x.x IP addresses.

In this situation, from the remote Cisco VPN client I cannot ping either the external IP (24.x.x.x) or the internal IP (192.168.x.x) of the router.

Do I need to enable the proxy-arp?

The configuration of the 1710 is "by the PDF"... I do not have any extra options.

I can post the config so you can take a look - just let me know.

Miro

Cisco Employee

Re: VPN 1710 and VPN Client - "maybe" routing problem

Yes, can you post the config of the router please? Make sure you xxx out your external IP address.

In particular, did you put the pool of addresses into the same subnet of 192.168.x.x, or a different one? If it's different, then the internal hosts are still going to send the replies to the FreeBSD box.

New Member

Re: VPN 1710 and VPN Client - "maybe" routing problem

Yes, they are in the same subnet.

By the way - I noticed that I can ping the internal hosts on the 192.168.1.x net, but not the interfaces of the router. The first ping didn't work, but the second was fine. Because of WINS I can connect to internal servers by \\servername, but I can't browse the network.

The second thing is that the client doesn't have Internet access after Cisco VPN client is connected. Is it possible to keep the internet access on the client side and still use the VPN channel?

Miro

Here is the config for 1710:

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname VPN-Router
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
enable secret 5 ******************
enable password ***************
!
username user password 0 ***************
username user2 password 0 ***************
memory-size iomem 25
ip subnet-zero
!
!
ip name-server 201.x.x.x
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group my_usergroup
 key ***********
 wins 192.168.1.x
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 description connected to Internet
 ip address 24.x.x.x 255.255.255.x
 full-duplex
 crypto map clientmap
!
interface FastEthernet0
 description connected to EthernetLAN
 ip address 192.168.1.x 255.255.255.0
 speed auto
 full-duplex
!
ip local pool ippool 192.168.1.40 192.168.1.50
ip default-gateway 24.x.x.1
ip classless
ip route 0.0.0.0 0.0.0.0 24.x.x.1
no ip http server
ip pim bidir-enable
!
!
!
banner motd
Baner
!
line con 0
 exec-timeout 0 0
 password *************
line aux 0
line vty 0 4
 password ****************
 transport preferred none
line vty 5 10
 password ****************
 transport preferred none
!
end
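A small audit of the config just posted, added here as an example (not a tool from the thread or from Cisco). It parses the pieces that decide this thread's two symptoms, whether the local pool sits inside the LAN interface's subnet (so the 1710 can proxy-ARP for clients) and whether the client group carries an `acl` line (no `acl` means full tunnel, which is why the client loses Internet access), and adds one hygiene finding that the posted config exposes: `no service password-encryption` together with `password 0` lines. The embedded config is a constructed excerpt of the post; the inside address 192.168.1.1, the outside address 203.0.113.10 and the secrets are assumed placeholders for the masked values.

```python
import ipaddress
import re

# Constructed excerpt of the 1710 config posted above. The poster masked the
# inside address as 192.168.1.x and the outside address as 24.x.x.x;
# 192.168.1.1 and 203.0.113.10 are assumed placeholders, the secrets are dummies.
CONFIG = """\
no service password-encryption
username user password 0 dummy-secret
crypto isakmp client configuration group my_usergroup
 key dummy-key
 wins 192.168.1.2
 pool ippool
!
interface Ethernet0
 description connected to Internet
 ip address 203.0.113.10 255.255.255.0
!
interface FastEthernet0
 description connected to EthernetLAN
 ip address 192.168.1.1 255.255.255.0
!
ip local pool ippool 192.168.1.40 192.168.1.50
"""


def parse_config(config):
    """Collect interface subnets, local pools and client-group settings."""
    ifaces, pools, groups = {}, {}, {}
    section = None  # ("interface", name) or ("group", name) while inside a block
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            section = None
        elif line.startswith("interface "):
            section = ("interface", line.split()[1])
        elif line.startswith("crypto isakmp client configuration group "):
            section = ("group", line.split()[-1])
            groups[section[1]] = {"pool": None, "acl": None}
        elif (m := re.match(r"ip local pool (\S+) (\S+) (\S+)", line)):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif section and section[0] == "interface":
            if (m := re.match(r"ip address (\S+) (\S+)", line)):
                # ip_interface accepts a dotted netmask after the slash
                ifaces[section[1]] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif section and section[0] == "group":
            if line.startswith(("pool ", "acl ")):
                key, value = line.split()[:2]
                groups[section[1]][key] = value
    return ifaces, pools, groups


def audit(config, lan_iface="FastEthernet0"):
    """Checks that bear on the problem in this thread, plus one hygiene check."""
    ifaces, pools, groups = parse_config(config)
    lan = ifaces[lan_iface]
    findings = {}
    for name, (first, last) in pools.items():
        # Pool inside the LAN subnet: the 1710 proxy-ARPs for clients, so LAN
        # hosts reply directly instead of via their FreeBSD default gateway.
        findings[f"pool {name} inside {lan}"] = first in lan and last in lan
    for name, group in groups.items():
        # No 'acl' under the group means full tunnel: no Internet from the client.
        findings[f"group {name} split tunnel"] = group["acl"] is not None
        findings[f"group {name} pool defined"] = group["pool"] in pools
    findings["plaintext passwords in config"] = (
        "no service password-encryption" in config or " password 0 " in config
    )
    return findings


if __name__ == "__main__":
    for check, ok in audit(CONFIG).items():
        print(f"{check}: {ok}")
```

Against the posted config the pool check passes (192.168.1.40-50 lies in 192.168.1.0/24, which is why the proxy-ARP fix works), the split-tunnel check fails (no `acl` under `my_usergroup`), and the plaintext-password check fires; `service password-encryption` and `secret` instead of `password` would clear the last one without changing VPN behaviour.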

Cisco Employee (Accepted Solution)

Re: VPN 1710 and VPN Client - "maybe" routing problem

You'll quite often lose the first ping because an ARP has to be sent and replied to, but if you're getting subsequent pings then that's OK.

As for being able to browse the Internet while the tunnel is up, you need to enable split tunnelling. Add the following:

> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

> crypto isakmp client configuration group my_usergroup

> acl 110

This means the client will only encrypt traffic to the 192.168.1.0 network, all other traffic will go out in the clear to the Internet.
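The split-tunnel decision this reply describes, worked through as an added example (not code from the thread or from Cisco). It evaluates the ACE above with IOS wildcard-mask matching and classifies a client packet as tunnelled or clear, and contrasts it with the full-tunnel case the poster started from (no `acl` under the group). The model reads the router-side ACL's source as the protected network and its destination as the client side, so a packet is encrypted when its destination matches the source side and the client's own address matches the destination side; that reading, the client address 192.168.1.45 from the pool, and the Internet address 198.51.100.7 are the example's assumptions.

```python
import ipaddress


def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask test: wildcard bits set to 1 are 'don't care' bits."""
    a = int(ipaddress.ip_address(addr))
    n = int(ipaddress.ip_address(network))
    w = int(ipaddress.ip_address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' where SRC/DST is
    'A.B.C.D W.X.Y.Z', 'host A.B.C.D' or 'any'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    rest = tokens[4:]

    def take_endpoint():
        if rest[0] == "any":
            del rest[0]
            return ("0.0.0.0", "255.255.255.255")
        if rest[0] == "host":
            host = rest[1]
            del rest[:2]
            return (host, "0.0.0.0")
        net, wc = rest[0], rest[1]
        del rest[:2]
        return (net, wc)

    src = take_endpoint()
    dst = take_endpoint()
    return {"number": tokens[1], "action": tokens[2], "src": src, "dst": dst}


def client_disposition(split_acl, client_ip, dst_ip):
    """Where a packet from the VPN client goes.

    split_acl is None when the group has no 'acl' line (full tunnel: everything
    is encrypted, so the client has no direct Internet path). With an ACL, the
    router-side source is the protected network and the destination is the
    client side (modelling assumption, see lead-in); the client encrypts only
    traffic whose destination matches the protected network and whose own
    address matches the client side.
    """
    if split_acl is None:
        return "tunnel"
    for line in split_acl:
        ace = parse_ace(line)
        if wildcard_match(dst_ip, *ace["src"]) and wildcard_match(client_ip, *ace["dst"]):
            return "tunnel" if ace["action"] == "permit" else "clear"
    return "clear"


# The ACE from the accepted answer. The 192.168.1.40-50 client pool sits inside
# the same /24, so the destination side also covers the client addresses.
SPLIT_ACL = ["access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255"]


def demo():
    client = "192.168.1.45"   # constructed: an address from the pool
    return {
        "lan host, full tunnel": client_disposition(None, client, "192.168.1.10"),
        "internet, full tunnel": client_disposition(None, client, "198.51.100.7"),
        "lan host, split": client_disposition(SPLIT_ACL, client, "192.168.1.10"),
        "internet, split": client_disposition(SPLIT_ACL, client, "198.51.100.7"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Two things to check before turning this on: every internal network the clients need must fall under the ACL's protected side, or that traffic silently goes out in the clear, and once split tunnelling is enabled the client is reachable from the Internet and from the corporate LAN at the same time, which is the trade-off being made for Internet access while connected.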

New Member

Re: VPN 1710 and VPN Client - "maybe" routing problem

Worked as a charm :-)

Thanks a lot!

Miro

104 Views | 5 Helpful | 6 Replies