Cisco Support Community
Community Member

VPN client 3.5 to Cisco 2600(IPSec)


I have created a VPN tunnel from a VPN client to a Cisco 2600. The question is: even though I have the pool address the same as the internal LAN address, after I created the tunnel I cannot ping any machine inside the network unless I add a static route on some local machine.

With the same setup on a PIX, I can just ping everybody inside the LAN without adding a specific static route. So what's the difference between these two setups?

Cisco Employee

Re: VPN client 3.5 to Cisco 2600(IPSec)

Sounds like a routing problem, as you identified. Difficult to say without topology or routing information. What is the routing config on the IOS? Are the internal LAN addresses that you are trying to reach on the same subnet as the IOS private interface, or some hops away from the router?

What is the default gateway on the destination host?

Difficult to answer without topology and routing info.

Community Member

Re: VPN client 3.5 to Cisco 2600(IPSec)

aaa new-model

aaa authentication login user-test local
aaa authorization network group-test local
aaa session-id common
enable secret 5 $1$Fyj3$p3HStbnvvB080.tuNgQI30

username Watarai password 0 ######
username syscom password 0 ######
ip subnet-zero

crypto isakmp policy 3
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local SyscomPool

crypto isakmp client configuration group TestGroup
 key syscomusavpn
 pool SyscomPool
 acl 101

!crypto ipsec transform-set SyscomSet esp-des esp-sha-hmac

crypto dynamic-map dynmap 10
 set transform-set SyscomSet

crypto map SyscomMap client authentication list user-test
crypto map SyscomMap isakmp authorization list group-test
crypto map SyscomMap client configuration address respond
crypto map SyscomMap 10 ipsec-isakmp dynamic dynmap

fax interface-type fax-mail
mta receive maximum-recipients 0
interface Ethernet0/0
 ip address
 crypto map SyscomMap
interface Ethernet0/1
 ip address

ip local pool SyscomPool
ip classless
ip route
no ip http server
ip pim bidir-enable

access-list 1 permit
access-list 101 permit ip any


This is the code which I had. Do I need more ip routes than just that one?

I can create the tunnel, but from the client statistics, there are only output (encrypt) packets, no input (decrypt) packets at all.

If anyone has any suggestions, they would be appreciated.
