Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN Server Routing Question...

I have a 7200 series router configured as an Easy VPN Server. This router is also the edge router for our connection to our ISP. The ISP has assigned us a /20 network which I have statically routed to Null0 to ground out the address space that is currently unused.

The IP pool for the Easy VPN also comes from this unused address space and obviously with the static route to Null, the VPN clients are unable to properly access devices on the network.

Do I really need to route unused address space to Null? Is there a more specific route I can create for my VPN IP pool and to where would I route this pool?

Thanks for the help,



Re: VPN Server Routing Question...

The following comfoiguration may help in resolving the issue.

ip nat inside source list 1 interface Serial1/0 overload

!--- This allows PAT to be used for regular Internet traffic.

ip nat inside source static udp port no:> interface Serial1/0 4500

!--- This permits IPSec traffic destined for the Serial1/0

!--- interface to be sent to the inside IP address .

ip nat inside source static udp e Serial1/0 500

!--- This allows UDP traffic for the Serial1/0 interface to be

!--- statically mapped to the inside IP address

!--- This is required for the Internet Security Association

!--- and Key Management Protocol (ISAKMP) negotiation to be

!--- initiated from VPN-Gateway1 to VPN-Gateway2.

Hall of Fame Super Silver

Re: VPN Server Routing Question...


I have not done quite exactly what you are doing, so I do not have direct experience. But I have done things that I think are somewhat similar and think that my approach may work for you. In a somewhat similar situation where I was defining a pool of addresses to be assigned to clients, I arranged for the pool of addresses to be on a logical subnet boundary (fit into the subnet addressing scheme being used). I assigned the first address (the .1) to a loopback interface with the subnet mask appropriate to the subnet (and excluded .1 from the pool). Therefore the router had a connected subnet for the addresses of the pool which protects it from the static route to null 0 and allows the other addresses to be assigned to clients.

I agree with your intention that the address space assigned should be protected where there are unassigned addresses. The static route to null 0 is the typical way to do this.