05-31-2007 07:54 AM - edited 02-21-2020 01:32 AM
Hi, it's my first time configuring VPN and it looks like I got stuck - I have a Cisco 2620 which is configured for FR, and I need to set up VPN access. I think I did everything by the book, but... VPN Client version 4.6.00..0049 connects but then gets a config like this
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : xxx
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-xx-xx-xx
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.170.63.21
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . : 10.170.63.21
DNS Servers . . . . . . . . . . . : 194.x.x.x
As you can see, it sets its default gateway to the same IP the client gets from the router. I'm not sure why, and whether it's a routing setup issue, the vpnpool, or something totally different.
Waiting for replies! Thanks much in advance, attached current config...
06-03-2007 08:15 PM
Hi
Did you try pinging the IP address configured on the router Ethernet interface, 10.170.63.20?
Can you try the same and check?
AFAIK in dial-up connections you usually get the IP address received on the dialer adapter as your default gateway.
regds
06-03-2007 10:54 PM
In the meantime I got another tip from my friend, who has been working on Cisco a little longer, and he confirmed my doubts that it's probably because split-tunnel is not configured. Answering your question - yes, the gateway .20 is pingable.
06-04-2007 08:00 AM
Hello,
Looking through the config and the description of the problem, it seems that you are able to connect but not pass traffic.
You have NAT configured, and for the VPN client to access your internal network you need to make a modification to the NAT rule, which is
ip nat inside source list 100 interface Serial0/0.1 overload
ip access-l ext 100
1 deny ip 10.170.56.0 0.0.7.255 10.170.63.0 0.255.255.255
This will fix the problem, but there are other issues. If you look at the subnet mask assigned to the VPN client, it will be a class A subnet, but you are using VLSM on your internal networks.
So the router is going to deny traffic from 10.170.56.x to 10.x.x.x from being NATted.
What I would suggest is to change the IP pool assignment to something like 192.168.63.0/24, which will automatically insert the subnet mask 255.255.255.0 for the VPN client adapter since it falls in the class C category.
If you are going to change the IP pool, then your ACL 100 should look like
access-l 100 deny ip 10.170.56.0 0.0.7.255 192.168.63.0 0.0.0.255
access-l 100 per ip 10.170.56.0 0.0.7.255 any
Hope this helps to resolve your issue.
Rate it, if it helps.
Cheers,
Gilbert
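To make the "other issue" concrete, here is an added example (not from the thread or from Cisco) that evaluates the two NAT-exemption ACLs above with IOS wildcard-mask, first-match, implicit-deny semantics. The 10.200.1.1 host is a constructed stand-in for some other internal 10.x.x.x subnet reached over the FR link.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask test: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_acl(lines):
    """Parse 'access-list N deny|permit ip SRC SWC DST DWC' lines ('any' allowed)."""
    entries = []
    for line in lines:
        tok = line.split()
        action, tok = tok[2], tok[4:]  # skip 'access-list', number and 'ip'

        def take(t):
            if t[0] == "any":
                return "0.0.0.0", "255.255.255.255", t[1:]
            return t[0], t[1], t[2:]

        src, swc, tok = take(tok)
        dst, dwc, _ = take(tok)
        entries.append((action, src, swc, dst, dwc))
    return entries

def is_natted(acl, src: str, dst: str) -> bool:
    """First matching entry wins; a NAT ACL ends with an implicit deny (= not NATted)."""
    for action, s, swc, d, dwc in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action == "permit"
    return False

# The ACL from the post with the /8 VPN pool: the deny covers all of 10.0.0.0/8.
ORIGINAL = parse_acl([
    "access-list 100 deny ip 10.170.56.0 0.0.7.255 10.170.63.0 0.255.255.255",
    "access-list 100 permit ip 10.170.56.0 0.0.7.255 any",
])
# The suggested ACL with a 192.168.63.0/24 pool: the deny covers only the pool.
REVISED = parse_acl([
    "access-list 100 deny ip 10.170.56.0 0.0.7.255 192.168.63.0 0.0.0.255",
    "access-list 100 permit ip 10.170.56.0 0.0.7.255 any",
])

if __name__ == "__main__":
    for name, acl, dst in (("original", ORIGINAL, "10.170.63.21"),
                           ("original", ORIGINAL, "10.200.1.1"),
                           ("revised", REVISED, "10.200.1.1")):
        print(name, "10.170.56.5 ->", dst, "NATted:", is_natted(acl, "10.170.56.5", dst))
```

With the /8 pool, every packet from the LAN to any 10.x.x.x address is exempted from NAT, not just packets to VPN clients; the /24 pool limits the exemption to the pool.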
06-04-2007 10:53 PM
Hi, I did rate your post, thanks, but I had already figured out why there was no traffic before. I'm gonna leave the config with 10.x.x.x IPs for VPN due to our manager's request, so it has to be a /8 mask. Again, thanks anyway, you are correct.