VPN on C2620 router - client connects but no traffic goes out

wojciechowskij
Level 1

Hi, it's my first time configuring VPN and it looks like I got stuck. I have a Cisco 2620 which is configured for Frame Relay (FR), and I need to set up VPN access. I think I did everything by the book, but... VPN Client version 4.6.00.0049 connects but then gets a config like this:

Ethernet adapter Local Area Connection 2:
   Connection-specific DNS Suffix . : xxx
   Description . . . . . . . . . . . : Cisco Systems VPN Adapter
   Physical Address. . . . . . . . . : 00-05-9A-xx-xx-xx
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.170.63.21
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   Default Gateway . . . . . . . . . : 10.170.63.21
   DNS Servers . . . . . . . . . . . : 194.x.x.x

As you can see, it sets itself to the same default gateway as the IP the client gets from the router. I'm not sure why, and whether it's a routing setup issue, the VPN pool, or something totally different.

Waiting for replies! Thanks much in advance. Current config attached...

4 Replies

spremkumar
Level 9

Hi,

Did you try pinging the IP address configured on the router Ethernet interface, 10.170.63.20?

Can you try that and check?

AFAIK in dial-up connections you usually get the IP address received on the dialer adapter as your default gateway.

Regards

In the meantime I got another tip from my friend, who has been working on Cisco a little longer, and he confirmed my suspicion that it is probably because split tunneling is not configured. Answering your question: yes, the gateway .20 is pingable.

Hello,

Looking through the config and the description of the problem, it seems that you are able to connect but not pass traffic.

You have NAT configured, and for the VPN client to access your internal network you need to modify the NAT rule, which is

ip nat inside source list 100 interface Serial0/0.1 overload

ip access-list extended 100

1 deny ip 10.170.56.0 0.0.7.255 10.170.63.0 0.255.255.255

This will fix the problem, but there are other issues. If you look at the subnet mask assigned to the VPN client, it is a class A mask, but you are using VLSM on your internal networks.

So the router is going to deny NAT for traffic from 10.170.56.x to 10.x.x.x.

What I would suggest is to change the IP pool assignment to something like 192.168.63.0/24, which will automatically set the subnet mask 255.255.255.0 on the VPN client adapter, since that range falls in the class C category.

If you are going to change the IP pool, then your ACL 100 should look like

access-list 100 deny ip 10.170.56.0 0.0.7.255 192.168.63.0 0.0.0.255

access-list 100 permit ip 10.170.56.0 0.0.7.255 any

Hope this helps to resolve your issue.

Rate it, if it helps.

Cheers,

Gilbert
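Gilbert's NAT-exemption ACL and the split-tunnel point raised in the reply above (the client's own address appearing as the default gateway is what the Cisco VPN client does when no split-tunnel ACL is pushed, so every packet is sent into the tunnel) are the two pieces most people get wrong on an IOS Easy VPN server. The fragment below is an added example, not the configuration attached to the original post. It assumes the LAN is 10.170.56.0/21 behind FastEthernet0/0, that Serial0/0.1 is the Frame Relay point-to-point subinterface and NAT outside interface, and that the VPN pool is moved to 192.168.63.0/24 as Gilbert suggested; the names VPN-XAUTH, VPN-GROUP, VPNGROUP, VPNPOOL, VPNSET, DYNMAP, CMAP, ACL 110 and the placeholder keys and user are invented for the example.

```cisco
! Added example (not the poster's attached config). Assumed topology:
!   LAN 10.170.56.0/21 on FastEthernet0/0 (NAT inside)
!   Frame Relay WAN on Serial0/0.1 (NAT outside, crypto map applied)
!   VPN client pool 192.168.63.0/24 (placeholder names throughout)
aaa new-model
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUP local
username vpnuser secret <user-password>
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! Group policy pushed to the client: pool, DNS and the split-tunnel ACL.
! Without "acl 110" the client tunnels everything and its adapter shows
! its own address as the default gateway, exactly as in the ipconfig above.
crypto isakmp client configuration group VPNGROUP
 key <group-preshared-key>
 dns 194.x.x.x
 pool VPNPOOL
 acl 110
!
crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set VPNSET
 reverse-route
!
crypto map CMAP client authentication list VPN-XAUTH
crypto map CMAP isakmp authorization list VPN-GROUP
crypto map CMAP client configuration address respond
crypto map CMAP 10 ipsec-isakmp dynamic DYNMAP
!
! Pool taken from a class C range so the client adapter gets a /24 mask.
ip local pool VPNPOOL 192.168.63.1 192.168.63.254
!
! NAT ACL: the deny must precede the permit. Without it, replies from the
! LAN to a VPN client are translated to the Serial0/0.1 address on the
! way out and never match the IPsec SA, so the client sees no traffic.
access-list 100 deny   ip 10.170.56.0 0.0.7.255 192.168.63.0 0.0.0.255
access-list 100 permit ip 10.170.56.0 0.0.7.255 any
!
! Split-tunnel ACL: only these destinations are routed into the tunnel;
! the client's Internet traffic stays on its local connection.
access-list 110 permit ip 10.170.56.0 0.0.7.255 any
!
ip nat inside source list 100 interface Serial0/0.1 overload
!
interface FastEthernet0/0
 ip nat inside
!
interface Serial0/0.1 point-to-point
 ip nat outside
 crypto map CMAP
```

Two checks after applying it: `show crypto ipsec sa` should show the encaps and decaps counters both increasing while the client pings a LAN host, and `show ip nat translations` should show no entries for the 192.168.63.0/24 destinations. If the pool must stay in 10.170.63.x as the poster's manager requires, the deny line only needs its destination changed to that pool; the /8 mask the client adapter gets from a class A address does not affect the router-side ACL, it only widens what the client considers on-link. Note that the client-side split tunnel is a trade-off: it removes the need for the router to hairpin client Internet traffic, but it lets a compromised client bridge the Internet and the LAN. The group pre-shared key is exchanged in IKEv1 aggressive mode and is the weakest element of this design; keep it long and random and rely on the per-user XAUTH credentials, or move to certificate authentication.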

Hi, I did rate your post, thanks, but I already figured out why there was no traffic before. I'm going to leave the config with 10.x.x.x IPs for the VPN due to our manager's request, so it has to be a /8 mask. Again, thanks anyway; you are correct.
