Cisco Support Community
New Member

Cisco VPN client to 837

I am trying to get the Cisco VPN client v 4.8 to connect to an 837. The tunnels come up but I am unable to pass traffic. Attached is a config. Any and all help is appreciated.

1 ACCEPTED SOLUTION

Re: Cisco VPN client to 837

Hi there

I think your problem is the placement of your crypto map. Your traffic must pass through the crypto map while going out. Place it on the dialer interface, and if you have to use a loopback interface as the source in your setup, use the

crypto map (mapname) local-address (interface)

command.

5 REPLIES

New Member

Re: Cisco VPN client to 837

I did that and here is the error that I am now getting:

*Nov 14 10:09:26.980: IPSEC(crypto_ipsec_process_proposal): invalid local address x.x.x.x

New Member

Re: Cisco VPN client to 837

Oops, scratch that last post. A typo on my part. I am now able to connect and I see packets encrypting and decrypting, but when I try to connect to something on the inside network I get nothing. I ping something and the IP address of the d1 interface responds.

example... ping server01

Pinging server01.xxx[192.168.1.250] with 32 bytes of data:

Reply from [d1 int ip add]: bytes=32 time=71ms TTL=127

Reply from [d1 int ip add]: bytes=32 time=41ms TTL=127

Reply from [d1 int ip add]: bytes=32 time=58ms TTL=127

Reply from [d1 int ip add]: bytes=32 time=34ms TTL=127

The name resolves correctly to 192.168.1.250 but the traffic never gets to it.

Re: Cisco VPN client to 837

OK, your IPsec tunnel is now OK, I think. You now have a NAT issue...

ip nat inside source list 102 interface Dialer1 overload

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

When the VPN connects, your local pool assigns an IP in 192.168.2.X. If you ping a server in the 192.168.1.X network, when the answer comes back to the router, it will get "NATed" because it matches the ACL (source 192.168.1.X and destination any).

This is why you are getting the d1 ip address in your ping.

I use a route map to do this, but I guess you can also use an ACL; just make it something like this...

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 102 permit ip 192.168.1.0 0.0.0.255 any
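
The ACL logic from the reply above, worked through as an added example (not part of the original post and not Cisco code): a small Python model of first-match ACL evaluation with wildcard masks, showing why the server's reply to a VPN client is translated under the original access-list 102 and left untranslated once the deny line comes first. The client address 192.168.2.10, the Internet address 203.0.113.5 and all function names are constructed for illustration.

```python
import ipaddress

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC WILDCARD (DST WILDCARD | any)'."""
    tok = line.split()
    action, rest = tok[2], tok[4:]

    def take(rest):
        if rest[0] == "any":
            return (0, 0xFFFFFFFF), rest[1:]
        addr = int(ipaddress.IPv4Address(rest[0]))
        wild = int(ipaddress.IPv4Address(rest[1]))
        return (addr, wild), rest[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    return action, src, dst

def matches(spec, ip):
    addr, wild = spec
    # Wildcard bits set to 1 are "don't care"; compare only the remaining bits.
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def nat_translates(acl_lines, src, dst):
    """True if the packet is selected for NAT overload (first matching entry wins)."""
    for line in acl_lines:
        action, s, d = parse_ace(line)
        if matches(s, src) and matches(d, dst):
            return action == "permit"
    return False  # implicit deny at the end of every ACL

# ACL lines as they appear in the thread.
ORIGINAL = ["access-list 102 permit ip 192.168.1.0 0.0.0.255 any"]
FIXED = [
    "access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 102 permit ip 192.168.1.0 0.0.0.255 any",
]
MISORDERED = list(reversed(FIXED))  # deny placed after permit never matches

# Constructed packets: server reply to a VPN client, and ordinary Internet traffic.
REPLY_TO_VPN = ("192.168.1.250", "192.168.2.10")
TO_INTERNET = ("192.168.1.250", "203.0.113.5")

if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL), ("fixed", FIXED), ("misordered", MISORDERED)]:
        print(name, nat_translates(acl, *REPLY_TO_VPN), nat_translates(acl, *TO_INTERNET))
```

The misordered case shows that the deny entry only takes effect when it precedes the broader permit, since evaluation stops at the first match.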

New Member

Re: Cisco VPN client to 837

That was it... thanks!
