11-15-2006 06:39 AM
I am trying to get the Cisco VPN client v 4.8 to connect to an 837. The tunnels come up but I am unable to pass traffic. Attached is a config. Any and all help is appreciated
11-15-2006 06:59 AM
Hi there
I think your problem is the placement of your crypto map. Your traffic must pass through the crypto map while going out. Place it on the dialer interface and if you have to use a loopback interface as the source in your setup, use the
crypto map (mapname) local-address (interface)
command.
11-15-2006 07:26 AM
I did that and here is the error that I am now getting:
*Nov 14 10:09:26.980: IPSEC(crypto_ipsec_process_proposal): invalid local address x.x.x.x
11-15-2006 07:59 AM
Oops, scratch that last post. A typo on my part. I am now able to connect and I see packets encrypting and decrypting, but when I try to connect to something on the inside network I get nothing. I ping something and the IP address of the d1 interface responds.
example... ping server01
Pinging server01.xxx[192.168.1.250] with 32 bytes of data:
Reply from [d1 int ip add]: bytes=32 time=71ms TTL=127
Reply from [d1 int ip add]: bytes=32 time=41ms TTL=127
Reply from [d1 int ip add]: bytes=32 time=58ms TTL=127
Reply from [d1 int ip add]: bytes=32 time=34ms TTL=127
the name resolves correctly to 192.168.1.250 but the traffic never gets to it.
11-15-2006 08:27 AM
Ok, your IPsec tunnel is now ok I think. You now have a NAT issue...
ip nat inside source list 102 interface Dialer1 overload
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
When the VPN connects, your local pool assigns an IP in 192.168.2.X. If you ping a server in the 192.168.1.X network, when the answer comes back to the router it will get "nated" because it matches the ACL (source 192.168.1.X and destination any).
This is why you are getting the d1 IP address in your ping.
I use a route map to do this but I guess you can also use an ACL, just make it something like this...
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
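As an added illustration (not from the thread or its author), the Python sketch below models the first-match lookup that "ip nat inside source list 102 interface Dialer1 overload" performs against ACL 102, using IOS wildcard-mask semantics. It evaluates the server's reply to a VPN client under the ACL as posted and under the ACL with the deny entry in front, so you can see why the reply is translated to the Dialer1 address in the first case and left alone in the second. The Dialer1 address and the client address are constructed placeholders; only the two 192.168.x.0/24 networks come from the thread.

```python
import ipaddress

# Constructed sample addresses (not from the thread): the Dialer1 public
# address is a documentation-range placeholder; the client address is an
# assumed member of the 192.168.2.0/24 VPN pool mentioned in the reply.
DIALER1_IP = "203.0.113.1"
VPN_CLIENT_IP = "192.168.2.10"
INSIDE_SERVER_IP = "192.168.1.250"

# ACL 102 as posted: replies to the VPN pool match the permit and get translated.
ORIGINAL_ACL = [
    "access-list 102 permit ip 192.168.1.0 0.0.0.255 any",
]
# ACL 102 with the NAT-exemption deny placed before the permit.
FIXED_ACL = [
    "access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 102 permit ip 192.168.1.0 0.0.0.255 any",
]


def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask test: 0 bits in the mask must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_addr(tokens, i):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src, dst)."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "ip":
        raise ValueError("only extended 'ip' entries are modelled: " + line)
    action = t[2]
    src, i = _parse_addr(t, 4)
    dst, _ = _parse_addr(t, i)
    return action, src, dst


def acl_permits(acl_lines, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for line in acl_lines:
        action, (snet, swc), (dnet, dwc) = parse_ace(line)
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False


def nat_outbound(acl_lines, src, dst):
    """Source address a packet carries after the inside-source NAT rule has
    looked at it: the Dialer1 address when ACL 102 permits the packet,
    otherwise the original source (no translation)."""
    return DIALER1_IP if acl_permits(acl_lines, src, dst) else src


if __name__ == "__main__":
    for name, acl in (("as posted", ORIGINAL_ACL), ("with deny", FIXED_ACL)):
        seen = nat_outbound(acl, INSIDE_SERVER_IP, VPN_CLIENT_IP)
        print(f"ACL 102 {name}: reply from {INSIDE_SERVER_IP} reaches the client as {seen}")
```

The deny entry has to come before the permit: ACL evaluation stops at the first match, so a deny placed after "permit ... any" would never be reached. The third check in the test also confirms that traffic from the inside LAN to an address outside the VPN pool is still translated, which is the behaviour the overload rule is there for.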
11-15-2006 08:40 AM
That was it... thanks!