Cisco VPN client to 837

mlebron
Level 1

I am trying to get the Cisco VPN client v 4.8 to connect to an 837. The tunnels come up but I am unable to pass traffic. Attached is a config. Any and all help is appreciated


5 Replies

dominic.caron
Level 5

Hi there

I think your problem is the placement of your crypto map. Your traffic must pass through the crypto map while going out. Place it on the dialer interface, and if you have to use a loopback interface as the source in your setup, use the

crypto map (mapname) local-address (interface)

command.

I did that and here is the error that I am now getting:

*Nov 14 10:09:26.980: IPSEC(crypto_ipsec_process_proposal): invalid local address x.x.x.x

Oops, scratch that last post. A typo on my part. I am now able to connect and I see packets encrypting and decrypting, but when I try to connect to something on the inside network I get nothing. I ping something and the IP address of the d1 interface responds.

example... ping server01

Pinging server01.xxx[192.168.1.250] with 32 bytes of data:

Reply from [d1 int ip add]: bytes=32 time=71ms TTL=127

Reply from [d1 int ip add]: bytes=32 time=41ms TTL=127

Reply from [d1 int ip add]: bytes=32 time=58ms TTL=127

Reply from [d1 int ip add]: bytes=32 time=34ms TTL=127

The name resolves correctly to 192.168.1.250, but the traffic never gets to it.

OK, your IPsec tunnel is now OK, I think. You now have a NAT issue...

ip nat inside source list 102 interface Dialer1 overload

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

When the VPN connects, your local pool assigns an IP in 192.168.2.X. If you ping a server in the 192.168.1.X network, when the answer comes back to the router it will get "NATed" because it matches the ACL (source 192.168.1.X and destination any).

This is why you are getting the d1 ip address in your ping.

I use a route map to do this, but I guess you can also use an ACL; just make it something like this...

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 102 permit ip 192.168.1.0 0.0.0.255 any
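To make the first-match behaviour of list 102 concrete, here is an added Python model of how the NAT ACL is evaluated against the reply packet (example code written for this thread, not from the original post or from Cisco IOS). It assumes a VPN client at 192.168.2.10 and an internet host at 203.0.113.7, both constructed values.

```python
import ipaddress

# Constructed copies of the two versions of access-list 102 from the thread.
# Entry format: (action, src network, src wildcard, dst network, dst wildcard);
# "any" is written the IOS way as network 0.0.0.0 with wildcard 255.255.255.255.
ORIGINAL_ACL_102 = [
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]
FIXED_ACL_102 = [
    ("deny",   "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0",     "255.255.255.255"),
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match exactly, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


def will_be_natted(acl, src: str, dst: str) -> bool:
    """'ip nat inside source list 102 ...' translates only packets the list permits."""
    return acl_action(acl, src, dst) == "permit"


if __name__ == "__main__":
    # Ping reply from server01 back to the VPN client (constructed pool address).
    reply = ("192.168.1.250", "192.168.2.10")
    print("original ACL translates VPN reply:", will_be_natted(ORIGINAL_ACL_102, *reply))
    print("fixed ACL translates VPN reply:   ", will_be_natted(FIXED_ACL_102, *reply))
    # Ordinary internet-bound traffic from the LAN must still be translated.
    print("fixed ACL translates LAN->internet:",
          will_be_natted(FIXED_ACL_102, "192.168.1.50", "203.0.113.7"))
```

With the original list the reply is translated to the Dialer1 address, which is exactly the "Reply from [d1 int ip add]" seen in the ping output; with the deny entry in front the reply goes back to the client untouched while LAN-to-internet traffic is still overloaded.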

That was it... thanks!
