Cisco Support Community

New Member

configuration for client vpn access on a loopback interface

Hi all,

We tried to configure a router as a server for a client VPN.

We applied the crypto map on a loopback interface.

We put "crypto map VpnConn local-address Loopback0".

We can connect using a Cisco VPN client, but we cannot ping the LAN, not even the IP address of the LAN interface of the router configured as server.

How could we solve this?

  • VPN
2 REPLIES

Re: configuration for client vpn access on a loopback interface

Sounds like a NAT issue. Here is an excellent VPN troubleshooting guide.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Hope that helps.

New Member

Re: configuration for client vpn access on a loopback interface

Hi,

Thanks for the doc.

It seems NAT-T is enabled by default in Cisco IOS.

We use a Cisco router as the VPN server and we don't know what to add.

Below is our config, so you can tell us what's wrong and what's missing.

aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network Grp local
aaa authentication login Usr local
username uuuu privilege 15 password pppp
interface l0
 crypto map IntVpn
interface FastEthernet0/0
 ip address W.W.W.1 255.255.255.240
 ip nat outside
!
interface FastEthernet0/1
 description vers LAN
 ip address R.R.R.1 255.255.255.0
 ip nat inside
ip local pool poolVpn P.P.P.1 P.P.P.254
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 deny ip R.R.R.0 0.0.0.255 P.P.P.0 0.0.0.255
access-list 100 deny icmp R.R.R.0 0.0.0.255 P.P.P.0 0.0.0.255
access-list 100 permit ip R.R.R.0 0.0.0.255 any
crypto isakmp policy 5
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group ClGrp
 key kkkk
 pool poolVpn
 acl 199
crypto isakmp profile ClPrf
 match identity group ClGrp
 client authentication list Usr
 isakmp authorization list Grp
 client configuration address respond
crypto ipsec transform-set TrSet esp-aes esp-sha-hmac
crypto dynamic-map dynVpn 5
 set transform-set TrSet
 set isakmp-profile ClPrf
 reverse-route
!
crypto map IntVpn 3 ipsec-isakmp dynamic dynVpn
access-list 199 permit ip R.R.R.0 0.0.0.255 P.P.P.0 0.0.0.255
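
One way to test the "NAT issue" suggestion against ACL 100 from the posted config, as an added example that is not part of any post in this thread: a first-match evaluator that reports whether a LAN-to-pool packet would be selected by `ip nat inside source list 100`. The concrete addresses stand in for the masked R.R.R.0 and P.P.P.0 and are assumptions, as are the function names.

```python
import ipaddress
import re

# Constructed sample: the thread's ACL 100 with the masked R.R.R.0 and P.P.P.0
# replaced by assumed addresses (LAN 192.168.10.0/24, VPN pool 10.99.0.0/24).
THREAD_ACL = """\
access-list 100 deny ip 192.168.10.0 0.0.0.255 10.99.0.0 0.0.0.255
access-list 100 deny icmp 192.168.10.0 0.0.0.255 10.99.0.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
"""
# Constructed contrast case: the same NAT ACL without the exemption lines.
NO_EXEMPT_ACL = "access-list 100 permit ip 192.168.10.0 0.0.0.255 any\n"

# Handles numbered extended ACL entries without port or option keywords.
ACE = re.compile(r"access-list (\d+) (permit|deny) (\w+) (.+)")

def _take_net(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _covers(net, addr):
    base, wild = net
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 0 must match exactly
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def is_translated(acl_text, acl_id, proto, src, dst):
    """First-match evaluation; True means the NAT rule would translate the packet."""
    for line in acl_text.splitlines():
        m = ACE.match(line.strip())
        if not m or m.group(1) != str(acl_id):
            continue
        action, ace_proto, tokens = m.group(2), m.group(3), m.group(4).split()
        src_net, dst_net = _take_net(tokens), _take_net(tokens)
        if ace_proto in ("ip", proto) and _covers(src_net, src) and _covers(dst_net, dst):
            return action == "permit"
    return False  # implicit deny at the end of the ACL: no translation

if __name__ == "__main__":
    for name, acl in (("thread ACL", THREAD_ACL), ("no exemption", NO_EXEMPT_ACL)):
        hit = is_translated(acl, 100, "icmp", "192.168.10.20", "10.99.0.5")
        print(f"{name}: LAN -> VPN pool ping reply translated = {hit}")
```

With the deny entries ahead of the permit, as in the posted ACL 100, replies from the LAN to the VPN pool are exempt from the overload translation; the contrast ACL shows the failure the NAT hypothesis describes.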
