Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
580
Views
0
Helpful
6
Replies

easyVPN remote problem

tsmarcyes
Level 1
Level 1

‎03-10-2007 10:21 PM

Setup

-871 EasyVPN Remote (client mode)connecting to VPN3000

-tunnel comes up fine

-loopback gets an ip from VPN3000 LAN side

-can ping from loopback int to hosts on 3000 LAN side just fine

-cant ping from any other interface

-vlan1 is inside easyVPN, fast4 is outside easyVPN

how do you I get the packets to be translated to the ip on the loopback interface in order to travel through the tunnel? Supposedely, easyvpn is supposed to setup NAT/PAT for you.

Labels:
0 Helpful
6 Replies 6

johnd2310
Level 8
Level 8

‎03-11-2007 01:42 AM

yes, easy vpn supports NAT/PAT. ping from router may not work cause that traffic is not uing the tunnel. you will need to ping from a host connected to the 871. If you nat and easy vpn is configured correctly then it should all work.

http://www.cisco.com/en/US/products/ps6635/products_data_sheet09186a00801541d5.html

**Please rate posts you find helpful**
0 Helpful

tsmarcyes
Level 1
Level 1
In response to johnd2310

‎03-11-2007 11:27 AM

I tried to ping from a client connected to the 871. it doesnt work. The only ping that will work is from the loopback interface that has the ip given to it from the 3000. This makes sense of course because the IP is on the same subnet as the LAN side of the 3000.

You said that easyvpn supports NAT, but do you have to explicitly configure it when in client mode or does easyvpn configure it for you?

Here is my config for the 871

Preview file
2 KB
0 Helpful

johnd2310
Level 8
Level 8
In response to tsmarcyes

‎03-11-2007 03:15 PM

hi,

your config looks fine. You might need to check the policy on the concentrator. Are you tunneling everything or are you doing split tunnelling. You can check the policy the 871 is receiving using "show crypto ipsec client ezvpn"

**Please rate posts you find helpful**
0 Helpful

tsmarcyes
Level 1
Level 1
In response to johnd2310

‎03-11-2007 04:01 PM

i did the show crypto ipsec client ezvpn and it doesnt show anything about a policy or anything. It shows what interfaces are inside/outside, current peer, current state = active, dns servers, tunnel name...

It saids nothing of a policy or whats be tunneled.

Does split tunneling cause problems?

0 Helpful

johnd2310
Level 8
Level 8
In response to tsmarcyes

‎03-12-2007 03:40 AM

"show crypto ipsec client ezvpn" should show you what settings the 871 is receiving from the concentrator. If you are using split tunneling then the above command should show you what addresses will be tunneled e.g. following line might appear in output of above command

Split Tunnel List: 1

Address : 192.168.200.0

Mask : 255.255.255.0

Protocol : 0x0

Source Port: 0

Dest Port : 0

Check your config on the concentrator.

**Please rate posts you find helpful**
0 Helpful

tsmarcyes
Level 1
Level 1
In response to johnd2310

‎03-13-2007 12:39 AM

guess Im not using split tunneling because I'm not seeing that when i issue that command.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents