Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Remote Access VPN

concentrator is connected with core switch and server 172.28.31.171(server) is also connected in core switch.

InterVLN routing is working fine. server and conncentrator is able to reach other via core switch.

concentrator private Ip address 172.28.31.92/248

VPN POOL: 172.28.31.128/248

Core switch Ip address is 172.28.31.91

Client is able to connect without any problem, but client not able to ping or connect with any network device.

In VPN session i can see bytes send and receive. My LAN-2-LAN tunnles are working fine without any problem.

No firewall involoved in the path between the concentrator and desired server 172.28.31.171.

Both connected on same switch but different VLAN. Inter VLAN routing is working and both are able to ping.

ONly remote access client 172.28.31.128/248 is not able to reach anywhere.

Core switch routing table

ip route 172.28.0.0 255.255.0.0 172.28.31.68

ip route 172.28.0.0 255.255.224.0 172.28.31.77

ip route 172.28.31.128 255.255.255.248 172.28.31.92

ip route 172.28.32.50 255.255.255.255 172.28.31.92

ip route 172.29.0.0 255.255.0.0 172.28.31.68

Concentrator routing table

172.28.31.160 255.255.255.224 via 172.28.31.91

172.28.92.0 255.255.255.0 via 172.28.31.91

172.29.0.0 255.255.0.0 via 172.28.31.91

192.168.0.0 255.255.0.0 via 172.28.31.91

172.28.31.170 255.255.255.255 via 172.28.31.91

Split tunnel is enable for

172.28.31.88/0.0.0.7

192.168.0.0/0.0.255.255

172.29.0.0/0.0.255.255

172.28.92.0/0.0.0.255

172.28.31.170/0.0.0.0

172.28.31.171/0.0.0.0

4 REPLIES

Re: Remote Access VPN

Hi, Im trying to dicypher your ip scheme and Im seeing something odd,

"ONly remote access client 172.28.31.128/248 is not able to reach anywhere."

you are using 172.28.31.128 for your vpn pool network with a 29bit mask, at least this is what your description entails , this network allows for a range of 8 addresses from 128 to 135, the 172.28.31.128 is the network addresss therefore it cannot be used for assigning it to any host, and 135 is broadcast address.

Jorge

New Member

Re: Remote Access VPN

172.28.31.128/248 is the pool that is defined on the vpn concentrator, client Ip start from 172.28.31.129-172.28.31.133.

client gets the ip 172.28.31.129 and still not able to reach the internal network. my site to site vpn are working fine, only problem with remote access vpn.

Re: Remote Access VPN

On the concentrator in your vpn tunnel group for RA clients , under Client config tab do you have IPsec over UDP checked on, as well as IPec over udp port 1000, this is asuming clients are using default Ipsec over UDP port 1000 in their client settings.

You may also need to enable NAT-transparency under Tunneling Protocol\IPsec\NAT Transparency (Ipsec over NAT-T).

New Member

Re: Remote Access VPN

my dear there is no firewall or NAT device between the client and server, it is simply conncentrator that is connected with switch, and server is also connected with that switch.

102
Views
0
Helpful
4
Replies