New Member

What am I missing?

I can connect to the router using Cisco VPN client 5.0.07.0440. I get my IP from the pool but can't ping the 192.168.8.1 gw nor anything on the 192.168.8.x network.

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: What am I missing?

Use a different IP pool (unused private IP range in your network) and make sure that on the internal additional routing nodes you have a route pointing to the correct terminal router.

To be sure that I am working in the right direction, enable RRI and try to ping the router interface itself.

Also try taking Wireshark captures on the virtual adapter of the Cisco client.

9 REPLIES

What am I missing?

Hi Jeff,

Please remove this line.

ip nat inside source list 1 interface Dialer1 overload

Please create a no-nat for vpn-client traffic and inside network traffic.

ip access-list extended PAT_ACL
deny   ip 192.168.6.0 255.255.255.0 192.168.8.0 255.255.255.0
permit ip 192.168.6.0 255.255.255.0  any

ip nat inside source list PAT_ACL interface Dialer1 overload

Please let me know, if that helps.

thanks

Rizwan Rafeek

Re: What am I missing?

It was my bad. The config is correct but mask must be inverse mask.

ip access-list extended PAT_ACL
deny   ip 192.168.6.0 0.0.0.255 192.168.8.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 any

You must have copied it, just the way I told you to, right?

Please let me know, if that helps.

thanks

Look forward to hearing from you.

New Member

Re: What am I missing?

Still can't ping the int on router. Outbound traffic works from inside

Re: What am I missing?

Well, Jeff.

Here is your network setup.

interface FastEthernet0/0

description MVVC Inside

ip address 192.168.8.1 255.255.255.0

and your VPN pool is in the same range; basically they overlap.

ip local pool MVVC-VPN 192.168.8.98 192.168.8.128

Here is a table to narrow down the IPs coming off your DHCP pool.

| Subnet | Network Address | Starting Host | End Host | Broadcast | Netmask |
|---|---|---|---|---|---|
| 0 | 192.168.8.0 | 192.168.8.1 | 192.168.8.30 | 192.168.8.31 | 255.255.255.224 |
| 1 | 192.168.8.32 | 192.168.8.33 | 192.168.8.62 | 192.168.8.63 | 255.255.255.224 |
| 2 | 192.168.8.64 | 192.168.8.65 | 192.168.8.94 | 192.168.8.95 | 255.255.255.224 |
| 3 | 192.168.8.96 | 192.168.8.97 | 192.168.8.126 | 192.168.8.127 | 255.255.255.224 |
| 4 | 192.168.8.128 | 192.168.8.129 | 192.168.8.158 | 192.168.8.159 | 255.255.255.224 |
| 5 | 192.168.8.160 | 192.168.8.161 | 192.168.8.190 | 192.168.8.191 | 255.255.255.224 |
| 6 | 192.168.8.192 | 192.168.8.193 | 192.168.8.222 | 192.168.8.223 | 255.255.255.224 |
| 7 | 192.168.8.224 | 192.168.8.225 | 192.168.8.254 | 192.168.8.255 | 255.255.255.224 |

This is one alternative you can try: narrow down the IP addresses coming off the VPN DHCP pool into the ACL as "192.168.8.96 0.0.0.31", which is network "3" in the above table, so your ACL would look as below for no-nat. However, if that does not work, you have to recreate a completely separate network segment which does not overlap with any of your physical interfaces or internal networks.

ip access-list extended PAT_ACL
deny   ip 192.168.6.0 0.0.0.255 192.168.8.96 0.0.0.31
permit ip 192.168.6.0 0.0.0.255 any

I hope that makes sense to you.

Let me know please

thanks
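
The overlap and wildcard-mask checks discussed in the post above, as an added example that is not part of the original thread: it uses Python's standard `ipaddress` module with the pool, interface and ACL values quoted in the posts, and the function names are hypothetical. It shows that the pool as configured (ending at 192.168.8.128) is not fully matched by "192.168.8.96 0.0.0.31".

```python
import ipaddress

def pool_blocks(first, last):
    """Smallest list of CIDR blocks covering exactly first..last."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def overlaps_interface(first, last, interface):
    """True if any pool address lies inside the interface's connected subnet."""
    net = ipaddress.ip_interface(interface).network
    return any(b.overlaps(net) for b in pool_blocks(first, last))

def acl_covers_pool(first, last, acl_addr, acl_wildcard):
    """True if the ACL match 'acl_addr acl_wildcard' includes the whole pool."""
    # ipaddress accepts the Cisco-style inverse (wildcard) mask after the slash.
    net = ipaddress.ip_network(f"{acl_addr}/{acl_wildcard}")
    return all(b.subnet_of(net) for b in pool_blocks(first, last))

def no_nat_entries(inside, first, last):
    """deny lines (wildcard-mask form) exempting inside -> pool traffic from PAT."""
    src = ipaddress.ip_network(inside)
    return [f"deny   ip {src.network_address} {src.hostmask} "
            f"{b.network_address} {b.hostmask}"
            for b in pool_blocks(first, last)]

if __name__ == "__main__":
    # Values taken from the thread: pool MVVC-VPN and FastEthernet0/0.
    first, last = "192.168.8.98", "192.168.8.128"
    print("overlaps Fa0/0:", overlaps_interface(first, last, "192.168.8.1/24"))
    print("covered by 192.168.8.96 0.0.0.31:",
          acl_covers_pool(first, last, "192.168.8.96", "0.0.0.31"))
    # ACL source network as written in the thread's PAT_ACL.
    for line in no_nat_entries("192.168.6.0/24", first, last):
        print(line)
```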

New Member

Re: What am I missing?

Well, it would seem my math was right when I looked at the DHCP server; I just started from the wrong IP. Corrected the pool. Here is the VPN client log:

8 06:24:57.271 03/15/12 Sev=Warning/3 IKE/0xE3000085
The length, 0, of the Mode Config option, INTERNAL_IPV4_NETMASK, is invalid

9 06:25:01.490 03/15/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.252.255
Netmask 255.255.255.255
Gateway 192.168.8.1
Interface 192.168.8.98

10 06:25:01.490 03/15/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a8fcff, Netmask: ffffffff, Interface: c0a80862, Gateway: c0a80801.

The problem is a routing issue. I get my IP from the router, but can't ping the router from the pc running the client.

Re: What am I missing?

Hi Jeff,

You stated this: "I get my IP from the router, but can't ping the router from the pc running the client."

I assume you meant "running the client" is VPN client software, right? If so, then you must be trying to initiate a VPN session while connected to the inside network, correct? Please answer "yes" or "no".

If you are coming behind the interface "FastEthernet0/1" and/or "FastEthernet0/0" as per your setup, you cannot initiate a VPN session while already connected to inside the network.

Thanks

Look forward to hearing from you.

New Member

Re: What am I missing?

I assume, you meant "running the client" is VPN client software, right? Yes

if then you must be trying to initiate a VPN session while connected to inside network, correct? No

Re: What am I missing?

"can't ping the router from the pc running the client."

If you cannot ping the router from the PC, then it appears that your PC and router are not on the same network. I assume that your PC is connected to an inside switch that is connected to the inside interface of your router.

This problem is a different issue as far as this thread is discussing, as "I can connect to the router using Cisco VPN client 5.0.07.0440."

Gee.  I am confused.
