
Cisco IOS VPN Trouble - Client connects but can not talk across tunnel


rainman

ISP
Mar 22, 2001
186
US
Hello,

I recently set up Cisco IOS VPN and I am having some trouble. I am able to get remote VPN clients to successfully connect and get an IP address; however, they cannot communicate with anything across the tunnel. Also, I checked the router running VPN IOS and there is an "Incomplete" MAC address listed for the IP of the remote client when I do a "show arp":

RTR01#show arp | i 192.168.1
FastEthernet0/0.1
Internet 192.168.1.231 0 Incomplete ARPA


Here is my IOS VPN configuration:

username test password test
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
! NOTE ADDED BELOW ENTRY PER A SUGGESTION BUT DID NOT MAKE A DIFFERENCE
!
crypto isakmp invalid-spi-recovery
!
!
crypto isakmp client configuration group VPNGROUP
key VPNKEY
dns x.x.x.x y.y.y.y
domain mydomain.com
pool ippool

crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset

crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/1
desc TO CABLE MODEM ISP
ip address dhcp
crypto map clientmap
!
!
ip local pool ippool 192.168.1.230 192.168.1.240
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255


One thing I might add is that when I watch the statistics window on the client, I see 0 bytes received, but bytes transmitted does increment (I am also seeing packets encrypted incrementing, and also discarded / bypassed).

I am running IOS version 12.4(10) and have tried Cisco VPN clients 4.8 and various versions of 5.x. All have the same issue. The OS is Microsoft Windows XP SP3 (I do not have a way to test on anything else at the moment).


Thanks for any input!


-Rainman
 
Thanks for the response, but I do not understand why. The IPs that I am handing out for the VPN pool are 192.168.1.230-240, which is in the same subnet as the local LAN (int FE0/0 is 192.168.1.1/24). The other reason I do not understand why the VPN pool range has to be excluded from NAT is that they should require no translation to talk to local hosts on the 192.168.1.0/24 subnet, and in addition they should be able to go back out through the internet connection (via NAT overload covering the entire /24). Do I need to use a totally different subnet for the VPN pool and keep it separate from the subnet I am using for the local LAN on FE0/0?


Thanks,

Rainman
 
No---I have mine set up that way, but the VPN pool gets NATted back out in order to be assigned to the client computer. You don't want that! Trust me on this, bro---been down that road!
Post a sh access-list and I will show you how.

Burt
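The NAT exemption Burt is referring to, as an added example that is not from the thread or from either poster. It assumes the poster's addressing (LAN 192.168.1.0/24 on FastEthernet0/0.1, VPN pool 192.168.1.230-240, Internet on FastEthernet0/1) and that FE0/0.1 carries `ip nat inside` and FE0/1 `ip nat outside`, which the posted snippet does not show.

```cisco
! Added example, not the poster's config. Assumes LAN 192.168.1.0/24 on
! FastEthernet0/0.1 (ip nat inside), pool 192.168.1.230-240, and
! FastEthernet0/1 as the NAT outside / crypto map interface.
!
! --- As posted: standard ACL 1 matches every 192.168.1.x source.
! --- On the inside-to-outside path IOS applies NAT before crypto, so a
! --- LAN host's reply to a VPN client is translated to the FE0/1
! --- address before it is encrypted, which breaks the return path.
! ip nat inside source list 1 interface FastEthernet0/1 overload
! access-list 1 permit 192.168.1.0 0.0.0.255
!
! --- Corrected: an extended ACL, evaluated top-down. In a NAT ACL a
! --- deny entry means "do not translate", so LAN-to-VPN-client traffic
! --- is left untouched and only LAN-to-Internet traffic is overloaded.
! --- 192.168.1.224 0.0.0.31 covers .224-.255, a superset of the pool,
! --- because 230-240 cannot be expressed with a single wildcard mask.
ip access-list extended NAT-INSIDE
 remark Exempt LAN traffic destined to VPN pool addresses from NAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.1.224 0.0.0.31
 remark Everything else from the LAN is overloaded onto FE0/1
 permit ip 192.168.1.0 0.0.0.255 any
!
no ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source list NAT-INSIDE interface FastEthernet0/1 overload
!
! Checks after applying (standard IOS show commands):
!   show access-lists NAT-INSIDE   - the deny line's hit counter should
!                                    climb when a LAN host answers a client
!   show ip nat translations       - no entries with an inside local
!                                    address talking to 192.168.1.230-240
```

If the pool is later moved to its own subnet, as rainman asks about, the deny line is the only thing that changes: replace the 192.168.1.224 0.0.0.31 destination with the new pool's network and wildcard.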
 