default gateway for vpngroup

pschneider (Level 1)

Is there a way to configure a default gateway in the vpngroup?

When I configure split-tunnel for my vpngroup, they see the web but have no local LAN access. If I remove split-tunnel from the config, they have local LAN access but of course no web access, because everything is encrypted at that point.

I did an ipconfig /all in both scenarios and found that with split-tunnel there is no default gateway specified for the virtual adapter; without split-tunnel, the default gateway on the virtual adapter is the IP address of the logged-in VPN client.


7 Replies

Patrick Iseli (Level 7)

No, it is not possible to set the default gateway in the vpngroup. But with split-tunnel you should be able to access the Internet and the local LAN at the same time.

You have a problem in your split-tunnel setup!

Here is an example of the split-tunnel setup:

access-list SplitTunnelACL permit ip vpnpool-net 255.255.255.0 any

vpngroup VPNGroup split-tunnel SplitTunnelACL

sincerely

Patrick

Here is my config:

access-list split; 1 elements

access-list split line 1 permit ip 192.168.1.0 255.255.255.0 any

vpngroup myvpn split-tunnel split

The 192 address is my VPN pool.

It does not work. What else could be wrong? I cannot ping the PIX or the DNS server attached to the PIX. I do get web access using split-tunnel.

Can you tell what is working exactly?

A lot of things could be wrong!

1.) The VPN tunnel can be established, but nothing on the LAN behind the VPN server can be accessed:

Verification:

If you open the Statistics window in the Cisco VPN Client you only see an Encrypted packet count but ZERO Decrypted packets.

Solution:

The remote VPN peer does not have "isakmp nat-traversal 20" configured. This problem appears when you are behind a device that uses NAT and PAT.

See: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312

2.) Compare your VPN client config with my example:

access-list NONAT permit ip Internalnet ISubnet VPN-Pool 255.255.255.0

nat (inside) 0 access-list NONAT

access-list DYN-VPN-ACL permit ip Internalnet ISubnet VPN-Pool 255.255.255.0

aaa-server LOCAL protocol local

aaa authentication secure-http-client

sysopt connection permit-ipsec

crypto ipsec transform-set TRANS esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address DYN-VPN-ACL

crypto dynamic-map outside_dyn_map 20 set transform-set TRANS

crypto map REMOTE 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map REMOTE client authentication LOCAL

crypto map REMOTE interface outside

isakmp enable outside

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

ip local pool VPNPool x.y.z.1-x.y.z.254

vpngroup VPNGroup address-pool VPNPool

vpngroup VPNGroup dns-server dns2 dns1

vpngroup VPNGroup default-domain localdomain

vpngroup VPNGroup idle-time 1800

vpngroup VPNGroup password grouppassword

username vpnclient password vpnclient-password

sincerely

Patrick

When I change the local pool from 192.168.1.0 to our actual internal subnet, the VPN works as it should. I have tried the above config using 192.168.1.0 and that's why I seem to have routing problems. If I use our own internal subnet, there are no routing problems. Is it possible to keep the local pool configured that way?

Usually the VPN pool and the internal network should be two different networks. The best way of doing this is to use a class C network.

For example: 192.168.1.0 /24 for the inside network

and 192.168.2.0 /24 for the VPN pool.

Note that the subnet mask for the VPN pool cannot be set and is chosen by the class of the network.
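The two points this thread turns on (the source side of the split-tunnel ACL is what the PIX pushes to the client as the tunneled routes, so it must name the LAN rather than the pool; and the pool must not overlap the LAN) are easy to check mechanically. The following is an added example, not code from the thread or from Cisco: a small parser for the PIX 6.x commands involved plus a checker that reports the mistakes discussed, run over three constructed sample configs (the poster's original layout, the pool-on-the-LAN workaround, and the layout the accepted answer recommends with Patrick's NAT exemption). The inside network 10.1.1.0/24 and the group name myvpn are assumptions; the thread never gives the real LAN.

```python
"""Static check for a PIX 6.x 'vpngroup' split-tunnel setup (added example).

Parses 'ip local pool', 'access-list ... permit ip', 'nat (inside) 0 access-list'
and 'vpngroup' lines, then reports: a split-tunnel ACL whose source networks
(the routes the PIX pushes to the client) do not cover the LAN, an address pool
that overlaps the LAN, and a missing NAT exemption for LAN -> pool traffic.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

INSIDE_LAN = Net("10.1.1.0/24")   # assumed; the thread does not name the real LAN

# Constructed sample 1: the poster's original layout, pool used as the ACL source.
BROKEN_CONFIG = """
ip local pool VPNPool 192.168.1.1-192.168.1.254
access-list split permit ip 192.168.1.0 255.255.255.0 any
vpngroup myvpn address-pool VPNPool
vpngroup myvpn split-tunnel split
"""

# Constructed sample 2: the workaround, pool moved onto the LAN itself.
OVERLAP_CONFIG = """
ip local pool VPNPool 10.1.1.1-10.1.1.254
access-list split permit ip 10.1.1.0 255.255.255.0 any
vpngroup myvpn address-pool VPNPool
vpngroup myvpn split-tunnel split
"""

# Constructed sample 3: distinct pool, LAN as ACL source, LAN -> pool exempt from NAT.
FIXED_CONFIG = """
ip local pool VPNPool 192.168.2.1-192.168.2.254
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
access-list split permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
vpngroup myvpn address-pool VPNPool
vpngroup myvpn split-tunnel split
"""


def _take_net(tokens: List[str]) -> Net:
    """Consume one PIX address spec from tokens: 'any', 'host A', or 'A MASK'."""
    kw = tokens.pop(0)
    if kw == "any":
        return Net("0.0.0.0/0")
    if kw == "host":
        return Net(tokens.pop(0) + "/32")
    return Net(f"{kw}/{tokens.pop(0)}", strict=False)


def parse_pix(text: str) -> Dict:
    """Pick out pools, 'permit ip' ACL entries, the nat 0 ACL and vpngroup settings."""
    cfg: Dict = {"pools": {}, "acls": {}, "nonat": None, "groups": {}}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0][0] in ":!":          # blank or comment line
            continue
        if tok[:3] == ["ip", "local", "pool"]:
            first, last = tok[4].split("-")
            cfg["pools"][tok[3]] = (Addr(first), Addr(last))
        elif tok[0] == "access-list" and "permit" in tok and tok[tok.index("permit") + 1] == "ip":
            rest = tok[tok.index("permit") + 2:]  # also skips an optional 'line N'
            src = _take_net(rest)
            dst = _take_net(rest)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[:2] == ["nat", "(inside)"] and tok[2:4] == ["0", "access-list"]:
            cfg["nonat"] = tok[4]
        elif tok[0] == "vpngroup":
            cfg["groups"].setdefault(tok[1], {})[tok[2]] = tok[3]
    return cfg


def pushed_networks(cfg: Dict, group: str) -> List[Net]:
    """Routes the PIX hands to the client as secured (tunneled) networks:
    the source side of each entry in the group's split-tunnel ACL."""
    acl = cfg["groups"].get(group, {}).get("split-tunnel")
    return [src for src, _ in cfg["acls"].get(acl, [])]


def check_split_tunnel(cfg: Dict, group: str, inside: Net) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings; an empty list means the layout is sound."""
    findings: List[Tuple[str, str]] = []
    first, last = cfg["pools"][cfg["groups"][group]["address-pool"]]
    # The pool and the LAN must be distinct networks.
    if max(first, inside.network_address) <= min(last, inside.broadcast_address):
        findings.append(("pool-overlap", f"pool {first}-{last} overlaps inside network {inside}"))
    # The client tunnels only what the split ACL's source side covers; anything
    # else, including the LAN, leaves via the client's own default gateway.
    routes = pushed_networks(cfg, group)
    if not any(inside.subnet_of(r) for r in routes):
        findings.append(("lan-not-tunneled",
                         f"split-tunnel ACL pushes {[str(r) for r in routes]}, not {inside}"))
    # LAN replies to pool addresses must bypass NAT or they are translated on the
    # way out and no longer match the crypto ACL.
    exempt = cfg["acls"].get(cfg["nonat"], [])
    if not any(inside.subnet_of(s) and first in d and last in d for s, d in exempt):
        findings.append(("no-nat-exempt", f"no 'nat (inside) 0' entry for {inside} -> {first}-{last}"))
    return findings


def audit(text: str, group: str = "myvpn") -> List[str]:
    """Finding codes for a config text, using the assumed inside LAN."""
    return [code for code, _ in check_split_tunnel(parse_pix(text), group, INSIDE_LAN)]


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONFIG), ("overlap", OVERLAP_CONFIG), ("fixed", FIXED_CONFIG)):
        for code, why in check_split_tunnel(parse_pix(text), "myvpn", INSIDE_LAN):
            print(f"{name}: {code}: {why}")
```

Run against a real configuration, replace INSIDE_LAN with the actual inside network and paste the relevant lines of the PIX config into the text; placeholder names such as "Internalnet" in a posted example will not parse and need real addresses.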

I did everything in your posts and now my VPN is working beautifully. Thank you so much!

Hi all,

thanks for your time and assistance. It is working now, the SSH access and the PDM.

Thanks again,