04-29-2005 12:36 PM - edited 03-09-2019 11:06 AM
Is there a way to configure a default gateway in the vpngroup?
When I configure split-tunnel for my vpngroup, they see the web but no local LAN access. If I remove split-tunnel from the config, they see local LAN access but of course no web access, because everything is encrypted at that point.
I did an ipconfig /all in both scenarios and found that in split-tunnel there is no default gateway specified for the virtual adapter; without split-tunnel, the default gateway on the virtual adapter is the IP address of the logged-in VPN client.
05-02-2005 03:52 PM
Usually the VPN pool and the internal network should be two different networks. The best way of doing this is using a class C network.
For example: 192.168.1.0/24 for the inside network
and 192.168.2.0/24 for the VPN pool.
Note that the subnet mask for the VPN pool cannot be set and is chosen by the class of the network.
04-30-2005 05:32 AM
No, it is not possible to set the default gateway in the vpngroup. But with split tunnel you should be able to access the Internet and the local LAN at the same time.
You have a problem in your split tunnel setup!!
Here is an example for the split tunnel setup:
access-list SplitTunnelACL permit ip vpnpool-net 255.255.255.0 any
vpngroup VPNGroup split-tunnel SplitTunnelACL
sincerely
Patrick
05-02-2005 06:06 AM
Here is my config:
access-list split; 1 elements
access-list split line 1 permit ip 192.168.1.0 255.255.255.0 any
vpngroup myvpn split-tunnel split
The 192 address is my vpn pool.
It does not work. What else could be wrong? I cannot ping the pix or the dns server attached to the pix. I do get web access using split tunnel.
05-02-2005 09:23 AM
Can you tell what is working exactly?
A lot of things could be wrong !
1.) VPN Tunnel can be established but nothing behind the VPN Server LAN can be accessed:
Verification:
If you open the Statistics Window in the Cisco VPN Client you just see Encrypted packets count but ZERO for Decrypted packets.
Solution:
Remote VPN peer does not have "isakmp nat-traversal 20" configured. This problem appears when you are behind a device that uses PAT and NAT.
2.) Verify your VPN Client config with my example:
access-list NONAT permit ip Internalnet ISubnet VPN-Pool 255.255.255.0
nat (inside) 0 access-list NONAT
access-list DYN-VPN-ACL permit ip Internalnet ISubnet VPN-Pool 255.255.255.0
aaa-server LOCAL protocol local
aaa authentication secure-http-client
sysopt connection permit-ipsec
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address DYN-VPN-ACL
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS
crypto map REMOTE 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map REMOTE client authentication LOCAL
crypto map REMOTE interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ip local pool VPNPool x.y.z.1-x.y.z.254
vpngroup VPNGroup address-pool VPNPool
vpngroup VPNGroup dns-server dns2 dns1
vpngroup VPNGroup default-domain localdomain
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password grouppassword
username vpnclient password vpnclient-password
sincerely
Patrick
05-02-2005 10:00 AM
When I change the local pool from 192.168.1.0 to our actual internal subnet, the vpn works as it should. I have tried the above config using 192.168.1.0 and that's why I seem to have routing problems. If I use our own internal subnet, there are no routing problems. Is it possible to keep the local pool configured that way?
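The overlap diagnosed in this post (a pool carved out of the inside LAN, so the client never knows which side of the tunnel 192.168.1.x lives on) is easy to catch before a client ever connects. The following is an added example, not code from the thread or from Cisco: a small Python lint over a PIX 6.x configuration fragment that checks the points raised in this thread, namely that the pool and the inside network do not overlap, that the split-tunnel ACL does not name the pool itself as its source, that the nat (inside) 0 ACL exempts inside-to-pool traffic, and that isakmp nat-traversal is present. Both sample configs are constructed for this example; the convention that the split-tunnel ACL's source is the protected inside network (with the pool as destination) follows Cisco's PIX 6.x split-tunnel examples and is an assumption of this checker, not something stated in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the broken setup described in the thread:
# the pool is carved out of the inside LAN and the split ACL names the pool.
BROKEN_CONFIG = """
ip address inside 192.168.1.1 255.255.255.0
ip local pool VPNPool 192.168.1.100-192.168.1.200
access-list split permit ip 192.168.1.0 255.255.255.0 any
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
vpngroup myvpn address-pool VPNPool
vpngroup myvpn split-tunnel split
"""

# Constructed sample of the corrected setup: separate /24 for the pool,
# split ACL and NONAT ACL written as inside-network -> pool, NAT-T enabled.
FIXED_CONFIG = """
ip address inside 192.168.1.1 255.255.255.0
ip local pool VPNPool 192.168.2.1-192.168.2.254
access-list split permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
isakmp nat-traversal 20
vpngroup myvpn address-pool VPNPool
vpngroup myvpn split-tunnel split
"""

Net = ipaddress.IPv4Network
AclEntry = Tuple[Net, Optional[Net]]  # (source, destination or None for "any")


@dataclass
class PixVpnConfig:
    inside: Optional[Net] = None
    pool_first: Optional[ipaddress.IPv4Address] = None
    pool_last: Optional[ipaddress.IPv4Address] = None
    split_acl: Optional[str] = None
    nonat_acl: Optional[str] = None
    acls: Dict[str, List[AclEntry]] = field(default_factory=dict)
    nat_traversal: bool = False


def _net(addr: str, mask: str) -> Net:
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_pix_config(text: str) -> PixVpnConfig:
    """Pick out only the lines this checker cares about; everything else is ignored."""
    cfg = PixVpnConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address inside (\S+) (\S+)$", line):
            cfg.inside = _net(m[1], m[2])
        elif m := re.match(r"ip local pool \S+ (\S+)-(\S+)$", line):
            cfg.pool_first, cfg.pool_last = ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2])
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (any|(\S+) (\S+))$", line):
            dst = None if m[4] == "any" else _net(m[5], m[6])
            cfg.acls.setdefault(m[1], []).append((_net(m[2], m[3]), dst))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            cfg.nonat_acl = m[1]
        elif m := re.match(r"vpngroup \S+ split-tunnel (\S+)$", line):
            cfg.split_acl = m[1]
        elif re.match(r"isakmp nat-traversal( \d+)?$", line):
            cfg.nat_traversal = True
    return cfg


def covering_network(first: ipaddress.IPv4Address, last: ipaddress.IPv4Address) -> Net:
    """Smallest prefix holding the whole pool range; stands in for the mask the PIX picks itself."""
    net = ipaddress.IPv4Network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net


def check_vpn_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means the checks all passed."""
    cfg = parse_pix_config(text)
    if cfg.inside is None or cfg.pool_first is None:
        return ["inside interface address or ip local pool not found"]
    pool = covering_network(cfg.pool_first, cfg.pool_last)
    findings = []
    if cfg.inside.overlaps(pool):
        findings.append(f"VPN pool {pool} overlaps inside network {cfg.inside}; use a separate network")
    split = cfg.acls.get(cfg.split_acl or "", [])
    if not split:
        findings.append("split-tunnel ACL missing or empty")
    for src, _dst in split:
        if src.overlaps(pool):  # assumption: source should be the inside net, not the pool
            findings.append(f"split-tunnel ACL source {src} is the VPN pool; name the inside network instead")
    nonat = cfg.acls.get(cfg.nonat_acl or "", [])
    if not any(s.overlaps(cfg.inside) and (d is None or d.overlaps(pool)) for s, d in nonat):
        findings.append("nat (inside) 0 ACL does not exempt inside -> pool traffic from NAT")
    if not cfg.nat_traversal:
        findings.append("isakmp nat-traversal not configured; clients behind PAT will show zero decrypted packets")
    return findings


if __name__ == "__main__":
    for name, cfg_text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_vpn_config(cfg_text) or ["ok"])
```

Running the block prints three findings for the constructed broken config (overlapping pool, pool used as split ACL source, no NAT-T) and "ok" for the fixed one; the NONAT check passes on the broken config only because the overlapping pool happens to sit inside the exempted inside network, which is exactly the kind of accident that hides the real routing problem.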
05-05-2005 06:29 AM
I did everything in your posts and now my vpn is working beautifully. Thank you so much!
05-09-2005 08:23 PM
Hi all,
thanks for your time and assistance. It is working now, the SSH access and the PDM.
Thanks again,