04-24-2011 10:16 AM
Hi,
I have configured remote access VPN on my 2801 router's gio0/0 int, IP x.x.x.1. I connected my laptop through the VPN client from the internet. I connected successfully and my VPN router gives me the assigned IP block y.y.y.1. From my laptop I can ping the other int gio/1 IP z.z.z.1, but I can't ping the IP z.z.z.2 of my core switch, which is connected on the router's int gi0/1. How can I solve this issue? If you have any suggestions then please provide them.
Thank you.
04-24-2011 05:38 PM
Hi,
1) If you have configured split tunnel, check the ACL to see whether it is including the LAN subnet for sending the traffic or not.
2) Check the LAN side to see if it's able to send the return traffic for block y.y.y.1 to the VPN router.
3) Exclude the traffic from the LAN to block y.y.y.1 from being NATted.
Do rate helpful posts.
Thanks,
Kasi.
04-25-2011 11:42 PM
Thanks Kasir. Now I can ping my remote server through the Cisco VPN client, but the problem is that during this time my laptop's internet is not available. I want to mention that my gateway router does not use NAT. Behind my router I am doing NAT. How can I solve this so that at the same time my VPN connectivity is fine and also my local internet? Thanks...
04-26-2011 12:38 AM
Hi Ahmed,
As per my understanding, the VPN router is not configured for NAT and your local router is configured for NAT. When you connect to the remote site via your laptop, VPN is fine but not the internet. When you do not use VPN the internet is fine. Am I right?
If that is the case, configure split tunnel so that the internet traffic goes through the local router.
It would be like below.
crypto isakmp client configuration group GROUP_NAME
key XYZ
pool POOL_NAME
acl SPLIT
ip access-list extended SPLIT
10 permit ip y.y.y.0
20 permit ip y.y.y.0
Please post your configuration so that I can verify.
Do rate helpful posts.
Thanks,
Kasi.
04-26-2011 02:51 AM
Thanks Kasi, but I don't have any local router. I am trying to connect to the VPN router through the internet from my laptop's VPN client software. Now please tell me what I have to do to make the VPN session and also surf the internet at the same time.
Thanks...
04-26-2011 04:04 AM
Just apply the same configuration I provided in the previous email on the VPN router.
crypto isakmp client configuration group GROUP_NAME
key XYZ
pool POOL_NAME
acl SPLIT
ip access-list extended SPLIT
10 permit ip y.y.y.0
20 permit ip y.y.y.0
If possible, post the current config.
Thanks,
Kasi
04-26-2011 04:35 AM
It's not working. The result is the same..
04-26-2011 04:59 AM
Why can't you post the config?
Thanks,
Kasi
04-26-2011 11:22 AM
Hi Ahmed,
All you need is one line per any inside subnet in your split tunnel ACL, so:
crypto isakmp client configuration group GROUP_NAME
key XYZ
pool POOL_NAME
acl SPLIT
ip access-list extended SPLIT
10 permit ip z.z.z.0
Where y.y.y.0 is your IP pool for the clients and z.z.z.0 is the inside network you need to access via VPN, so it is somehow reversed where (SOURCE=inside subnet, DESTINATION=IP POOL). If there are more inside networks behind your core switch that you need to access via VPN, add lines for them in the access list.
To verify, open a CMD and do a "route print" on your PC while it is connected using the VPN client. Check that only your remote inside subnets have a gateway from the pool (y.y.y.0).
Hope it helps..
Best wishes,
Motaz Khraisat
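The "route print" check described in the reply above can be automated. This is an added example, not code from any poster in the thread; the sample output is constructed, with 10.99.0.0/24 standing in for the client pool (y.y.y.0) and 10.20.30.0/24 for the inside network (z.z.z.0), and the function names are hypothetical.

```python
import ipaddress

# Constructed `route print` excerpt (Windows client, VPN connected).
SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
       10.20.30.0    255.255.255.0        10.99.0.1       10.99.0.5      1
        10.99.0.0    255.255.255.0          On-link       10.99.0.5    276
      192.168.1.0    255.255.255.0          On-link    192.168.1.50    281
===========================================================================
Persistent Routes:
  None
"""

def parse_routes(text):
    """Yield (destination network, gateway string) for each active IPv4 route."""
    in_table = False
    for line in text.splitlines():
        if line.startswith("Network Destination"):
            in_table = True          # rows start after the column header
            continue
        if in_table and line.startswith("="):
            break                    # end of the active IPv4 routes
        parts = line.split()
        if in_table and len(parts) == 5:
            dest, mask, gateway = parts[0], parts[1], parts[2]
            yield ipaddress.ip_network(f"{dest}/{mask}"), gateway

def check_split_tunnel(text, pool, inside):
    """Return routes sent via a pool gateway that are not an expected inside subnet."""
    pool = ipaddress.ip_network(pool)
    inside = [ipaddress.ip_network(n) for n in inside]
    unexpected = []
    for net, gateway in parse_routes(text):
        try:
            gw = ipaddress.ip_address(gateway)
        except ValueError:           # "On-link": directly connected, no gateway
            continue
        if gw in pool and not any(net.subnet_of(i) for i in inside):
            unexpected.append(str(net))
    return unexpected

if __name__ == "__main__":
    print(check_split_tunnel(SAMPLE, "10.99.0.0/24", ["10.20.30.0/24"]))
```

An empty result means only the listed inside subnets go through the tunnel; `0.0.0.0/0` in the result means the default route is being sent through the VPN, which is the "no internet while connected" symptom from earlier in the thread.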
04-27-2011 08:22 PM
Thank you very, very much Motaz. It's working. Thank you. I have another issue. Please help me out. I configured a local pool of IP addresses for remote access VPN. The problem is that when I disconnect the VPN, the IP is not released by the router. I also tried some commands like clear mac-address-table or something, but it doesn't work. The only way to release the IP address is to reboot the router, and this is not a good solution. If you have any suggestions then please help me out. Thank you...
04-27-2011 11:24 PM
Hi Ahmed,
I'm glad it worked. For the second issue, are you disconnecting gracefully? I mean, are you literally clicking on "Disconnect" in the right way? If yes, I think you need to upgrade your software to the latest interim/maintenance release. I remember that I saw this issue before and it was a defect in the software.
If it is only happening for ungraceful disconnections (i.e. the internet went down on the client's side) then it will get released after the keepalive period elapses (the time until the router finds out that the peer is dead).
Hope it helps. Tell me how it goes.
Best wishes,
Motaz
04-29-2011 12:00 AM
Hi Motaz,
I disconnected the VPN session by clicking the disconnect button in the Cisco VPN client software. So in this case I have to download the updated VPN client software. Right now I use Cisco VPN client software version 5.0.04.0300. OK, I am trying to download the latest VPN client software and will then let you know whether it worked or not. Thanks...
04-29-2011 12:29 AM
Hi Ahmed,
I didn't mean upgrading the VPN client. I meant the software release of the router itself.
Best regards,
Motaz
05-01-2011 08:35 PM
Sorry Motaz, my mistake. So now I have to upgrade the router IOS. OK, I will upgrade the router IOS and then let you know. By the way, I am using a 2911 router and the IOS is universalk9-15.0.1 M4. Thank you.
05-04-2011 02:53 AM
Dear Motaz,
Thank you very much for your previous suggestions. Now I need to know one thing: is it possible to configure remote access VPN on my router while on my laptop I use the normal Windows VPN dialer? I think it is possible. If it is possible, then Motaz, do you have any idea how to do that? If you have any suggestions or a step-by-step configuration then please let me know. Thanks in advance...