Cisco SOHO 91 VPN, no traffic coming back through tunnel

mrjaylewis
Level 1

Hi All,

I set up a simple VPN on my Cisco SOHO 91 using info that I've found around the net and I'm having what seems to be an access list or maybe a NAT problem. I can connect with the Cisco 4.6 VPN Client and I see packets getting encrypted and decrypted, and the route listed in the client while I'm connected looks fine, 10.10.10.0 255.255.255.0, but I still can't ping anything on the LAN. Actually, I can ping but I'm not getting any packets to come back through the tunnel. I've debugged ICMP so I can see the responses being sent to the client but, as I said, nothing comes back through the tunnel. My other suspicion is that it's a NAT issue and it's somehow not forwarding packets back through the tunnel. Anyway, I've included my config below; if you could take a look and give me some advice on how to fix it I'd appreciate it. By the way, I have an early version of the SOHO 91 so I really can't upgrade the IOS because it already has its maximum amount of memory at 32 MB. I believe my version supports everything I'm trying to do since I can connect and secure the tunnel with no problem, so hopefully you all have an answer for me. I have to do all this manually because you can't run SDM on a SOHO 91, but I've compared my config to an SDM version and it looks pretty solid, but I'm sure I'm missing something. My version info follows, and then the current config. And by the way, any other advice about my config is welcomed...

Thanks very much, Jay.

Version info:

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: SOHO91 Software (SOHO91-K9OY6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
CISCO SOHO91 (MPC857DSL) processor (revision 0x300) with 31130K/1638K bytes of memory.
Processor board ID AMB08310BH3 (878404472), with hardware revision 0000
CPU rev number 7
Bridging software.
2 Ethernet/IEEE 802.3 interface(s)
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Config: Attached.


spremkumar
Level 9

Hi

What's the IP address you are getting on the VPN client?

Can you also check whether your client is visible on the router side?

You can refer to the link below to make sure that you are meeting all the prerequisites before establishing the tunnel:

http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html#anchor16

regds

Hi spremkumar,

I am getting an address from the pool that I specified but no, I cannot ping it from the router; that's why I thought the access-list might be messed up. Now that I've looked at some of the documents at the link you provided, I think that this one applies best to my configuration, so I'm going to do some more reading and adjust my configuration.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949db.shtml

Thank you,

Jay.

spremkumar,

I did some more research and some debugging and decided that it is definitely a NAT and access list problem... When I ping into the tunnel to any valid 10.10.10.X address, the ICMP debugging shows that the 10.10.1.X IP of my VPN client is administratively prohibited. By the way, I decided to create the local pool outside of my normal DHCP range and removed the excluded-address statement so I could better distinguish the VPN addresses from my regular DHCP pool and so it definitely wouldn't cause a conflict. So I changed the pool in my config to the following:

ip local pool dynpool 10.10.1.1 10.10.1.254

And the access-list to this:

access-list 199 permit ip 10.10.10.0 0.0.0.255 10.10.1.0 0.0.0.255

But I still don't really understand how to exclude the tunnel traffic from the NAT process. I think I should be using a route map from what I've read, but I can't seem to figure it out yet. I'm pretty sure that once I get the VPN traffic excluded from the NAT process and get the access-list straight it's going to work, since I can connect with no problem...

Any help you can provide would be awesome, I've been fiddling around with this for a while...

Thanks,

Jay.
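The NAT-exemption question in the post above comes down to ACL ordering: on IOS, inside-to-outside NAT runs before the crypto map check on the outside interface, so a LAN reply that the NAT ACL permits gets its source rewritten to the public address and then no longer matches the crypto ACL. The following Python model, added here as an illustration and not code from the thread or from Cisco, reproduces Cisco-style wildcard-mask matching with first-match semantics and traces one reply packet under two NAT ACLs: the usual "permit LAN to any" and the same ACL with a deny for LAN-to-VPN-pool traffic placed first. The LAN (10.10.10.0/24), the pool (10.10.1.0/24) and ACL 199 come from the post; the NAT ACL number 101, the host addresses, the outside address 203.0.113.10 and the route-map name NONAT are constructed assumptions.

```python
import ipaddress

# Assumed IOS lines the model below corresponds to (interface name is a
# placeholder, not taken from the poster's attached config):
#   access-list 101 deny   ip 10.10.10.0 0.0.0.255 10.10.1.0 0.0.0.255
#   access-list 101 permit ip 10.10.10.0 0.0.0.255 any
#   route-map NONAT permit 10
#    match ip address 101
#   ip nat inside source route-map NONAT interface <OUTSIDE-IF> overload


def wildcard_match(addr, net, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_addr(tokens):
    """Consume one source/destination spec: 'any', 'host A.B.C.D' or 'net wildcard'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse 'access-list N {permit|deny} ip <src> <dst>' into its parts."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError("unsupported ACE: %s" % line)
    action = tokens[2]
    src, rest = _parse_addr(tokens[4:])
    dst, _ = _parse_addr(rest)
    return action, src, dst


def acl_permits(acl_lines, src, dst):
    """First matching entry decides; an ACL ends with an implicit deny."""
    for line in acl_lines:
        action, (snet, swc), (dnet, dwc) = parse_ace(line)
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False


# Constructed sample ACLs. ACL 199 is the crypto ACL quoted in the post.
NAT_ACL_BEFORE = ["access-list 101 permit ip 10.10.10.0 0.0.0.255 any"]
NAT_ACL_AFTER = [
    "access-list 101 deny ip 10.10.10.0 0.0.0.255 10.10.1.0 0.0.0.255",
    "access-list 101 permit ip 10.10.10.0 0.0.0.255 any",
]
CRYPTO_ACL = ["access-list 199 permit ip 10.10.10.0 0.0.0.255 10.10.1.0 0.0.0.255"]


def trace_reply(nat_acl, src="10.10.10.5", dst="10.10.1.3", outside_ip="203.0.113.10"):
    """Trace a LAN host's reply to a VPN client through the outside interface.

    Inside-to-outside NAT is evaluated first; if the NAT ACL permits the flow
    the source is overloaded onto the outside address. The crypto ACL is then
    checked against the (possibly translated) packet.
    """
    translated_src = outside_ip if acl_permits(nat_acl, src, dst) else src
    return {
        "translated_src": translated_src,
        "enters_tunnel": acl_permits(CRYPTO_ACL, translated_src, dst),
    }


if __name__ == "__main__":
    for name, acl in (("permit-only NAT ACL", NAT_ACL_BEFORE),
                      ("deny-first NAT ACL", NAT_ACL_AFTER)):
        print(name, trace_reply(acl))
```

The deny entry must precede the permit, since the first matching line wins; with the order reversed the exemption never fires. Traffic from the LAN to anywhere other than the pool still matches the permit and is translated as before, so ordinary Internet access is unaffected.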