12-08-2010 10:22 AM
I have a Cisco 881 router and am trying to connect a client (Cisco VPN Client 5.xxx) to this router.
Here is a schema of my network:
LAN (192.168.252.0/24) ------ Router Cisco 881 -------- Router N°2 -------- Internet -------- Router N°3 -------- Client (192.168.1.10)
Router Cisco 881 :
- @IP lan : 192.168.252.1
- @IP wan : 192.168.0.2
- Default gateway : 192.168.0.1
- DNS : 192.168.0.1
Router N°2 :
- @IP lan : 192.168.0.1
- @IP wan : xx.xx.xx.xx
- Port forwarding : 500UDP to 192.168.0.2
- Port forwarding : 4500UDP to 192.168.0.2
I created this VPN profile:
- IP Address of Virtual Tunnel Interface : FastEthernet4
- Mode configuration : RESPOND
- Address pool (for VPN client) : 192.168.254.10 -> 192.168.254.149
- Split tunneling : 192.168.252.0/24
- Authentication : local
- No firewall (for testing only)
When I connect my VPN client for the first time, everything is OK: the VPN connection is OK, and I can ping any computer on the LAN (192.168.252.0/24).
If I disconnect/reconnect, the connection works, but I can't access any resources on the lan.
If I want to ping computers on the LAN again, I have to:
- restart the Cisco router
- activate/deactivate RIP (in the Dynamic Routing section of CCP): strange, isn't it?
But that will work only for one client connection: if I disconnect/reconnect the client again, then I cannot ping any resources on the LAN.
I'm starting to go crazy!
I used a sniffer Tool on a computer on my lan, and I can see ICMP trap (ICMP request).
So ping can come from VPN to LAN, but not LAN to VPN.
Any help would be appreciated.
Thanks
Nicolas
12-13-2010 06:41 PM

12-08-2010 03:18 PM
Seems like you have the exact same symptoms as the following resolved post:
https://supportforums.cisco.com/message/3243270
Hope that helps.
12-09-2010 12:08 AM
Hi Jennifer,
thanks for your help
I had a look at your discussion with Timothy. It looks like using the CP Easy VPN wizard is not the right way.
So I changed my configuration file on the router (modeled on Timothy's one).
My problem now is that my VPN client cannot connect to the router at all.
I get a "DEL_REASON_PEER_NOT_RESPONDING" error in the log file.
Any idea?
I didn't change anything on Router n°1 (ISP router) : NAT UDP4500 and UDP500 on 192.168.0.2
Thanks in advance
Nicolas

12-09-2010 12:18 AM
Can you please share your router configuration (where you terminate your VPN; I suppose the one where you made the config changes)?
12-09-2010 01:48 AM
12-09-2010 01:02 AM
Hi Nicolas,
I had exactly the same problem with an 887 series. When I updated the IOS the problem was over. Maybe you can try the same, if you haven't yet?
Regards,
Ronald
12-09-2010 01:52 AM
Ronald,
thanks for your solution...
The actual configuration file is c880data-universalk9-mz.150-1.M3.bin
Which update can I use? Is c880data-universalk9-mz.150-1.M4.bin the most up to date?
Thanks
Nicolas

12-09-2010 03:01 AM
Yes, you forgot to apply the crypto map on the outside interface.
interface FastEthernet4
crypto map VPN_Policy
Hope that resolves the problem.
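The fix above comes down to a crypto map that is defined globally but never attached to an interface. As an added example (not part of the original thread or the poster's configuration), this Python sketch audits a saved running-config for that condition; the sample config is constructed, and only the map name `VPN_Policy` and interface `FastEthernet4` are taken from the post.

```python
import re

# Constructed running-config excerpt (not the poster's attached file). The map
# name and interface come from the thread; everything else is made up.
SAMPLE_CONFIG = """\
crypto map VPN_Policy client configuration address respond
crypto map VPN_Policy 10 ipsec-isakmp dynamic DYN_MAP
!
interface FastEthernet4
 ip address 192.168.0.2 255.255.255.0
!
interface Vlan1
 ip address 192.168.252.1 255.255.255.0
!
"""

def audit_crypto_maps(config):
    """Compare crypto maps defined globally with those attached to interfaces."""
    defined = set()
    applied = {}          # map name -> list of interfaces it is attached to
    current_if = None
    for line in config.splitlines():
        if not line.startswith(" "):
            # Top-level line: either opens an interface block or ends one.
            m = re.match(r"interface\s+(\S+)", line)
            current_if = m.group(1) if m else None
            m = re.match(r"crypto map\s+(\S+)\s+\S", line)
            if m:
                defined.add(m.group(1))
        elif current_if:
            m = re.match(r"\s+crypto map\s+(\S+)", line)
            if m:
                applied.setdefault(m.group(1), []).append(current_if)
    return {
        "unapplied": sorted(defined - set(applied)),   # defined, never attached
        "undefined": sorted(set(applied) - defined),   # attached, never defined
        "applied": applied,
    }

def attach_map(config, interface, map_name):
    """Return a copy of the config with the map attached under the interface."""
    header = f"interface {interface}\n"
    return config.replace(header, f"{header} crypto map {map_name}\n", 1)

if __name__ == "__main__":
    print(audit_crypto_maps(SAMPLE_CONFIG)["unapplied"])
    fixed = attach_map(SAMPLE_CONFIG, "FastEthernet4", "VPN_Policy")
    print(audit_crypto_maps(fixed)["applied"])
```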
12-09-2010 03:17 AM
Jennifer... you saved my life (and my nerves)!!!
That works perfectly now.
I will continue some tests before closing this discussion.
I can not thank you enough
Nicolas

12-09-2010 03:48 AM
Cheers. Great to hear it's working now.
12-10-2010 06:20 AM
Hello Jennifer
Actually, the client-to-site VPN connection is still working... thanks again.
Now, I am trying to connect my router xxx (Cisco 881) to another router yyy (Cisco 881), and it's not working anymore (in fact, it was working before setting up the client-to-site connection). I use the CCP site-to-site wizard.
Here's the schema of the configuration I'm looking for:
Router xxxx ----------- ISP Router --------- Internet --------- ISP Router --------- Router yyyy
|
|
|
VPN Client
My VPN client just connects to the first router.
UDP port 500 (on the ISP routers) is forwarded to the WAN interface of the Cisco router (both sides).
On both sides, when I try to connect the VPN tunnel, I get this error: host unreachable
I have attached the 2 configuration files.
Help would be appreciated (again).
Thanks in advance
Nicolas
12-10-2010 06:36 AM
Hi Nicolas,
Can you enable "debug cry isa" and "debug cry ips" on both the routers and forward those debugs? The config looks alright.
Is this a new setup or was it working previously? Ensure you have the "crypto ipsec nat-t udp-enc" command on both the routers as well, as NAT-T needs to be negotiated here.
Let me know how it goes!!
Cheers,
Prapanch
12-10-2010 07:03 AM
Hi Prapanch
Thanks for your answer
It is not a new setup. It was working before I added a client-to-site VPN connection on the router xxxx.
I cannot actually access the first router (xxxx).
I enabled "debug cry isa" and "debug cry ips" on the second one... but where can I find the debugs?
As you see in configuration files, "crypto ipsec nat-t udp-enc" command is not set.
But it was working without it before...
Strange
Thanks
Nicolas
12-10-2010 07:07 AM
Hi Nicolas,
Enable those debugs and also enter "term mon" on a telnet/ssh session and the debugs should then come up on the terminal session itself.
Cheers,
Prapanch
12-10-2010 07:20 AM
