Newbie- IOS Easy VPN Server problem w/ VPN client

brielbriel
Level 1

Hi,

Extreme newbie to the Cisco IOS universe here ;-/

I'm trying to configure a Cisco 851 router using SDM to allow several Windows XP laptops to connect to the 851 device via Cisco VPN client version 4.02.

I have a static IP defined for WAN interface, NAT enabled, and a local pool defined for VPN clients on the _same_ subnet as the LAN.

SDM warns that my local pool is the same subnet as my local subnet, and also creates NAT rules to exclude the local pool from being NAT'ed.

When I connect w/ VPN client, the connection works perfectly. I can ping the router at the .1 address. I can ping the client assigned address. But, I cannot ping any other PC on the subnet, nor can I connect to servers on the subnet using known open ports. It appears to me that the NAT exclusion is a double-edged sword, excluding the VPN client pool from being NAT'ed, but also not allowing *ANY* traffic to pass to/from the VPN client from/to other addresses on the subnet.

Also, if I look at the status window in the VPN client, the received bytes is always zero, though the sent bytes is always increasing.

I've attached my config. HELP!!

Thanks!

CB

3 Replies

brielbriel
Level 1

Oops.. forgot to attach my router config. Here it is. Thanks!

CB

Hi

Is it possible to change the pool assigned to the VPN clients to a different block?

From my experience here we had seen some probs related to allocating the IPs on the same subnet in continuation with the local LAN subnet..

regds

Hi,

Thanks for the reply.

I did try what you suggest at one point. My local subnet is 192.168.91.0. So, I tried creating a local VPN pool using 192.168.92.200-192.168.92.219 (pool in different subnet).

This seemed to eliminate the conflicts w/ the NAT exclusions. I did however notice other strange behavior (pinging in both directions) that could probably be addressed with access list and/or firewall rule changes.

The thing that blows my mind however is this. You would think that Cisco would provide a way for a VPN client running the Cisco VPN client software to connect to its 850 series router and receive a virtual IP within the LAN subnet, right? In other words, if your LAN subnet is 192.168.1.0, it would make sense that a client connecting w/ VPN client could obtain an IP in that LAN subnet (i.e. 192.168.1.200 or similar), so that the router would not need to route traffic between the LAN subnet and a different VPN pool subnet, right?

It appears to me that the conflict would not exist if NAT were not enabled between the LAN and WAN, but it's pretty hard to imagine living without NAT these days. Most small business would have NAT enabled, so, again, the NAT conflict is a serious issue as far as I'm concerned.

If you go to the Cisco website, there is a technical paper including a step by step procedure for setting up an Easy VPN Server using the Easy VPN Server wizard in SDM, and also listing all the command line commands that would be used to accomplish the same result not using SDM. The interesting thing is that the procedures do not include the NAT warnings I see when I have NAT enabled on my device, and if you look at the command line example, there are no commands to add the NAT exclusions for the VPN local pool. And, yes, in their technical document Cisco uses a VPN pool that is within the same subnet as the LAN subnet. I've followed their procedures to the letter after a factory reset, but it does not work. I should say, it completes, but the VPN client can only send data to the LAN subnet, not receive.

Has anyone made Easy VPN Server work w/ the Cisco VPN software client with the client receiving a virtual IP on the same subnet as the LAN subnet?

Thanks.

CB
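The thread turns on two things that are easy to get wrong by hand: whether the Easy VPN pool is carved out of the LAN subnet, and whether the NAT ACL actually exempts LAN-to-pool traffic (the exclusion SDM generates and the Cisco walkthrough the poster mentions leaves out). The script below is an added example, not the poster's attached config and not Cisco or SDM code: it parses a small, constructed IOS config fragment (LAN 192.168.91.0/24 and a 192.168.91.200-219 pool, matching the addresses in the thread), evaluates the `ip nat inside source list` ACL the way IOS would (first match wins, implicit deny at the end), and reports which pool addresses would still have their LAN replies translated. A second constructed config with the deny line removed shows the failure the poster describes.

```python
import ipaddress
import re

# Constructed sample config (not the poster's attachment): LAN and VPN pool
# share 192.168.91.0/24, and the NAT ACL carries an exemption for the pool.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.91.1 255.255.255.0
 ip nat inside
interface FastEthernet4
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
ip local pool SDM_POOL_1 192.168.91.200 192.168.91.219
ip nat inside source list 100 interface FastEthernet4 overload
access-list 100 deny   ip 192.168.91.0 0.0.0.255 192.168.91.192 0.0.0.31
access-list 100 permit ip 192.168.91.0 0.0.0.255 any
"""

# Same config with the exemption dropped, i.e. what a NAT-enabled router looks
# like when the pool exclusion is simply omitted.
NO_EXEMPTION_CONFIG = "\n".join(
    line for line in SAMPLE_CONFIG.splitlines() if " deny " not in line
) + "\n"


def _wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    prefixlen = 32 - wc.bit_length()
    if wc != (1 << (32 - prefixlen)) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def _parse_operand(tokens, i):
    """Parse one ACL address operand (any / host X / A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_nat_acl(config):
    """Return the ordered 'ip' entries of the ACL named by 'ip nat inside source list'."""
    m = re.search(r"^ip nat inside source list (\S+)", config, re.M)
    if not m:
        raise ValueError("no 'ip nat inside source list' statement found")
    acl_name = m.group(1)
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) >= 6 and tokens[:2] == ["access-list", acl_name] and tokens[3] == "ip":
            src, i = _parse_operand(tokens, 4)
            dst, _ = _parse_operand(tokens, i)
            entries.append((tokens[2], src, dst))
    return entries


def acl_action(entries, src, dst):
    """First-match evaluation of a source/destination pair; IOS denies anything unmatched."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, s, d in entries:
        if src in s and dst in d:
            return action
    return "deny"


def parse_pool(config):
    """Expand the first 'ip local pool NAME START END' into individual addresses."""
    m = re.search(r"^ip local pool \S+ (\S+) (\S+)", config, re.M)
    if not m:
        raise ValueError("no 'ip local pool' statement found")
    start, end = (int(ipaddress.IPv4Address(x)) for x in m.groups())
    return [ipaddress.IPv4Address(a) for a in range(start, end + 1)]


def parse_inside_lan(config):
    """Return the subnet of the first addressed interface marked 'ip nat inside'."""
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = None
        elif line.strip().startswith("ip address "):
            _, _, addr, mask = line.split()
            current = ipaddress.IPv4Network((addr, mask), strict=False)
        elif line.strip() == "ip nat inside" and current is not None:
            return current
    raise ValueError("no 'ip nat inside' interface with an address found")


def check_nat_exemption(config):
    """Report pool/LAN overlap and pool addresses whose LAN replies would still be NATed."""
    lan, pool, acl = parse_inside_lan(config), parse_pool(config), parse_nat_acl(config)
    # Replies from a LAN host to a VPN client leave via the inside-source NAT rule;
    # a 'permit' for that pair means the reply gets translated and never reaches the client.
    not_exempt = [
        a for a in pool if any(acl_action(acl, h, a) == "permit" for h in lan.hosts())
    ]
    return {
        "lan": str(lan),
        "pool_in_lan_subnet": all(a in lan for a in pool),
        "not_exempt": [str(a) for a in not_exempt],
    }


if __name__ == "__main__":
    for name, cfg in (("with exemption", SAMPLE_CONFIG), ("without exemption", NO_EXEMPTION_CONFIG)):
        print(name, check_nat_exemption(cfg))
```

Running it against a real `show running-config` only needs the `SAMPLE_CONFIG` string swapped for the file contents; the parser deliberately handles just the statements involved here (extended numbered ACL entries with protocol `ip`, one local pool, one NAT-inside interface), so anything more exotic in a production config should be reviewed by hand rather than assumed covered.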