05-31-2002 06:06 AM - edited 02-21-2020 11:46 AM
Hi
I have created a VPN tunnel from a VPN client to a Cisco 2600. The question is: even though I have the pool address in the same range as the internal LAN addresses, after I create the tunnel I cannot ping any machine inside the network unless I add a static route on some local machine.
With the same setup on a PIX, I can just ping everybody inside the LAN without adding a specific static route. So what is the difference between these two setups?
05-31-2002 07:17 AM
Sounds like a routing problem, as you identified. It is difficult to say without topology or routing information. What is the routing config on the IOS? Are the internal LAN addresses that you are trying to reach on the same subnet as the IOS private interface, or some hops away from the router?
What is the default gateway on the destination host?
Difficult to answer without topology and routing info.
05-31-2002 02:27 PM
aaa new-model
!
aaa authentication login user-test local
aaa authorization network group-test local
aaa session-id common
enable secret 5 $1$Fyj3$p3HStbnvvB080.tuNgQI30
!
username Watarai password 0 ######
username syscom password 0 ######
ip subnet-zero
!
crypto isakmp policy 3
authentication pre-share
group 2
crypto isakmp client configuration address-pool local SyscomPool
!
crypto isakmp client configuration group TestGroup
key syscomusavpn
dns 172.16.4.42
wins 172.16.4.40
domain syscomusa.com
pool SyscomPool
acl 101
!
crypto ipsec transform-set SyscomSet esp-des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set SyscomSet
!
crypto map SyscomMap client authentication list user-test
crypto map SyscomMap isakmp authorization list group-test
crypto map SyscomMap client configuration address respond
crypto map SyscomMap 10 ipsec-isakmp dynamic dynmap
!
fax interface-type fax-mail
mta receive maximum-recipients 0
interface Ethernet0/0
ip address 64.32.177.3 255.255.255.240
half-duplex
crypto map SyscomMap
interface Ethernet0/1
ip address 172.16.4.15 255.255.255.0
half-duplex
!
ip local pool SyscomPool 172.16.4.215
ip classless
ip route 0.0.0.0 0.0.0.0 64.32.177.14
no ip http server
ip pim bidir-enable
!
access-list 1 permit 172.16.9.0 0.0.0.255
access-list 101 permit ip 172.16.4.0 0.0.0.255 any
!
This is the config which I have. Do I need more IP routes than just that one?
I can create the tunnel, but from the client statistics there are only output (encrypted) packets, no input (decrypted) packets at all.
Any suggestions would be appreciated.
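An added example, not the poster's running config and not a reply from the thread: the same Ethernet0/0 / Ethernet0/1 layout, but with the client pool moved off the 172.16.4.0/24 LAN. The point it illustrates is the difference asked about above. A PIX answers ARP on its inside interface for addresses it hands to VPN clients, so LAN hosts reach 172.16.4.215 without help. The posted IOS config assigns a pool address from the LAN subnet, so every LAN host treats the client as a directly connected neighbour and ARPs for it on the wire; nothing answers, which is why a per-host static route pointing the client address at 172.16.4.15 makes it work. With the pool on its own subnet, LAN hosts hand the return traffic to their default gateway instead. The 172.16.9.0/24 subnet (the thread's own access-list 1 hints at it), the pool range, the placeholder secrets and the availability of `reverse-route` in this IOS release are assumptions.

```ios
! Added example, not the poster's config. 172.16.9.0/24, the pool range and the
! placeholder secrets are assumptions.
service password-encryption
!
crypto isakmp client configuration group TestGroup
 key <pre-shared-key>
 dns 172.16.4.42
 wins 172.16.4.40
 domain syscomusa.com
 pool SyscomPool
 acl 101
!
crypto ipsec transform-set SyscomSet esp-des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set SyscomSet
 ! Installs a host route per connected client (assumed to exist in this IOS
 ! release). Not required here: the default route already sends 172.16.9.x out
 ! Ethernet0/0, where the crypto map encrypts it.
 reverse-route
!
! Pool on its own subnet: LAN hosts send 172.16.9.x to their default gateway
! instead of ARPing for it on the LAN, so no per-host static route is needed.
ip local pool SyscomPool 172.16.9.200 172.16.9.254
!
ip route 0.0.0.0 0.0.0.0 64.32.177.14
!
! Split-tunnel ACL pushed to the client: only LAN destinations use the tunnel.
access-list 101 permit ip 172.16.4.0 0.0.0.255 any
!
! If the LAN hosts' default gateway is NOT this router, that gateway still
! needs a route for the pool subnet, e.g. on another IOS box:
!   ip route 172.16.9.0 255.255.255.0 172.16.4.15
```

Two checks worth doing after the change: `show crypto ipsec sa` on the router should show both encaps and decaps counters rising while the client pings a LAN host (the symptom above was encrypt-only on the client side, i.e. replies never reached the router), and `show ip route` should list 172.16.9.0/24 as reachable via the default route or, with `reverse-route`, as /32 host routes for each connected client. Moving the pool also keeps the client's own address out of the split-tunnel network in access-list 101, which some client versions handle badly. Note that the thread's pasted config exposes an `enable secret` hash and a plaintext group key; anything pasted publicly should have those rotated.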