
What am I missing?

jefffisher
Level 1

I can connect to the router using Cisco VPN client 5.0.07.0440. I get my IP from the pool but can't ping the 192.168.8.1 gw nor anything on the 192.168.8.x network.

Accepted Solutions

Use a different IP pool (unused private IP range in your network) and make sure that on the internal additional routing nodes you have a route pointing to the correct terminal router.

To be sure that I am working in the right direction, enable RRI and try to ping the router interface itself.

Also try taking Wireshark captures on the virtual adapter of the Cisco client.


9 Replies

rizwanr74
Level 7

Hi Jeff,

Please remove this line.

ip nat inside source list 1 interface Dialer1 overload

Please create a no-nat for vpn-client traffic and inside network traffic.

ip access-list extended PAT_ACL
deny   ip 192.168.6.0 255.255.255.0 192.168.8.0 255.255.255.0
permit ip 192.168.6.0 255.255.255.0  any

ip nat inside source list PAT_ACL interface Dialer1 overload

Please let me know, if that helps.

thanks

Rizwan Rafeek

It was my bad. The config is correct but mask must be inverse mask.

ip access-list extended PAT_ACL

deny   ip 192.168.6.0 0.0.0.255 192.168.8.0 0.0.0.255

permit ip 192.168.6.0 0.0.0.255 any

You must have copied it, just the way I told you to, right?

Please let me know, if that helps.

thanks

Look forward to hearing from you.

Still can't ping the int on router. Outbound traffic works from inside

Well, Jeff.

Here is your network setup.

interface FastEthernet0/0

description MVVC Inside

ip address 192.168.8.1 255.255.255.0

and your VPN pool is in the same range; basically they overlap.

ip local pool MVVC-VPN 192.168.8.98 192.168.8.128

Here is a table to narrow down the IPs coming off your DHCP pool.

| Subnet | Network Address | Starting Host | End Host | Broadcast | Netmask |
|---|---|---|---|---|---|
| 0 | 192.168.8.0 | 192.168.8.1 | 192.168.8.30 | 192.168.8.31 | 255.255.255.224 |
| 1 | 192.168.8.32 | 192.168.8.33 | 192.168.8.62 | 192.168.8.63 | 255.255.255.224 |
| 2 | 192.168.8.64 | 192.168.8.65 | 192.168.8.94 | 192.168.8.95 | 255.255.255.224 |
| 3 | 192.168.8.96 | 192.168.8.97 | 192.168.8.126 | 192.168.8.127 | 255.255.255.224 |
| 4 | 192.168.8.128 | 192.168.8.129 | 192.168.8.158 | 192.168.8.159 | 255.255.255.224 |
| 5 | 192.168.8.160 | 192.168.8.161 | 192.168.8.190 | 192.168.8.191 | 255.255.255.224 |
| 6 | 192.168.8.192 | 192.168.8.193 | 192.168.8.222 | 192.168.8.223 | 255.255.255.224 |
| 7 | 192.168.8.224 | 192.168.8.225 | 192.168.8.254 | 192.168.8.255 | 255.255.255.224 |

This is one alternative you can try: narrow down the IP addresses coming off the VPN DHCP pool in the ACL to “192.168.8.96 0.0.0.31”, which is network “3” in the above table, so your ACL for no-nat would look as below. However, if that does not work, you have to recreate a completely separate network segment which does not overlap with any of your physical interfaces or internal networks.

ip access-list extended PAT_ACL

deny   ip 192.168.6.0 0.0.0.255 192.168.8.96 0.0.0.31

permit ip 192.168.6.0 0.0.0.255 any

I hope that makes sense to you.

Let me know please

thanks
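
An added example, not part of the original posts: a Python check of the two points raised so far, namely whether a VPN pool overlaps the inside interface's subnet and whether a no-nat ACL entry written with an inverse mask matches the whole pool. The function names and the 192.168.9.x pool are assumptions made for illustration; the other addresses are the ones quoted in the thread.

```python
import ipaddress

def wildcard_to_network(base, wildcard):
    """Turn an IOS ACL 'address wildcard' pair into an ip_network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    # IOS accepts non-contiguous wildcards, but this helper only handles a
    # contiguous run of low-order 1 bits (wc + 1 is then a power of two).
    # A subnet mask such as 255.255.255.0 fails this test and is rejected.
    if wc & (wc + 1):
        raise ValueError(f"{wildcard} is not a contiguous inverse mask")
    return ipaddress.ip_network(f"{base}/{32 - wc.bit_length()}")

def pool_check(first, last, inside_if, acl_base, acl_wildcard):
    """Return (pool overlaps inside LAN?, pool blocks the ACL entry misses)."""
    pool = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    inside = ipaddress.ip_interface(inside_if).network
    acl_net = wildcard_to_network(acl_base, acl_wildcard)
    overlaps = any(block.overlaps(inside) for block in pool)
    missed = [str(block) for block in pool if not block.subnet_of(acl_net)]
    return overlaps, missed

if __name__ == "__main__":
    # Pool and inside interface as quoted in the thread, checked against
    # the suggested ACL destination 192.168.8.96 0.0.0.31.
    print(pool_check("192.168.8.98", "192.168.8.128",
                     "192.168.8.1/24", "192.168.8.96", "0.0.0.31"))
    # Constructed non-overlapping pool (assumed range, not from the thread).
    print(pool_check("192.168.9.1", "192.168.9.30",
                     "192.168.8.1/24", "192.168.9.0", "0.0.0.31"))
    # A subnet mask pasted where an inverse mask is expected is rejected.
    try:
        wildcard_to_network("192.168.6.0", "255.255.255.0")
    except ValueError as err:
        print(err)
```

For the pool quoted in the thread, the result shows the overlap with the inside /24 and that 192.168.8.128 falls outside network 3 of the table, so the 0.0.0.31 entry would not match that address.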

Well, it would seem my math was right when I looked at the DHCP server; I just started from the wrong IP. Corrected the pool. Here is the VPN client log:

8 06:24:57.271 03/15/12 Sev=Warning/3 IKE/0xE3000085

The length, 0, of the Mode Config option, INTERNAL_IPV4_NETMASK, is invalid

9 06:25:01.490 03/15/12 Sev=Warning/2 CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

Destination 192.168.252.255

Netmask 255.255.255.255

Gateway 192.168.8.1

Interface 192.168.8.98

10 06:25:01.490 03/15/12 Sev=Warning/2 CM/0xA3100024

Unable to add route. Network: c0a8fcff, Netmask: ffffffff, Interface: c0a80862, Gateway: c0a80801.

The problem is a routing issue. I get my IP from the router, but can't ping the router from the pc running the client.

Hi Jeff,

You stated this: "I get my IP from the router, but can't ping the router from the pc running the client."

I assume, you meant "running the client" is VPN client software, right?  if then you must be trying to initiate a VPN session while connected to inside network, correct?  Please answer "yes" or "no".

If you are coming behind the interface "FastEthernet0/1" and/or "FastEthernet0/0" as per your setup, you cannot initiate a VPN session while already connected to inside the network.

Thanks

Look forward to hearing from you.

I assume, you meant "running the client" is VPN client software, right? Yes

if then you must be trying to initiate a VPN session while connected to inside network, correct? No

"can't ping the router from the pc running the client."

If you cannot ping the router from the PC, then it appears that your PC and router are not on the same network. I assume that your PC is connected to an inside switch that is connected to the inside interface of your router.

This problem is a different issue from what this thread is discussing, which is "I can connect to the router using Cisco VPN client 5.0.07.0440."

Gee.  I am confused.
