
default gateway issue - cisco vpn client - ios

9 years 11 months ago - 9 years 11 months ago #38513 by blackman
Hi,

I have used your article 'cisco vpn client config - setup for cisco IOS router'. It's great and was nice to find something 'real world'. However, everything works great, apart from the default gateway and mask that get applied to the PC once the VPN is connected.

I am connecting from the 192.168.0.x network. I hit the router (2811) and get the correct IP from the pool defined on the client config (10.0.55.240 - 248), but the gateway I need is .254 and I get 10.0.55.1 or sometimes 10.0.0.1, and the mask is 255.0.0.0 when it should be /24. I have attached the config below. Any ideas? I have also attached the 'route print -4' output.

Secondly, how do I add a second client with a separate DHCP pool? Do I need to have the inside interface unnumbered?

Help!!!

Cheers,

Scott.

IPv4 Route Table (before connected)
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.2.254 10.0.2.58 30
0.0.0.0 0.0.0.0 10.0.55.1 10.0.55.242 100
10.0.2.0 255.255.255.0 On-link 10.0.2.58 286

IPv4 Route Table (VPN connected)
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.2.254 10.0.2.58 30
0.0.0.0 0.0.0.0 10.0.55.1 10.0.55.242 100
10.0.2.0 255.255.255.0 On-link 10.0.2.58 286
10.0.2.6 255.255.255.255 On-link 10.0.2.58 100

license udi pid CISCO2811 sn FHK1137F3AT
username scott privilege 15 password 0 test
username comms password 0 C0mm5
username blackmansCplc privilege 15 password 0 DPLwanRul3s
!
redundancy
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key DPLwanRul3s
dns 8.8.8.8 10.0.2.6
pool ippool
acl 120
max-users 8
crypto isakmp profile vpn-ike-profile-1
match identity group vpn
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
!
!
!
!
!
!
!
interface FastEthernet0/0
description inside
ip address 10.0.55.251 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description outside
ip address 78.24.116.50 255.255.255.224
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
ip local pool ippool 10.0.55.240 10.0.55.248
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 78.24.116.34
!
logging trap debugging
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip 10.0.2.0 0.0.0.255 any
access-list 120 permit ip any host 10.0.55.240
access-list 120 permit ip any host 10.0.55.241
access-list 120 permit ip any host 10.0.55.242
access-list 120 permit ip any host 10.0.55.243
access-list 120 permit ip any host 10.0.55.244
access-list 120 permit ip any host 10.0.55.245
access-list 120 permit ip any host 10.0.55.246
access-list 120 permit ip any host 10.0.55.247
access-list 120 permit ip any host 10.0.55.248
Last edit: 9 years 11 months ago by blackman. Reason: routes again
9 years 11 months ago - 9 years 11 months ago #38514 by Chris
Hello Scott and welcome to Firewall.cx.

I'll begin addressing your second question and then move to the first.

The VPN address pool that is assigned to your users is group specific. This means that in your VPN group settings, you define which pool that particular group will use.

In your case, you've created a VPN Group called "vpn":
Code:
crypto isakmp client configuration group vpn

and within that group, you've configured a pool named "ippool" that assigns 10.0.55.240 through to 10.0.55.248 to users connecting to this group.

If you wanted to have a second user who would be assigned to a different pool from the above, then you would need to create a new group that has a different pool assigned to it. Users connecting to your VPN router with the group authentication credentials of the second group will automatically obtain their IP address from that pool.

It is important to understand that with Cisco IOS routers, you simply create users, and it's the VPN client 'Group Credentials' that govern which group the specific user will belong to.

So you can create two entries in your Cisco VPN Client, both to the same VPN Gateway; however, each entry can have a different group configured, so the same user connects to different groups and therefore has a different IP assigned to it (pool) and different access rights (group ACLs).

Coming to your first question, I must admit I'm puzzled. If the configuration you have provided is from a live router, then you've certainly got a lot of missing statements; however, I am not sure if this is the root of your problem.

There are no ip nat inside/outside statements configured on your interfaces; however, you have a nat overload statement configured (on the inside interface instead of the outside interface!). I also noticed that the ACL 100 statements seem incorrect, as they are referring to your remote clients when in fact they should contain your local network only (10.0.55.0).

I'm guessing that part of your problem is that your configuration requires fixing.

I'd advise you to read up on the following articles to help you understand how to configure them correctly:

1) Configuring NAT Overload On A Cisco Router
2) Cisco VPN Client Configuration - Setup for IOS Router

Let us know if the above information proved helpful and helped you resolve your problems.

Thanks.

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Last edit: 9 years 11 months ago by Chris.
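The following IOS fragment is an added illustration of both points in the reply above (a second VPN group with its own pool, and the NAT corrections described); it is not Chris's configuration or Scott's router. The group name vpn2, pool ippool2, its address range, ACL 121 and the key placeholder are assumptions chosen so they do not overlap the existing group.

```cisco
! --- Second group with its own address pool (assumed names/ranges) ---
! Users whose VPN Client entry carries group "vpn2" credentials land here
! and are assigned addresses from ippool2, not from ippool.
ip local pool ippool2 10.0.55.230 10.0.55.238
!
crypto isakmp client configuration group vpn2
 key <GROUP2-PRESHARED-KEY-PLACEHOLDER>
 dns 8.8.8.8 10.0.2.6
 pool ippool2
 acl 121
 max-users 8
!
! An ISAKMP profile may match more than one group, so the existing
! profile (and its virtual-template) can serve both groups.
crypto isakmp profile vpn-ike-profile-1
 match identity group vpn
 match identity group vpn2
!
! ACL 121 is the split-tunnel ACL for group vpn2 (define per policy).
!
! --- NAT corrections (as described in the reply) ---
! 1. Mark the LAN side as NAT inside and the internet side as NAT outside.
interface FastEthernet0/0
 description inside
 ip nat inside
!
interface FastEthernet0/1
 description outside
 ip nat outside
!
! 2. The NAT ACL must match the LOCAL network (10.0.55.0/24), not the
!    remote client networks that were listed in the original ACL 100.
no access-list 100
access-list 100 permit ip 10.0.55.0 0.0.0.255 any
!
! 3. Overload on the OUTSIDE interface, not the inside one.
no ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source list 100 interface FastEthernet0/1 overload
```

Applying the NAT changes in the order shown avoids a window where ACL 100 is empty but still referenced by the overload statement.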