Easy VPN Server on Cisco 851 with IOS 12.4

By vhrocker
I am having a heck of a time accessing my network through VPN. I have a Cisco 851 router, using Easy VPN Server config and the Cisco VPN Client 5. I have set it up and can establish a connection, even split-tunneling. I CAN NOT access my server or network shares.

Has anyone had and solved this issue? I have read many posts, configurations, Cisco Documentations, and I still can not get it.

I have tried using different IP Pools (same as local, different than local)

Windows Kerberos uses UDP by default

by robo_dev In reply to Easy VPN Server on Cisco ...

UDP is connectionless and packets that are fragmented arrive out-of-order and are dropped. You must configure the client to use TCP for Kerberos.

http://support.microsoft.com/kb/244474

....

by vhrocker In reply to Windows Kerberos uses UDP ...

I'm not exactly following why this is relevant. I can't even ping ANYTHING on the other side of vpn.

Get this figured out?

by krueger_alex In reply to Easy VPN Server on Cisco ...

vhrocker,
Did you ever figure out the solution to your problem? I've got the same issue...

YES

by vhrocker In reply to Get this figured out?

I ended up figuring it out... mostly on my own as I usually do. The problem was totally related to subnetting. Both sides need to be on separate subnets. To keep it short, the subnet mask on mine would be 255.255.255.192. Local addresses: 192.168.4.1-63; VPN addresses: 192.168.4.64-127.

This gives you the possibility of 4 subnets of 63 hosts each. (My numbers may be a little off, but it works.)

That will put both vpn clients and local clients on same network, but different subnets.

What you need to do is redo your DHCP pool and vpn config.

Let me know if you still need help.

Excellent!

by krueger_alex In reply to YES

That did it! Thank you!
What I actually did was keep my LAN on the 192.168.3.0 subnet, and put my incoming VPN on the 192.168.2.0 subnet, with a mask of 255.255.0.0. I would never have thought that was the fix! How odd.....
Anyway, since you offered more help; I can not access the internet when I VPN in. I realize it could be any number of things I don't have quite right, but does anything obvious come to mind?
Again, thanks for your help!

You need to

by vhrocker In reply to Excellent!

You need to "Enable Split Tunneling".

If you are using the SDM, go to Configure -> VPN -> VPN Components -> Easy VPN Server -> Group Policies

You should then see the group you made there (or multiple). Edit the group, click the "Split Tunneling" tab and enable.

HOWEVER! I do remember reading about some security issues with this setting so make sure to read up on it if security is an issue. It is not a big issue in my case.

OK, but still missing something...

by krueger_alex In reply to You need to

I've enabled split tunneling, but to no effect. Is there something else I need to do (with NAT perhaps?) to get it to work?
The security is not a big issue in my case either...

Nothing off the top of my head...

by vhrocker In reply to OK, but still missing som ...

but let me check out my configuration and see. I haven't used it in a while, but I know it all worked. Can you post your config in the meantime (all personal info out of course).

I got it...

by krueger_alex In reply to Nothing off the top of my ...

Your advice about split-tunneling made me go back and look at my split-tunneling settings. I had been using this ACL with my split tunnel:
permit ip any any
So I thought "hmmmmm....." and changed it to:
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
The .3 subnet is my LAN, and the .2 is what I assign to the VPN clients.
I don't know if that's the best or most elegant way to do it, but it works and I'm happy.
Since you've been such a huge help, vhrocker, can you perhaps help me with my last problem? I posted it here:
http://techrepublic.com.com/5208-6230-0.html?forumID=101&threadID=273778&messageID=2594253
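
The two fixes in this thread (a VPN pool that does not share the LAN's subnet, and a split-tunnel ACL that names specific networks instead of `any`) can be checked offline before a config is pushed. The following is an added example, not code from any poster: the function names are hypothetical, the ACL lines are the ones quoted in the last post, and the /26 networks are one reading of vhrocker's address ranges.

```python
import ipaddress

# ACL entries as quoted in the thread.
ORIGINAL_ACL = ["permit ip any any"]
FIXED_ACL = [
    "permit ip 192.168.2.0 0.0.0.255 any",
    "permit ip 192.168.3.0 0.0.0.255 any",
]

def parse_acl_source(line):
    """Return the source of a 'permit ip <src> ...' entry as a network, or None for 'any'."""
    tok = line.split()
    if len(tok) < 4 or tok[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported entry: {line!r}")
    if tok[2] == "any":
        return None
    if tok[2] == "host":
        return ipaddress.ip_network(tok[3] + "/32")
    # ipaddress accepts an IOS-style wildcard (host mask) after the slash and
    # raises ValueError for a non-contiguous mask or host bits in the address.
    return ipaddress.ip_network(f"{tok[2]}/{tok[3]}")

def audit_split_acl(lines):
    """Return (networks named by the ACL, findings for entries whose source is 'any')."""
    nets, findings = [], []
    for line in lines:
        src = parse_acl_source(line)
        if src is None:
            findings.append(f"{line!r}: source is 'any', so the ACL names no specific network")
        else:
            nets.append(src)
    return nets, findings

def pools_overlap(lan, vpn_pool):
    """True when the LAN and the VPN client pool share address space."""
    return ipaddress.ip_network(lan).overlaps(ipaddress.ip_network(vpn_pool))

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        nets, findings = audit_split_acl(acl)
        print(name, [str(n) for n in nets], findings)
    # vhrocker's layout read as two /26 networks (assumption): LAN, then VPN pool.
    print("overlap:", pools_overlap("192.168.4.0/26", "192.168.4.64/26"))
```
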
