Cisco 2801 Router need to add dhcp for VPN connections.

I would like to know the commands for adding dhcp to my cisco 2801 router.  In other words, when a client connects via VPN I would like them to be issued an address from the 192.168.3.x range.  They are currently receiving an IP address of 172.x.x.x.  Thanks!
A.V., Lead Engineer, Asked:

I will assume the following information:

private ip: /24

DNS Server:
private ip:
private ip:

WINS Server:
private ip:
private ip:

You will need the following command lines on your router:

router(config)# ip local pool users     <----Defines DHCP
router(config)# ip access-list extended splitremote
router(config-ext-nacl)# permit ip 192.3.0 any
router(config-ext-nacl)# exit
router(config)# crypto isakmp client configuration group RemoteUsers
router(config-isakmp-group)# key engine123
router(config-isakmp-group)# pool userspool
router(config-isakmp-group)# domain
router(config-isakmp-group)# dns
router(config-isakmp-group)# wins
router(config-isakmp-group)# include-local-lan
router(config-isakmp-group)# firewall are-u-there
router(config-isakmp-group)# max-logins 1
router(config-isakmp-group)# exit

I'm assuming you already configured all the crypto maps, so I won't write them.  Use my example to compare with your configuration to see where your running-config is incorrect.


Les Moore, Sr. Systems Engineer, Commented:
>router(config)# ip local pool users     <----Defines DHCP
Pentrix2, are you sure you want to use a pool that overlaps the internal IP address space?
DNS and WINS servers all fall within this pool . . .

Just thought I'd throw that out there...

>They are currently receiving an IP address of 172.x.x.x.
Where are they getting these IPs?
Thanks for pointing that out lrmoore.  I forgot about that.  :)

router(config)# ip local pool users
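
Added example, not part of the original thread: a Python check for the overlap lrmoore points out, reporting which `ip local pool` ranges collide with an interface subnet or contain the DNS/WINS servers pushed to VPN clients. Every address in the sample config is constructed, since the thread's own values are not shown, and the function name `audit_pools` is hypothetical.

```python
import ipaddress
import re

# Constructed sample config: addresses are illustrative, not taken from the thread.
SAMPLE_CONFIG = """\
ip local pool users 192.168.3.1 192.168.3.254
ip local pool pptp 192.168.50.10 192.168.50.50
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
crypto isakmp client configuration group RemoteUsers
 dns 192.168.3.10 192.168.3.11
 wins 192.168.3.12
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)\s*$", re.M)
IFADDR_RE = re.compile(r"^\s+ip address (\d\S+) (\d\S+)\s*$", re.M)
SERVER_RE = re.compile(r"^\s+(?:dns|wins) (.+)$", re.M)


def audit_pools(config):
    """Return {pool: {"subnets": [...], "servers": [...]}} for pools with conflicts."""
    # Subnets the router itself is attached to (address + dotted mask).
    subnets = [ipaddress.ip_interface(f"{addr}/{mask}").network
               for addr, mask in IFADDR_RE.findall(config)]
    # DNS/WINS servers handed to VPN clients; each line may list two addresses.
    servers = [ipaddress.ip_address(s)
               for line in SERVER_RE.findall(config) for s in line.split()]
    findings = {}
    for name, start, end in POOL_RE.findall(config):
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        # A range and a subnet overlap unless one ends before the other begins.
        hit_nets = [str(n) for n in subnets
                    if first <= n.broadcast_address and last >= n.network_address]
        # Servers inside the pool could be handed out to a client as its address.
        hit_srv = [str(s) for s in servers if first <= s <= last]
        if hit_nets or hit_srv:
            findings[name] = {"subnets": hit_nets, "servers": hit_srv}
    return findings


if __name__ == "__main__":
    for pool, hits in audit_pools(SAMPLE_CONFIG).items():
        print(pool, "overlaps", hits["subnets"], "and contains", hits["servers"])
```
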

A.V., Lead Engineer, Author Commented:
I am not sure all of this applies above.  The users are using pptp to connect.  The pool that the users should pool from are  I believe I got that part in there correctly because when I connect now I get an appropriate IP address but the subnet is wrong.  It says  I have pasted my show run below with a few minor adjustments for privacy.  Keep in mind I am still new at this :)  Do I still need to add all of the before mentioned is?  Thanks again!

hostname ****Core
enable secret 5 $1$uABi$v3I3aA/8fRBUvbJCF1USd1
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
no ip domain lookup
vpdn enable
vpdn-group 1
 ! Default PPTP VPDN group
 protocol pptp
 virtual-template 1
username ****** privilege 15 password 7 13061E0108035578786438213C341A0B13040416080D
username ******** password 7 020707581E0A062F475E1E48574446
username ******** password 7 121806140707050A213B3379616676
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group aaaaaaaaa
 key aaaaaaaaaaa
 pool ipsec
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
 ip address 70.169.X.X 255.255.X.X
 duplex auto
 speed auto
 crypto map clientmap
interface FastEthernet0/1
 description $ETH-WAN$
 ip address 66.152.X.X 255.255.X.X
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 switchport access vlan 2
interface FastEthernet0/1/1
 switchport access vlan 2
interface FastEthernet0/1/2
 switchport access vlan 2
interface FastEthernet0/1/3
 switchport access vlan 2
interface FastEthernet0/3/0
 switchport access vlan 3
interface FastEthernet0/3/1
 switchport access vlan 3
interface FastEthernet0/3/2
 switchport access vlan 3
interface FastEthernet0/3/3
 switchport access vlan 3
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool pptp
 no keepalive
 ppp encrypt mppe auto
 ppp authentication pap chap ms-chap
interface Vlan1
 no ip address
interface Vlan2
 ip address 70.169.X.X 255.255.X.X
 ip policy route-map ISP1
interface Vlan3
 ip address 66.152.X.X 255.255.X.X
 ip policy route-map ISP2
ip local pool ipsec
ip classless
ip route FastEthernet0/0
ip route 66.152.X.X 30
ip http server
no ip http secure-server
access-list 198 permit ip 70.169.X.X any
access-list 199 permit ip 66.152.X.X any
route-map ISP2 permit 10
 match ip address 199
 set ip next-hop 66.152.X.X
route-map ISP1 permit 10
 match ip address 198
 set ip next-hop 70.X.X.X
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password 7 14001303030B78
Your configuration has this line which is causing them to get the 172.16.3.x address:

"ip local pool ipsec

Change it to this:

ip local pool ipsec

In Cisco, pptp is called Cisco Easy VPN server.

A.V., Lead Engineer, Author Commented:
No I am using the Microsoft client.  As mentioned above, I am now getting the correct IP address because I changed the local pool for pptp.  However I am still unable to access anything on the network even by IP.  I am assuming it's because it's assigning me the incorrect subnet mask?
Sorry, didn't catch that.  I notice you are not doing any splits here.  Using Cisco VPN Client or Microsoft VPN client is all the same.

Post the output from this command:

router# show crypto ipsec client ezvpn
router# debug crypto ipsec client ezvpn

A.V., Lead Engineer, Author Commented:
Core#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4
Core#debug crypto ipsec client ezvpn
EzVPN debugging is on