Cisco VPN on a router that is not the default gateway?

Posted on 2009-04-01
Last Modified: 2012-05-06
I installed a Cisco 2621 Router that is supposed to provide VPN access into a network. The VPN connects fine, but I am only able to ping a couple of switches. I suspect it is because the Router that is providing the VPN is not the default gateway for the network. Is there any way to force the Cisco to blindly push all traffic to an internal IP address (the default gateway) or do I just have my access-lists wrong?

Below are the interesting portions of my config.
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group vpn-mobile-user
 pool ippool
 acl 105
crypto ipsec transform-set default-set esp-3des esp-sha-hmac 
crypto mib topn interval 60
crypto dynamic-map default-map 13
 set transform-set default-set 
crypto map mobile-map client authentication list vpn-mobile-user
crypto map mobile-map isakmp authorization list vpn-mobile-user
crypto map mobile-map client configuration address respond
crypto map mobile-map 13 ipsec-isakmp dynamic default-map 
interface FastEthernet0/0
 ip address x.x.x.x
 ip nat outside
 no cdp enable
 crypto map mobile-map
interface FastEthernet0/1
 ip address
 ip nat inside
 speed auto
 no cdp enable
router eigrp 100
 redistribute static
 no auto-summary
ip local pool ippool
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip classless
ip route x.x.x.x
no ip http server
no ip http secure-server
access-list 105 permit ip
access-list 125 deny   ip
access-list 125 deny   ip
access-list 125 permit ip any
no cdp run
route-map nonat permit 10
 match ip address 125


Question by:ulink

Expert Comment

by:Ilir Mitrushi
ID: 24047738
You are using split tunneling defined by acl 105. This means that the remote client will know only this subnet and will route and encrypt data only for this subnet. You can include more subnets into this list or remove the list altogether, in which case all traffic on the remote client will be routed through the vpn tunnel. For the main site to know how to route traffic to the vpn client you can add reverse-route to your config under dynamic-map or add static routes manually to your config. You can find an excellent series on vpn and other topics at this link

Accepted Solution

lrmoore earned 500 total points
ID: 24067176
>ip local pool ippool
Just add a static route on the router that is the default gateway, pointing this subnet to this vpn router.

Author Comment

ID: 24088416
That did the trick, thanks

Expert Comment

by:Ilir Mitrushi
ID: 24089171
Out of curiosity, can vpn users on the pool have access to all your internal subnets just by adding the static route on your default gateway router? It was my understanding that the vpn client will insert routes only for subnets specified on the split tunnel acl.

Author Comment

ID: 24091462
I believe the problem in this case is that packets could get into the network, but nothing could get back out because all packets not destined for the internal network get sent to the Router. So the Router needs to know how to get the packets back to the ip pool.

Expert Comment

by:Ilir Mitrushi
ID: 24091566
Yes, of course this is the case for traffic coming from the vpn ip pool towards the subnet declared on acl 105. I assumed that you wanted to give access to other internal subnets beside the subnet. This is why I suggested the modification of acl 105. This issue is separate from adding the necessary routes from your main router to the vpn router.
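To tie the two points together (the split-tunnel acl 105 and reverse-route from Ilir Mitrushi's comment, and the static route on the default gateway from the accepted answer), here is an added example configuration. It is not the asker's config or Cisco documentation; every address and subnet in it is a constructed placeholder.

```cisco
! --- VPN router (the Cisco 2621 that is NOT the default gateway) ---
! Constructed example addressing:
!   10.10.0.0/24     = inside LAN on Fa0/1 (VPN router = 10.10.0.2)
!   10.10.1.0/24     = a second internal subnet VPN users should reach
!   192.168.200.0/24 = VPN client pool
!   10.10.0.1        = the default-gateway router for the LAN
ip local pool ippool 192.168.200.1 192.168.200.254
!
! Split-tunnel ACL: the client only routes and encrypts what this list
! matches, so add one line per internal subnet VPN users need.
access-list 105 permit ip 10.10.0.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 105 permit ip 10.10.1.0 0.0.0.255 192.168.200.0 0.0.0.255
!
! Keep VPN traffic out of NAT so replies toward the pool are not translated.
access-list 125 deny   ip 10.10.0.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 125 deny   ip 10.10.1.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 125 permit ip any any
!
! Reverse route injection: a static host route is installed for each
! connected client; the existing "redistribute static" under
! "router eigrp 100" then advertises it to EIGRP neighbours.
crypto dynamic-map default-map 13
 set transform-set default-set
 reverse-route
!
! --- Default-gateway router (10.10.0.1) ---
! If it does not learn the pool via EIGRP 100, route the whole pool to
! the VPN router's inside address, as in the accepted answer.
ip route 192.168.200.0 255.255.255.0 10.10.0.2
```

With either the EIGRP-learned host routes or the static route in place, `show ip route 192.168.200.0` on the default gateway should list the VPN router as the next hop before you test from a client.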
