topic My VPN doesn't work.!!! in Network Security

My VPN doesn't work.!!!

Antonio Brandao — Fri, 21 Feb 2020 09:52:58 GMT

Hi All,

I configured a sample VPN in a 2611 Router to connect via Cisco VPN Client Sfw from a Remote PC on internet.

When the tunnel is estabilished, all networks stop to work in my PC.

I can't access the LAN inside.

Could anybody help me to solve this problem ?

Follow my config :

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

service linenumber

hostname mtech_lab_rt1

boot-start-marker

boot-end-marker

enable password xxx

no network-clock-participate slot 1

no network-clock-participate wic 0

aaa new-model

aaa authentication login LOCALUSERS local

aaa session-id common

ip subnet-zero

ip domain name xxx.com

ip cef

ip audit po max-events 100

username dticsco password 0 xxx

ip ssh time-out 60

ip ssh authentication-retries 2

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp client configuration group HOME

key xxx

dns 192.168.0.4

domain xxx.com

pool CLIENT_ADDRESSES

crypto ipsec transform-set MTECHVPN_SET esp-3des esp-sha-hmac

crypto dynamic-map CLIENT_MAP 1

set transform-set MTECHVPN_SET

reverse-route

crypto map MTECHVPN_VPN client authentication list LOCALUSERS

crypto map MTECHVPN_VPN isakmp authorization list LOCALUSERS

crypto map MTECHVPN_VPN client configuration address respond

crypto map MTECHVPN_VPN 100 ipsec-isakmp dynamic CLIENT_MAP

interface FastEthernet0/0

ip address 192.168.0.130 255.255.255.0

ip nat inside

duplex auto

speed auto

interface FastEthernet0/1

ip address 41.x.x.15 255.255.254.0

ip nat outside

duplex auto

speed auto

crypto map MTECHVPN_VPN

ip local pool CLIENT_ADDRESSES 192.168.2.1 192.168.2.10

ip nat inside source list NATLIST interface FastEthernet0/1 overload

ip nat inside source static tcp 192.168.0.6 25 41.x.x.15 25 extendable

ip nat inside source static tcp 192.168.0.6 110 41.X.X.15 110 extendable

ip http server

no ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 41.x.x.1

ip route 192.168.0.0 255.255.255.0 FastEthernet0/0

ip access-list standard NATLIST

permit 192.168.0.0 0.0.0.255

dial-peer cor custom

line con 0

location work

exec-timeout 30 30

password cisco

line aux 0

password cisco

line vty 0 4

transport input ssh

end

Thanks

Re: My VPN doesn't work.!!!

ajagadee — Wed, 30 Jan 2008 03:40:06 GMT

You have to bypass NAT for traffic from your LAN to the VPN Client Pool of IP Addresses. Please follow the below URL for configuration details.

http://www.cisco.com/warp/customer/707/static.html

Regards,

Arul

** Please rate all helpful posts **

Re: My VPN doesn't work.!!!

Antonio Brandao — Wed, 30 Jan 2008 08:03:33 GMT

Hi Arul,

I did not understand how i will apply this this information in my scenary.

Do you have sure that is same scenary ?

Please notice that in my topology, i have a router that receives a VPN from remote teleworks, in diferents subnets, and is not a scenary point to point how explain the example that you sent.

Re: My VPN doesn't work.!!!

dominic.caron — Thu, 31 Jan 2008 14:27:36 GMT

What Arul said is not bad. Even if it's not the main cause of your problem, your DNS will not be reachable from the tunnel.

Every answer to your client from your DNS will be NATed. Your client will not accept it.

Re: My VPN doesn't work.!!!

Antonio Brandao — Thu, 31 Jan 2008 14:42:12 GMT

Hi Dominic,

Sorry, but i don't understood .

Im newbie in VPNs.

In the pratice what i have to do to my network become visible to my vpn client.

Wich is the NAT rule that i have to create.

Tks.

Re: My VPN doesn't work.!!!

Antonio Brandao — Mon, 04 Feb 2008 17:16:13 GMT

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

service linenumber

hostname mtech_lab_rt1

boot-start-marker

boot-end-marker

enable password MtechP@zz11E

no network-clock-participate slot 1

no network-clock-participate wic 0

aaa new-model

aaa authentication login USERAUTHEN local

aaa authorization network GROUPAUTHOR local

aaa session-id common

ip subnet-zero

ip domain name mydomain.com

ip cef

ip audit po max-events 100

username antonio password 0 tonhao01

username dticsco password 0 dt!czc0

username ricardo password 0 ric123

username belarmino password 0 bneves0511

ip ssh time-out 60

ip ssh authentication-retries 2

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

crypto isakmp client configuration group MTECHVPN

key Mdt@Vpn!zz030459

dns 192.168.0.4

wins 192.168.0.4

domain mydomain.com

pool ippool

acl 101

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10

set transform-set myset

reverse-route

crypto map clientmap client authentication list USERAUTHEN

crypto map clientmap isakmp authorization list GROUPAUTHOR

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

interface FastEthernet0/0

ip address 192.168.0.130 255.255.255.0

ip nat inside

duplex auto

speed auto

interface FastEthernet0/1

ip address 41.x.x.15 255.255.254.0

ip nat outside

duplex auto

speed auto

crypto map clientmap

ip local pool ippool 10.1.1.10 10.1.1.20

ip nat inside source list 111 interface FastEthernet0/1 overload

ip http server

no ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 41.x.x.1

access-list 101 permit ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 111 deny ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 111 permit ip any any

dial-peer cor custom

line con 0

location work

exec-timeout 30 30

password 7 02050D480809

line aux 0

password 7 0822455D0A16

line vty 0 4

transport input ssh

end