topic Re: VPN Configuration on Cisco 2621 in Network Security

VPN Configuration on Cisco 2621

bbellamy — Fri, 21 Feb 2020 06:32:45 GMT

Can anyone help with this strange problem I'm having with

configurating VPN on the Cisco. I can connect with the Cisco Client

succesfuly, but I can only telnet to the devices which are not in

access list 101:

access-list 101 permit ip 10.3.200.0 0.0.0.255 any

access-list 101 permit ip 10.3.100.0 0.0.0.255 any

route-map NIC permit 5

match ip address 101

set default interface FastEthernet0/1

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 permanent

The interfaces are configured as below and we're using NAT.

interface FastEthernet0/0

ip address 10.3.1.1 255.255.0.0

ip nat inside

ip policy route-map NIC

duplex auto

speed auto

no cdp enable

interface FastEthernet0/1

ip address XXX.XXX.XXX.XXX 255.255.255.192

ip nat outside

duplex auto

speed auto

no cdp enable

crypto map clientmap

Is NAT causing the problem???

Re: VPN Configuration on Cisco 2621

gmiiller — Thu, 06 Feb 2003 21:52:33 GMT

I'm not entirely sure what you're trying to do with your policy route-map. So I'll just cover off on my understanding of what your policy routing is accomplishing.

First, I'm never a fan of default routes referring to ethernet interfaces, as you usually end up with a huge arp cache wasting router resources.

Now, for your policy routing, remembering that your default route is fast 0/1.

Your policy route says " If traffic is coming from 10.3.100.0 or 10.3.200.0, and you don't have a route for the destination, use interface fast 0/1"

Your default route would have accomplished this anyway. Are there more entries in your route-map? What is it that your route-map is supposed to do?

Re: VPN Configuration on Cisco 2621

bbellamy — Fri, 07 Feb 2003 09:38:59 GMT

Thanks for your reply, I have included a more detail config below to help further. The route map is configured for connections to Fast 0/0, and if they match the address in 101 then use the Fast 0/1.

When I connect via the cisco VPN client, I connect successfully but can only contact the system who are not specified in 101. How can I modify the config so I can conntact the systems in the 101 poilcy via VPN?

Here's a more detailed config which should help:

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

crypto isakmp client configuration group XXXXXX

key XXXXXX

pool nicvpnpool

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto dynamic-map dynmap 10

set transform-set myset

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

isdn switch-type basic-net3

isdn voice-call-failure 0

mta receive maximum-recipients 0

interface FastEthernet0/0

ip address 10.1.1.3 255.255.0.0

ip nat inside

ip policy route-map niclan

duplex auto

speed auto

no cdp enable

interface FastEthernet0/1

description Kingston Internet

ip address 21X.X.X.X 255.255.XXX.XXX

ip nat outside

duplex auto

speed auto

no cdp enable

crypto map clientmap

ip local pool nicvpnpool 10.2.1.1 10.2.1.254

ip nat translation timeout 119

ip nat inside source list 101 interface FastEthernet0/1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 21X.XXX.XXX.XXX permanent

no ip http server

access-list 101 remark Internet

access-list 101 permit ip 10.1.4.0 0.0.0.255 any

access-list 101 permit ip 10.1.3.0 0.0.0.255 any

route-map niclan permit 5

match ip address 101

set default interface FastEthernet0/1

radius-server authorization permit missing Service-Type

no call rsvp-sync

mgcp profile default

dial-peer cor custom

banner login

########################################

# #

# UNAUTHORISED ACCESS PROHIBITED #

########################################

line con 0

exec-timeout 0 0

privilege level 0

password 7 XXXXXXXXXXXX

line aux 0

line vty 0 4

access-class 2 in

exec-timeout 0 0

privilege level 0

password 7 XXXXXXXXXX

end

Re: VPN Configuration on Cisco 2621

gmiiller — Tue, 11 Feb 2003 06:00:24 GMT

Suggest that you look at reverse route injection on your crypto.

Re: VPN Configuration on Cisco 2621

bbellamy — Tue, 11 Feb 2003 07:39:22 GMT

Sorry but I dont have much cisco experience - How can I achive this (reverse route injection on your crypto)?

Kind Regards,

Re: VPN Configuration on Cisco 2621

gmiiller — Wed, 12 Feb 2003 05:15:05 GMT

try this:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087d1e.html#1054344