01-02-2009 12:47 AM - edited 02-21-2020 03:11 AM
Hi, I have configured an 877 as an Easy VPN server. When a client connects to the VPN, it can only reach the native VLAN:
VPN clients: 192.168.2.0/24
VLAN 1(native): 192.168.1.0/24
VLAN 100 (voice): 192.168.100.0/24
There must be something wrong in the config, but I can't find the error. This is my config:
! AAA setup for the Easy VPN server: XAUTH user login plus group (network) authorization.
aaa new-model
!
!
! Two named RADIUS server groups, both pointing at 192.168.1.201 on the legacy 1645/1646 ports.
! NOTE(review): the method lists further down use "group radius" and "local" rather than
! these named groups, so the groups look unused in this excerpt - confirm.
aaa group server radius sdm_vpn_xauth_ml_1
server 192.168.1.201 auth-port 1645 acct-port 1646
!
aaa group server radius sdm_vpn_group_ml_1
server 192.168.1.201 auth-port 1645 acct-port 1646
!
! XAUTH login list: RADIUS first, then the local user database.
! NOTE(review): the local fallback means local usernames (not shown here) are also valid
! VPN logins whenever RADIUS does not answer - confirm they are few and strong.
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authorization exec default local
! Group policy for VPN clients is authorized locally, i.e. taken from the
! "crypto isakmp client configuration group" section of this config.
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
!
! Global services and the DHCP server for the native LAN.
dot11 syslog
ip cef
no ip dhcp use vrf connected
! Addresses .1-.10 of the LAN are kept out of the DHCP pool.
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
! DHCP scope for 192.168.1.0/24 (VLAN 1). Clients get this router (192.168.1.2) as gateway.
! No pool for 192.168.100.0/24 (VLAN 100) is defined in this excerpt, so the voice hosts'
! gateway is set somewhere else - relevant to the return path for VPN traffic.
ip dhcp pool DHCP_pool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.2
dns-server 192.168.1.3 80.58.61.250 80.58.61.254
netbios-name-server 192.168.1.3
domain-name nirgal.es
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name nirgal
!
!
!
!
! IKE phase 1 proposals offered to VPN clients. Both authenticate with a pre-shared key
! and use Diffie-Hellman group 2; policy 1 encrypts with 3DES, policy 2 with AES-256.
! No hash is configured, so the platform default applies.
! NOTE(review): 3DES and DH group 2 are legacy choices. Where the client software and
! IOS image allow it, remove policy 1 and move policy 2 to a stronger DH group.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
!
! Easy VPN group policy for clients that identify as group VPNNirgal: DNS/WINS server,
! domain, address pool, split-tunnel ACL, user limit and netmask.
! NOTE(review): the "key" line below is the group pre-shared key in clear text in a public
! post. It is shared by every client, so it identifies the group, not the user; per-user
! security rests on XAUTH. Rotate this key and post a placeholder such as <group-key>.
crypto isakmp client configuration group VPNNirgal
key 08nirgal0708
dns 192.168.1.3
wins 192.168.1.3
domain nirgal
! Client addresses come from SDM_POOL_1 (192.168.2.1-192.168.2.254, defined later).
pool SDM_POOL_1
! ACL 100 is the split-tunnel list: its source networks are what clients send through the tunnel.
acl 100
max-users 254
netmask 255.255.255.0
! IKE profile: matches the group identity, runs XAUTH against the login list, authorizes the
! group with the network list, answers client address requests and clones Virtual-Template1
! for each session.
crypto isakmp profile sdm-ike-profile-1
match identity group VPNNirgal
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
! IPsec (phase 2) protection: ESP with AES and SHA HMAC, as the transform-set name indicates.
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
!
! IPsec profile applied to the virtual tunnel interface; ties the transform set to the IKE profile.
crypto ipsec profile SDM_Profile1
set transform-set ESP-AES128-SHA
set isakmp-profile sdm-ike-profile-1
!
!
! Configuration change logging, with key material suppressed in the logged commands.
! NOTE(review): hidekeys affects only this change log. It does not protect keys in the
! running configuration, which is where the clear-text group key above sits.
archive
log config
hidekeys
!
!
!
!
!
! Physical ADSL interface; addressing lives on the ATM0.1 subinterface.
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
! WAN subinterface (NAT outside) on PVC 8/32. This is where VPN clients terminate.
! NOTE(review): no inbound access-group or inspection rule is visible on this interface
! in the excerpt - confirm how Internet-facing traffic to the router is filtered.
interface ATM0.1 point-to-point
ip address <public ip> <netmask>
ip nat outside
ip virtual-reassembly
pvc 8/32
encapsulation aal5snap
!
!
! Switch ports: FastEthernet0 is a trunk; FastEthernet1-3 carry no explicit configuration.
! NOTE(review): the Vlan100 interface only comes up if VLAN 100 exists on the switch and is
! active on a port (e.g. carried on this trunk) - check with "show ip interface brief".
interface FastEthernet0
switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! Template cloned per VPN session: an IPsec tunnel interface borrowing the WAN address,
! protected by IPsec profile SDM_Profile1.
! NOTE(review): no access list is applied here, so once routing works every VPN user can
! reach every inside subnet, voice VLAN included - restrict if that is broader than intended.
interface Virtual-Template1 type tunnel
ip unnumbered ATM0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
! Native LAN gateway (192.168.1.0/24), NAT inside.
interface Vlan1
description LOCAL LAN
ip address 192.168.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
! Voice VLAN gateway (192.168.100.0/24), NAT inside. Hosts here answer VPN clients through
! this router only if their route to 192.168.2.0/24 points at 192.168.100.1.
interface Vlan100
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
! Address pool handed to VPN clients (192.168.2.0/24).
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.254
ip forward-protocol nd
! Primary default route via the ISP, plus a floating default (distance 2) via LAN host 192.168.1.252.
ip route 0.0.0.0 0.0.0.0 <next hop public ip>
ip route 0.0.0.0 0.0.0.0 192.168.1.252 2
! Host route to 192.168.100.5 via 192.168.100.254, i.e. another router-like device in VLAN 100.
! NOTE(review): if VLAN 100 hosts use 192.168.100.254 as their default gateway, replies to
! the VPN pool (192.168.2.0/24) go to that device, not back into the tunnel. That would match
! the reported symptom - confirm that device has a route to 192.168.2.0/24 via 192.168.100.1.
ip route 192.168.100.5 255.255.255.255 192.168.100.254
!
! Web management: plain HTTP and HTTPS are both enabled with local authentication; the
! timeout policy allows a session life of 86400 seconds.
! NOTE(review): no "ip http access-class" is visible here. Prefer "no ip http server" (HTTPS
! only) and limit management access to trusted source addresses.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! PAT on the WAN interface for traffic permitted by route-map No_NAT (ACL 101).
ip nat inside source route-map No_NAT interface ATM0.1 overload
!
!
! ACL 100 - split-tunnel list referenced by the VPN group: LAN, voice and the client pool.
! NOTE(review): the 192.168.2.0 entry is the client pool itself; presumably not needed - confirm.
access-list 100 remark VPN_CLIENTE
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
! ACL 101 - NAT selection: the two deny lines exempt LAN-to-VPN-pool and voice-to-VPN-pool
! traffic from NAT; everything else from the two inside subnets is translated.
access-list 101 remark NAT_INSIDE_VPN
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
! CDP is disabled globally.
no cdp run
!
!
route-map No_NAT permit 1
match ip address 101
!
! RADIUS server and shared secret. The secret is stored as type 7, which is reversible
! obfuscation rather than encryption, so redacting it in the post was the right call.
radius-server host 192.168.1.201 auth-port 1645 acct-port 1646 key 7 <key>
!
Thanks.
01-05-2009 03:06 AM
Any solution?
Thanks.