10-31-2008 06:33 AM - edited 03-09-2019 09:45 PM
Hi Experts,
I am running into an issue. I have a site-to-site VPN which is running great. Now I am trying to configure remote access for my clients through the VPN client.
The problem right now is that only one crypto map is supported per interface.
I understand that I need to create a subinterface on my serial one, but which IP address can I use, since I have subnet 30 and no more external IPs are available to me?
I hope my question is clear.
Thanks for your help.
10-31-2008 07:05 AM
Hi, you don't have to configure a sub-interface. You need to configure site-to-site and remote access VPN in the same crypto map.
The crypto map has sequence numbers (10, 20, 30, up to 65535), and they are processed from the lowest number to the highest.
You need to configure a crypto dynamic map, and then tie this dynamic map into the crypto map that is already on the interface.
10-31-2008 07:11 AM
In addition to the previous post, here is a link to a doc which covers configuring both site-to-site and VPN clients on the same router.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml
Jon
10-31-2008 09:19 AM
Thanks guys for the replies.
I did follow the link above and I can get in and even receive an IP address; however, there is no internet browsing nor browsing into my LAN.
I guess I am missing something.
Thanks again
10-31-2008 09:51 AM
Have a look at this link, which covers the most common connectivity problems for both site-to-site and remote access VPNs -
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Jon
11-03-2008 12:14 PM
Hi,
Thanks for the link; still no luck with my dynamic VPN access.
I still can't ping my LAN from the VPN nor browse the internet. Here is my config.
Please let me know what I am doing wrong.
Thanks again
hostname myrouter
!
boot-start-marker
boot system flash c2800nm-advipservicesk9-mz.124-6.T2.bin
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5
!
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone NewYork -7
!
!
voice-card 0
no dspfarm
!
!
!
username 1 privilege 15 secret 5 $1$INVD$TZsrqqtNTJx5FGNgDLKAG.
username 2 privilege 15 secret 5 $1$eLwX$vjRn0J6/HCwhfRU0jaRqE.
username 3 privilege 15 secret 5 $1$OPSY$k3d/vmDP1SUu5utDtHICb.
!
!
crypto keyring spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key key12
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 15
encr 3des
authentication pre-share
group 2
crypto isakmp key key10 address 6.6.6.6
!
crypto isakmp client configuration group testgroup
key key12
dns 192.168.0.168
domain vi.us
pool ippool
crypto isakmp profile vpnclient
description vpn profiles
match identity group testgroup
client authentication list clientauth
isakmp authorization list groupauthor
client configuration address respond
!
!
crypto ipsec transform-set zuzu esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto dynamic-map nolan 5
set transform-set myset
set isakmp-profile vpnclient
!
!
crypto map nolan 10 ipsec-isakmp dynamic nolan
crypto map nolan 15 ipsec-isakmp
set peer 6.6.6.6
set transform-set zuzu
match address 120
!
!
!
!
interface FastEthernet0/1
description LAN
ip address 192.168.0.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
!
interface Serial0/0/0
ip address 2.1.2.9 255.255.255.252
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
shutdown
!
interface Serial0/1/0
ip address 20.1.2.5 255.255.255.252
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
service-module t1 clock source internal
crypto map nolan
!
interface Vlan1
no ip address
!
router rip
passive-interface Serial0/1/0
network 192.168.168.0
network 192.168.200.0
!
ip local pool ippool 192.168.6.1 192.168.6.5
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
ip route 192.168.0.0 255.255.255.0 FastEthernet0/1
ip route 192.168.6.0 255.255.255.0 Serial0/1/0
ip route 192.168.200.0 255.255.255.0 Serial0/1/0
!
ip flow-top-talkers
top 30
sort-by bytes
!
ip http server
no ip http secure-server
!
l
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.168.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 20.1.2.5 0.0.0.3 host 6.6.6.6
access-list 120 permit ip 192.168.168.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 125 permit ip 192.168.168.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 130 deny ip 192.168.168.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 130 permit ip 192.168.0.0 0.0.0.255 any
!
!
route-map ISP2 permit 10
match ip address 130
match interface Serial0/0/0
!
route-map nonat permit 10
match ip address 130
match interface Serial0/1/0
!
!
control-plane
!
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 3 in
!
no scheduler allocate
!
no inservice
!
!
end
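An added example, not part of the original thread: a small Python check that evaluates ACL 130 from the posted config (the list matched by `route-map nonat`) with first-match semantics for a LAN host talking to an address in `ippool`, and lists the weak transforms in the two transform sets. The posted config shows no `ip nat inside source` statement, so treating the route-map as the NAT match criterion is an assumption; the host address 192.168.0.10 is constructed.

```python
import ipaddress

# Constructed input: lines copied from the posted configuration.
ACL_130 = [
    "access-list 130 deny ip 192.168.168.0 0.0.0.255 192.168.200.0 0.0.0.255",
    "access-list 130 permit ip 192.168.0.0 0.0.0.255 any",
]
TRANSFORM_SETS = [
    "crypto ipsec transform-set zuzu esp-des esp-md5-hmac",
    "crypto ipsec transform-set myset esp-des esp-md5-hmac",
]
WEAK = {"esp-des", "esp-md5-hmac"}  # single DES and HMAC-MD5


def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    if tokens[0] == "any":
        del tokens[0]
        return 0, 0xFFFFFFFF
    if tokens[0] == "host":
        base = int(ipaddress.IPv4Address(tokens[1]))
        del tokens[:2]
        return base, 0
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    del tokens[:2]
    return base, wild


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src, dst)."""
    tokens = line.split()
    rest = tokens[4:]
    return tokens[2], _take_addr(rest), _take_addr(rest)


def _match(ip, spec):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)


def acl_verdict(acl_lines, src_ip, dst_ip):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for line in acl_lines:
        action, src, dst = parse_ace(line)
        if _match(src_ip, src) and _match(dst_ip, dst):
            return action
    return "deny"


def weak_transforms(lines):
    """Map each transform-set name to the weak transforms it uses."""
    return {l.split()[3]: sorted(WEAK & set(l.split()[4:])) for l in lines}
```

A `permit` verdict for LAN-to-pool traffic means ACL 130 selects that flow, so under the stated assumption replies to VPN clients would be translated; a `deny` entry for the 192.168.6.0 pool ahead of the permit line would exempt them.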