887VA VPN Connected but no SSH or Telnet to LAN Server.

JaseGill71
Level 1

Hello all,

I have a VPN set up using Cisco EasyVPN with Cisco Configuration Professional.

The ADSL on ATM0 and Dialer0 was also set up using CCP.

The problem I have is that the VPN comes up fine but I cannot SSH or Telnet to a Server on the LAN. The Server is set up with a fixed IP Address of 10.0.0.2 255.255.255.0 and I can SSH into it from the 887VA successfully and can also SSH in using another client on the same IP range (on 10.0.0.3).

What I need to be able to do is allow a remote user to SSH or Telnet into the server on 10.0.0.2.  VPN Clients when dialed in are being given ip addresses in the Pool I configured between 10.0.0.100 and 10.0.0.104.

I am at the point where my own expertise, ability to fault trace and understand Cisco IOS is at an end, so any help would be greatly appreciated.

My configuration is as follows with Username/Passwords redacted for obvious reasons:
 

Building configuration...

Current configuration : 5162 bytes
!
! Last configuration change at 14:44:56 UTC Thu May 29 2014 by §§§§§§§§§
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 887VA
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 oArOwHY.G7mYl96WVWpLXRYl8uu5KW4znvxy.yGI1Bw
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-4026781950
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4026781950
 revocation-check none
 rsakeypair TP-self-signed-4026781950
!
!
crypto pki certificate chain TP-self-signed-4026781950
 certificate self-signed 01
        quit
!
!
!
!


!
!
!
!
ip name-server 194.72.9.38
ip name-server 194.72.9.34
ip name-server 194.72.0.98
ip name-server 194.72.0.114
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn FCZ1806C4Z6
!
!
username §§§§§§§§§ privilege 15 secret 4 oArOwHY.G7mYl96WVWpLXRYl8uu5KW4znvxy.yGI1Bw
username §§§§§§§§ privilege 15 password 0 §§§§§§§§§
username §§§§§§§§ password 0 §§§§§§§§§
!
!
!
!
!
controller VDSL 0
 operating mode adsl2+
 modem ukfeature
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group §§§§§§§§§
 key §§§§§§§§§
 pool SDM_POOL_1
 max-users 5
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN_HH_ACDM
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.0
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 ip address §§§§§§§§§ §§§§§§§§§
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname §§§§§§§§§
 ppp chap password 0 §§§§§§§§§
 ppp ipcp mask request
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
!
ip local pool SDM_POOL_1 10.0.0.100 10.0.0.104
ip default-gateway 10.0.0.1
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.2 22 interface Vlan1 22
ip nat inside source static tcp 10.0.0.2 23 interface Vlan1 23
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input telnet ssh
 transport output telnet ssh
line vty 5 15
 transport input telnet ssh
 transport output telnet ssh
!
!
end

887VA#

3 Replies

Hello

The default PAT statement should be applicable without specifying static NAT also.

Have you tried removing these two static NAT statements?

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul,

I have tried it with and without the static NAT in there and get the same response.
I've read somewhere, can't remember where, that the IP Pool of the VPN connections should not be in the same range as the inside machines themselves.

Could it be as simple as that? It was going to be my next move.

Rgds,

J.
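
The overlap J. describes can be checked mechanically. The following is an added example, not part of the original thread and not a confirmed fix: it reads a config excerpt (constructed from the lines posted above) and reports any `ip local pool` range that falls inside a connected interface subnet, together with that interface's proxy-ARP setting. The function names are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt: the lines of the posted configuration relevant to the check.
CONFIG = """\
interface Loopback0
 ip address 10.10.10.10 255.255.255.0
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
ip local pool SDM_POOL_1 10.0.0.100 10.0.0.104
"""

def parse_interfaces(cfg):
    """Return {interface: {"net": IPv4Network or None, "proxy_arp": bool}}."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            # Proxy ARP is on by default in IOS unless 'no ip proxy-arp' appears.
            cur = ifaces.setdefault(m.group(1), {"net": None, "proxy_arp": True})
        elif cur is not None and not line.startswith(" "):
            cur = None  # an unindented line ends the interface block
        elif cur is not None and (m := re.match(r" ip address ([\d.]+) ([\d.]+)$", line)):
            cur["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif cur is not None and line.strip() == "no ip proxy-arp":
            cur["proxy_arp"] = False
    return ifaces

def parse_pools(cfg):
    """Return {pool name: (first address, last address)} from 'ip local pool' lines."""
    found = re.findall(r"^ip local pool (\S+) ([\d.]+) ([\d.]+)$", cfg, re.M)
    return {n: (ipaddress.ip_address(lo), ipaddress.ip_address(hi)) for n, lo, hi in found}

def pool_overlaps(cfg):
    """List pools whose range intersects a connected interface subnet.

    Hosts on that subnet treat pool addresses as on-link and ARP for them
    instead of sending replies to their gateway.
    """
    hits = []
    for pool, (lo, hi) in parse_pools(cfg).items():
        for name, info in parse_interfaces(cfg).items():
            net = info["net"]
            if net and lo <= net.broadcast_address and hi >= net.network_address:
                hits.append({"pool": pool, "interface": name, "subnet": str(net),
                             "proxy_arp_enabled": info["proxy_arp"]})
    return hits

if __name__ == "__main__":
    for hit in pool_overlaps(CONFIG):
        print(hit)
```
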

Hello

I didn't even notice the local pool configuration.

To be honest I've never set an Easy VPN up - but I assume you try removing it and use DHCP instead?

res

Paul

