01-21-2014 03:52 AM - edited 03-04-2019 10:07 PM
Hello,
I am trying to do the following:
I get the VPN established, but can't access the internet from my client.
I want to get my public IP on the remote client.
Thanks for any help. I have been trying for many hours and failing, so there might be some configuration missing or misplaced.
Altibox#sh run
Building configuration...
Current configuration : 4641 bytes
!
! Last configuration change at 11:38:13 UTC Tue Jan 21 2014 by xxxxx
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Altibox
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 4 uL3ahII.qXcmuiG8zcrkZkgNezrXtDCZ.UPBVEbygK2
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userlist local
aaa authentication enable default enable
aaa authorization exec default local
aaa authorization network default local
aaa authorization network VPNGROUP local
!
!
aaa session-id common
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.15
!
ip dhcp pool LAN
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
domain-name xxxx
dns-server x.x.x.3 x.x.x.53
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
license udi pid C892FSP-K9 sn FCZ173992BG
!
!
username xxxx privilege 15 secret 4 xxxxxxxxxxxxxxxxxxxxxx
username VPN password 0 vpn
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp nat keepalive 3600
crypto isakmp client configuration address-pool local vpnpool
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group VPNGROUP
key xxxx
domain xxxx
pool vpnpool
acl 144
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
!
!
crypto map dynmap client authentication list userlist
crypto map dynmap isakmp authorization list VPNGROUP
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
interface Loopback0
ip address 10.0.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
no ip address
duplex auto
speed auto
!
interface GigabitEthernet9
description *** Outside ***
ip address dhcp
ip nat outside
ip virtual-reassembly in
ip policy route-map VPN-Client
duplex auto
speed auto
crypto map dynmap
!
interface Vlan1
description *** LAN ***
ip address 10.0.0.1 255.255.255.0
no ip redirects
no ip unreachables
ip directed-broadcast
no ip proxy-arp
ip nat inside
ip virtual-reassembly in max-reassemblies 64
!
ip local pool vpnpool 10.0.1.10 10.0.1.15
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source static tcp 10.0.0.200 80 interface GigabitEthernet9 80
ip nat inside source static tcp 10.0.0.5 8081 interface GigabitEthernet9 8081
ip nat inside source static tcp 10.0.0.5 8080 interface GigabitEthernet9 8080
ip nat inside source static udp 10.0.0.5 8080 interface GigabitEthernet9 8080
ip nat inside source static tcp 10.0.0.253 5002 interface GigabitEthernet9 5002
ip nat inside source static tcp 10.0.0.254 5001 interface GigabitEthernet9 5001
ip nat inside source static tcp 10.0.0.5 1554 interface GigabitEthernet9 1554
ip nat inside source static tcp 10.0.0.5 3389 interface GigabitEthernet9 3389
ip nat inside source static tcp 10.0.0.3 3000 interface GigabitEthernet9 3000
ip nat inside source static tcp 10.0.0.190 3389 interface GigabitEthernet9 4000
ip nat inside source static tcp 10.0.0.3 5000 interface GigabitEthernet9 5000
ip nat inside source static tcp 10.0.0.3 32400 interface GigabitEthernet9 32400
ip nat inside source list 101 interface GigabitEthernet9 overload
ip nat inside source list vpnpool interface GigabitEthernet9 overload
ip route 0.0.0.0 255.255.255.0 xxxxxxxxx
ip route 10.0.1.0 255.255.255.0 Vlan1
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.0.1.2
!
access-list 101 permit ip any any
access-list 101 deny ip any any
access-list 144 permit ip 192.168.1.0 0.0.0.255 any
access-list 144 permit ip 10.0.1.0 0.0.0.255 any
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
logging synchronous
transport input all
!
scheduler allocate 20000 1000
!
end
01-25-2014 12:22 AM
Hi Jared,
I am not sure if this is possible with a crypto-map configuration. VPN Internet traffic arrives via the outside interface, should be NATed, and is then sent out again via the outside interface -> this could be the problem.
I would suggest changing your configuration to use a virtual-template. This article may help you; let me know if you need any help.
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/809-cisco-router-vpn-client.html
Best Regards
Please rate all helpful posts and close solved questions
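The virtual-template layout suggested in the reply above, written out against the posted configuration as an added example (not from the thread or the linked article). The names VPN-IKE-PROFILE, VPN-IPSEC-PROFILE and NAT-OVERLOAD are hypothetical, and it assumes the client should tunnel all traffic, so the group's split-tunnel `acl` is dropped.

```cisco
! Added example. Hypothetical names: VPN-IKE-PROFILE, VPN-IPSEC-PROFILE,
! NAT-OVERLOAD. All other names are reused from the posted configuration.
!
! Remove the crypto map and the policy routing that this design replaces
interface GigabitEthernet9
 no crypto map dynmap
 no ip policy route-map VPN-Client
!
! Without "acl" the group pushes no split-tunnel list, so the client
! sends all of its traffic, Internet included, through the tunnel
crypto isakmp client configuration group VPNGROUP
 no acl 144
!
! The ISAKMP profile ties the group, XAUTH and mode-config to the template
crypto isakmp profile VPN-IKE-PROFILE
 match identity group VPNGROUP
 client authentication list userlist
 isakmp authorization list VPNGROUP
 client configuration address respond
 virtual-template 1
!
crypto ipsec profile VPN-IPSEC-PROFILE
 set transform-set transform-1
 set isakmp-profile VPN-IKE-PROFILE
!
! Each client gets a Virtual-Access interface cloned from this template.
! Decrypted client traffic now enters on a "nat inside" interface instead
! of arriving and leaving on GigabitEthernet9 (nat outside).
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nat inside
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-IPSEC-PROFILE
!
! One overload rule for the LAN and the VPN pool (10.0.1.10 - 10.0.1.15),
! replacing "list 101" (permit ip any any) and "list vpnpool", which names
! an address pool rather than an access list
no ip nat inside source list 101 interface GigabitEthernet9 overload
no ip nat inside source list vpnpool interface GigabitEthernet9 overload
ip access-list extended NAT-OVERLOAD
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 10.0.1.0 0.0.0.255 any
!
ip nat inside source list NAT-OVERLOAD interface GigabitEthernet9 overload
```

Once a client connects, `show ip nat translations` should list entries whose inside local address comes from the 10.0.1.10 to 10.0.1.15 pool.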
01-25-2014 09:05 AM
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.0.1.2
I think there is an error in the example config.
I think you need to set the next hop to the router's loopback address, 10.0.1.1,
not 10.0.1.2; this "network" is not used anywhere in the example, just the loopback interface.
Sent from Cisco Technical Support iPad App