Router VPN Vlan access

JLVB83
Level 1

Hey folks,

I've got my VPN set up and I can make connections to the VPN, but I can't figure out the last steps required to allow the machines connected to my interface Virtual-Template1 to access my VLAN 3. Here is my config as it stands:

Using 5367 out of 262136 bytes
!
! Last configuration change at 18:08:36 UTC Thu Nov 11 2021 by jlvb83
! NVRAM config last updated at 18:08:39 UTC Thu Nov 11 2021 by jlvb83
! NVRAM config last updated at 18:08:39 UTC Thu Nov 11 2021 by jlvb83
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname CISCO1921
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$rn7O$5kouMbw3c3zjSd64bALKa0
!
aaa new-model
!
!
aaa authentication ppp VPDN_AUTH local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 10.10.20.1 10.10.20.10
!
ip dhcp pool CAMSNET
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
!
ip dhcp pool CLIENT_1
host 10.10.10.5 255.255.255.0
client-identifier 0100.1018.6f77.df
!
ip dhcp pool MAIN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
!
ip dhcp pool CLIENT_2
host 192.168.1.10 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
ip dhcp pool MGMT
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
!
ip dhcp pool CLIENT_3
host 10.10.20.6 255.255.255.0
client-identifier 017c.0ece.e732.a4
!
ip dhcp pool CLIENT_4
host 10.10.20.5 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
!
ip domain name JLVB.CA
ip inspect WAAS flush-timeout 10
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FGL160720QS
!
!
vtp domain NULL
vtp mode transparent
username jlvb83 password 7 1321051B1818052425253B32392F1A14025151060A19
username jlvbvpn privilege 15 password 7 123D171E011F0D0A242A37293F382B00134453510518
!
redundancy
!
!
!
!
vlan 2
name CAMS
!
vlan 3
name MAIN
!
!
class-map type inspect match-all IPSEC_CM
match access-group name ISAKMP_IPSEC
class-map type inspect match-any IN_OUT_CM
match access-group name IN_OUT_ACL
class-map type inspect match-all DHCP_CM
match access-group name DHCP
!
!
policy-map type inspect OUT_SELF_PM
class type inspect IPSEC_CM
pass
class type inspect DHCP_CM
pass
class class-default
drop log
policy-map type inspect IN_OUT_PM
class type inspect IN_OUT_CM
inspect
class class-default
drop log
policy-map type inspect OUT_IN_PM
class class-default
drop log
!
zone security outside
zone security inside
zone-pair security IN_OUT_ZP source inside destination outside
service-policy type inspect IN_OUT_PM
zone-pair security OUT_IN_ZP source outside destination inside
service-policy type inspect OUT_IN_PM
zone-pair security OUT_SELF_ZP source outside destination self
service-policy type inspect OUT_SELF_PM
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map dyn-map 10
set nat demux
set transform-set L2TP-Set2
!
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
!
!
!
!
interface Loopback1
ip address 192.168.2.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security outside
duplex auto
speed auto
crypto map outside_map
!
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security inside
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 3
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 99
ip address 10.10.20.1 255.255.255.0
!
interface FastEthernet0/0/0
no ip address
no mop enabled
!
interface FastEthernet0/0/1
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
no ip address
shutdown
!
interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address pool l2tp-pool
ppp authentication ms-chap-v2 VPDN_AUTH
!
interface Vlan1
no ip address
!
ip local pool l2tp-pool 192.168.2.100 192.168.2.150
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 50.65.168.1
ip route 0.0.0.0 0.0.0.0 50.65.168.1 254
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list standard IN_OUT_ACL
permit 192.168.1.0 0.0.0.255
!
ip access-list extended DHCP
permit udp any any eq bootpc
ip access-list extended ISAKMP_IPSEC
permit esp any any
permit ahp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 1701
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 106D0817041313595C547E
transport input ssh
!
scheduler allocate 20000 1000
end

16 Replies

I did that too with no luck. Now the really weird thing is, if I have the virtual-template set up as inside zone and remove the inside zone from Gi0/1.1, I can't ping my host until I remove the virtual-template from the inside zone as well. As far as I can tell none of the settings seem to matter much on the loopback adapter; only when I make changes to the virtual-template do I see any changes occur. This is a real good stumper.

Edit: if I make both Gi0/1.1 and Virtual-Template1 outside zone I can ping, so it's almost like I can't make the virtual-template an inside zone. Maybe I need to add a bunch of out-to-in firewall rules.

JLVB83
Level 1

Well, at this point, after trying to add a bunch of zone-based rules (and ending up in the same boat: able to ping the gateway but nothing on the inside zone), I can only assume that my virtual-template does play nice with zone-membership, as I see no difference with the inside security on or off, inside or outside, with my current VPN config. If zone-based security is turned off on any VLAN adapter I get full access to the VLAN. I may look into access-list security for a few specific devices on my network and create a separate VLAN for those devices. I appreciate all the help received and did learn a bunch in the process.

Thanks
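The behaviour described in this thread (VPN clients can reach the router but nothing behind an inside-zone interface) is what the zone-based firewall defaults predict for an interface that belongs to no zone. As an added example, which is not part of the original post, any reply, or Cisco's own tooling, the Python script below encodes those documented defaults (same zone: permitted; different zones: governed by the zone-pair policy, and dropped when no zone-pair exists; one side in a zone and the other in none: dropped; neither in a zone: ZBF does not apply) and runs them over a trimmed copy of the posted running-config. SAMPLE_CONFIG is constructed from that post; the interface, zone and policy names are the ones in it. The model deliberately ignores NAT, routing and the self zone, and it treats Virtual-Template1 as the stand-in for the Virtual-Access interfaces cloned from it at session time, since those inherit the template's zone membership.

```python
import re

# Constructed sample: the ZBF-relevant lines of the posted running-config,
# left unindented exactly as the forum rendered them.
SAMPLE_CONFIG = """
policy-map type inspect IN_OUT_PM
class type inspect IN_OUT_CM
inspect
class class-default
drop log
policy-map type inspect OUT_IN_PM
class class-default
drop log
zone security outside
zone security inside
zone-pair security IN_OUT_ZP source inside destination outside
service-policy type inspect IN_OUT_PM
zone-pair security OUT_IN_ZP source outside destination inside
service-policy type inspect OUT_IN_PM
interface GigabitEthernet0/0
ip address dhcp
zone-member security outside
interface GigabitEthernet0/1.1
encapsulation dot1Q 3
ip address 192.168.1.1 255.255.255.0
zone-member security inside
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 10.10.10.1 255.255.255.0
interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address pool l2tp-pool
"""


def parse_config(text):
    """Return (interface -> zone or None, (src_zone, dst_zone) -> policy,
    policy -> {class name: inspect|pass|drop}) from IOS running-config text."""
    iface_zone, zone_pairs, policies = {}, {}, {}
    block, current_class = None, None  # block: ("interface"|"zone-pair"|"policy", key)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if words[0] == "interface":
            block = ("interface", words[1])
            iface_zone[words[1]] = None          # no zone until zone-member seen
        elif line.startswith("zone-pair security"):
            m = re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line)
            if m:
                block = ("zone-pair", (m.group(1), m.group(2)))
        elif line.startswith("policy-map type inspect"):
            block, current_class = ("policy", words[3]), None
            policies[words[3]] = {}
        elif line.startswith("zone-member security") and block and block[0] == "interface":
            iface_zone[block[1]] = words[2]
        elif line.startswith("service-policy type inspect") and block and block[0] == "zone-pair":
            zone_pairs[block[1]] = words[3]
        elif words[0] == "class" and block and block[0] == "policy":
            current_class = words[-1]            # "class type inspect X" or "class class-default"
            policies[block[1]][current_class] = None
        elif words[0] in ("inspect", "pass", "drop") and current_class and block[0] == "policy":
            policies[block[1]][current_class] = words[0]
    return iface_zone, zone_pairs, policies


def verdict(iface_zone, zone_pairs, policies, src_iface, dst_iface):
    """How ZBF treats a new flow entering on src_iface and leaving on dst_iface."""
    src, dst = iface_zone[src_iface], iface_zone[dst_iface]
    if src is None and dst is None:
        return "permit (neither interface is in a zone; ZBF does not apply)"
    if src is None or dst is None:
        return "drop (one interface is in a zone, the other is in none)"
    if src == dst:
        return f"permit (both in zone '{src}'; intra-zone traffic is allowed by default)"
    policy = zone_pairs.get((src, dst))
    if policy is None:
        return f"drop (no zone-pair from '{src}' to '{dst}')"
    actions = policies.get(policy, {})
    default = actions.get("class-default") or "drop"   # class-default drops unless told otherwise
    allowed = sorted(c for c, a in actions.items() if a in ("inspect", "pass") and c != "class-default")
    if allowed:
        return f"policy {policy}: classes {', '.join(allowed)} allowed, everything else {default}"
    return f"policy {policy}: everything {default}"


def audit(text, pairs):
    """Evaluate each (src_iface, dst_iface) pair against the parsed config."""
    iface_zone, zone_pairs, policies = parse_config(text)
    return {(s, d): verdict(iface_zone, zone_pairs, policies, s, d) for s, d in pairs}


CHECKS = [
    ("Virtual-Template1", "GigabitEthernet0/1.1"),    # VPN client -> VLAN 3
    ("GigabitEthernet0/1.1", "GigabitEthernet0/1.2"),  # VLAN 3 -> VLAN 2
    ("GigabitEthernet0/1.1", "GigabitEthernet0/0"),    # VLAN 3 -> Internet
    ("GigabitEthernet0/0", "GigabitEthernet0/1.1"),    # Internet -> VLAN 3
]

if __name__ == "__main__":
    for (s, d), why in audit(SAMPLE_CONFIG, CHECKS).items():
        print(f"{s} -> {d}: {why}")
```

Run as-is, the script reports that Virtual-Template1 to GigabitEthernet0/1.1 is dropped because only one side is in a zone, and the same for VLAN 3 to VLAN 2 (GigabitEthernet0/1.2 carries no zone-member either), while VLAN 3 to the outside is allowed only for the IN_OUT_CM class and everything inbound from the outside is dropped. The check is a static model of the defaults; on the router itself, `show policy-map type inspect zone-pair` and `show zone security` are the commands that confirm what is actually in effect.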
