Unable to telnet my branch office

ahmed-aftab
Level 1

Dear all

The problem which I am facing right now is a telnet session after establishing a VPN to our branch office. Given below is the router config.

Note: the tunnel is established and showing active state.

Router#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
94.x.x.x   94.x.x.x   QM_IDLE           2001    0 ACTIVE

IPv6 Crypto ISAKMP SA

Router config is below:

Building configuration...

Current configuration : 2059 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$uiYN$LFoF7dtH2wm8haGjFIXRO/
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
!
!
!
username scg privilege 15 secret 5 $1$n1xQ$Rlf9XVA67WZ5lxPKPyUo90
!
!
controller DSL 0
 line-term cpe
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
!
crypto dynamic-map DMAP 1000
 set transform-set TSET
 set pfs group2
 match address 100
!
crypto dynamic-map vpn 20
 set pfs group5
 match address 100
!
!
crypto map SMAP 10 ipsec-isakmp dynamic DMAP
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 switchport access vlan 10
!
interface FastEthernet1
 switchport access vlan 20
!
interface FastEthernet2
 switchport access vlan 30
!
interface FastEthernet3
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 94.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 crypto map SMAP
!
interface Vlan20
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan30
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 94.x.x.x
!
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Vlan10 overload
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
!
scheduler max-task-time 5000
end

Whenever I try to take a remote desktop of 192.168.0.2 from 192.168.1.100 it fails. Waiting for reply.

regards

Aftab Ahmed

18 Replies

Richard Burts
Hall of Fame

Aftab

I am somewhat confused about the issue that you face. The beginning of your post talks about a problem with telnet. The end of your post says that attempts to Remote Desktop fail. So is this a problem with telnet or is it a problem with RDP?

HTH

Rick

Rick

My mistake.

We are testing our GSM devices for VPN and the IPs given are for test PCs, so it's for remote desktop.

regards

Aftab

davy.timmermans
Level 4

What is the result if you add the return traffic to the 'interesting traffic acl'?

access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255

?

Davy

While this is a very logical suggestion, it is not how the ACL for interesting traffic for VPN works. Each side of the VPN connection only needs to permit the "interesting" traffic from their side. The operation of the ACL is smart enough to handle response traffic, without requiring explicit configuration of permits for the response traffic.

Aftab

It is helpful to know that the problem is RDP and not telnet. So thanks for the clarification.

There are a couple of things that I would suggest:

- is it possible that the PC to which you attempt to connect is running a firewall and the firewall is preventing access?

- can you test connectivity from the main site to the remote site PC, ping or traceroute?

- can you verify that the PC will accept RDP sessions? Can you RDP to it from a PC on its local subnet?

HTH

Rick

[added]  I am interested in your reference to gsm devices. Can you tell us a bit about this and how it relates to the VPN connection?

HTH

Rick

You're right!

Also useful is to do a ping to the station or its default gateway.

Hi

I have completely removed the previous config and configured it newly. Now the VPN tunnel is working fine; I can access remote desktop of my PC in VLAN 20 from the other side, but now the PC in VLAN 20 is unable to access the internet, and if I apply an access-list to allow the traffic the VPN tunnel goes down. Given below is the current config.

Router#sh running-config
Building configuration...

Current configuration : 1523 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$uiYN$LFoF7dtH2wm8haGjFIXRO/
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
!
!
!
username scg privilege 15 secret 5 $1$n1xQ$Rlf9XVA67WZ5lxPKPyUo90
!
!
controller DSL 0
 line-term cpe
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
!
crypto dynamic-map DMAP 1000
 set transform-set TSET
 set pfs group2
 match address 100
!
!
!
crypto map SMAP 10 ipsec-isakmp dynamic DMAP
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 switchport access vlan 10
!
interface FastEthernet1
 switchport access vlan 20
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 94.x.x.x 255.255.255.248
 crypto map SMAP
!
interface Vlan20
 ip address 192.168.0.1 255.255.255.0
 ip nat enable
!
ip route 0.0.0.0 0.0.0.0 94.x.x.x
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
!
scheduler max-task-time 5000
end

thanks and regards

Aftab Ahmed

Aftab

I am glad that your new config has resolved the problem with VPN and RDP access. I believe that the reason that the PC cannot access the Internet is that it is configured with private addressing (192.168.0.x) and there is not any address translation configured. If you configure address translation then the PC should have Internet access.

Be careful that configuring address translation does not impact the existing VPN functionality. And at least now, if you configure address translation and the VPN stops working then you will know exactly where to look to find the problem.

HTH

Rick

Rick

Thanks for your reply. I had configured NAT and its access list to allow access to the internet for clients in VLAN 20, but after doing this VPN traffic stops.

Given below is the previous config:

ip nat inside source list 101 interface Vlan10 overload
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any

Access list 100 is for VPN traffic and access list 101 is for internet.

regards

Aftab Ahmed
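As an added illustration, not from the thread or from Cisco, here is a small Python model of the two ACLs posted above, using Cisco wildcard-mask, first-match semantics, that shows which flows the crypto map selects and which ones NAT translates. It assumes the IOS inside-to-outside order of operations (NAT runs before the crypto map check) and uses constructed sample flows.

```python
import ipaddress

# Constructed model of the two ACLs posted in the thread (same entries, same
# order). ACL 100 selects the VPN "interesting" traffic for the crypto map;
# ACL 101 drives the NAT overload rule, so its deny lines exempt VPN traffic.
# Entry layout: (action, src network, src wildcard, dst network, dst wildcard)
ACL_100 = [
    ("permit", "192.168.0.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("permit", "192.168.0.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
]
ACL_101 = [
    ("deny", "192.168.0.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("deny", "192.168.0.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("permit", "192.168.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),  # any
]


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(network)) & care)


def acl_lookup(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


def classify(src, dst):
    """Fate of a packet leaving VLAN 20 via Vlan10 (assumed IOS ordering).

    Inside-to-outside NAT is applied before the crypto map check, so a flow
    that ACL 101 permits is translated to the Vlan10 address and no longer
    matches ACL 100; only un-translated flows can still be encrypted.
    """
    natted = acl_lookup(ACL_101, src, dst) == "permit"
    encrypted = (not natted) and acl_lookup(ACL_100, src, dst) == "permit"
    return {"nat": natted, "vpn": encrypted}


def nat_exemption_gaps(acl_vpn, acl_nat, samples):
    """Sample flows the crypto ACL wants but the NAT ACL would translate."""
    return [(s, d) for s, d in samples
            if acl_lookup(acl_vpn, s, d) == "permit"
            and acl_lookup(acl_nat, s, d) == "permit"]
```

Running `nat_exemption_gaps` over the planned VPN flows is a quick way to confirm that the NAT ACL exempts everything the crypto ACL selects before touching the router.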

Hi Aftab Ahmed,

ACL looks good. Please check if you have "ip nat enable" on both inside and outside interface.

Thanks,

Kasi

Hi kasi

Thanks for your reply. Actually the problem is with VPN traffic: whenever I allow internet traffic, VPN traffic goes down.

regards

Aftab Ahmed

Hello,

Can you try the below config once again.

interface Vlan10
 ip address 94.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 crypto map SMAP
!
interface Vlan20
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly

If the above config works, I believe you need to have IP NAT enabled on both the inside and outside interface for the VPN to differentiate the traffic. If possible, attach the complete config.

Thanks,

Kasi.

Kasi

Given below is the previous config, in which VPN traffic stopped and internet works OK:

!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
!
crypto dynamic-map DMAP 1000
 set transform-set TSET
 set pfs group2
 match address 100
!
!
!
crypto map SMAP 10 ipsec-isakmp dynamic DMAP
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 switchport access vlan 10
!
interface FastEthernet1
 switchport access vlan 20
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 94.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 crypto map SMAP
!
interface Vlan20
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
!
ip route 0.0.0.0 0.0.0.0 94.x.x.x
!
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Vlan10 overload
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
!
scheduler max-task-time 5000
end

Dear,

Do you have a static IP for the other end VPN peer? If so, I prefer to configure it to mention that static IP:

crypto isakmp key Cisco address x.x.x.x (where x.x.x.x is the VPN peer IP address)

crypto dynamic-map DMAP 1000
 set peer x.x.x.x

Other thing: after enabling VPN, are you able to see the NAT translations on the router? Which DNS are you using? Are you able to ping any outside IP address after enabling NAT, or is it just a browsing issue?

Regards

Haris P

Haris

I don't have a static IP on the other side; that's why I configured a dynamic map.

Secondly, when I configured NAT, VPN traffic goes down. The main problem is the VPN traffic, not the access to the internet.

regards

Aftab Ahmed