09-16-2014 02:25 PM - edited 03-04-2019 11:46 PM
Another tech and myself have been trying for several days to get a VPN working between our homes and our shop. We are both fairly new to VPN(ing) on Cisco and are unsure what we are forgetting to configure. The following is my config from my home router, which mirrors the config for the shop, except with a dialer interface for my ATM DSL module (and with the appropriate IPs swapped). Any help would be greatly appreciated.
Current configuration : 2411 bytes
!
! Last configuration change at 21:12:34 UTC Tue Sep 16 2014 by admin
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco2811
!
boot-start-marker
boot system flash c2800avdsecurity.bin
boot system flash c2800nm-advipservicesk9-mz.151-3.T4.bin
boot-end-marker
!
!
enable password 404-NoPasswordFound
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
vpdn enable
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2811 sn BL4NK
username admin privilege 15 secret 5 404-NoPasswordFound
!
redundancy
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key secret-key address [PeerExternal-IP]
!
!
crypto ipsec transform-set VPNSet esp-3des esp-md5-hmac
!
crypto map CryptoMap 1 ipsec-isakmp
set peer [PeerExternal-IP]
set transform-set VPNSet
match address 101
!
!
!
!
!
bba-group pppoe global
!
!
interface FastEthernet0/0
ip address 10.40.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/1/0
mtu 1492
no ip address
ip tcp adjust-mss 1452
no atm ilmi-keepalive
hold-queue 224 in
!
interface ATM0/1/0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface Serial0/2/0
no ip address
shutdown
clock rate 2000000
!
interface Dialer0
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication pap callin
ppp pap sent-username username@isp.net password 0 404-NoPasswordFound
crypto map CryptoMap
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
logging esm config
access-list 1 permit 10.40.0.0 0.0.0.255
access-list 101 permit ip 10.40.0.0 0.0.0.255 10.14.0.0 0.0.255.255
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0
login local
transport input telnet ssh
line vty 1 4
password 404-NoPasswordFound
login local
transport input telnet ssh
line vty 5
password 404-NoPasswordFound
login
transport input telnet ssh
!
scheduler allocate 20000 1000
end
10-21-2014 11:26 AM
hello,
I just saw the configuration, and I noticed that you are missing a NAT 0 statement on the router.
To send traffic across and receive it back, from this router's perspective you will need to do the following:
access-list 111 deny ip 10.40.0.0 0.0.0.255 10.14.0.0 0.0.255.255
access-list 111 permit ip 10.40.0.0 0.0.0.255 any
route-map nonat permit 11
match ip address 111
ip nat inside source route-map nonat interface Dialer0 overload
With these you are preventing the router from translating the inside hosts when going to 10.14.0.0/16.
Also make sure the other side of the tunnel meets these, so you won't run into conflicts.
Let me know how it works out.
Please don't forget to rate.
Best Regards,
David Castro
10-22-2014 11:19 AM
Much like what David said, you shouldn't NAT over the tunnel. On both ends you'll want to deny NATing, but it can also be done without a route-map:
access-list 111 deny ip 10.40.0.0 0.0.0.255 10.14.0.0 0.0.255.255
access-list 111 permit ip 10.40.0.0 0.0.0.255 any
ip nat inside source list 111 interface dialer0 overload
The other side would have:
access-list 111 deny ip 10.14.0.0 0.0.255.255 10.40.0.0 0.0.0.255
access-list 111 permit ip 10.14.0.0 0.0.255.255 any
HTH,
John
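As an added, offline sanity check for the advice in this thread (this is example code, not from any of the posts above): it parses numbered extended ACLs in IOS syntax, verifies that the NAT ACL fully exempts every flow the crypto ACL protects (first match wins, as IOS evaluates), and verifies that the two peers' crypto ACLs mirror each other. The sample ACLs are constructed from the 10.40.0.0/24 and 10.14.0.0/16 addressing used here, and the swapped-wildcard variant is a constructed mistake to show what the check catches.

```python
import ipaddress

# Constructed sample ACLs, built from the addressing used in this thread.
HOME_CRYPTO = "access-list 101 permit ip 10.40.0.0 0.0.0.255 10.14.0.0 0.0.255.255"
HOME_NAT = """access-list 111 deny ip 10.40.0.0 0.0.0.255 10.14.0.0 0.0.255.255
access-list 111 permit ip 10.40.0.0 0.0.0.255 any"""
SHOP_CRYPTO = "access-list 101 permit ip 10.14.0.0 0.0.255.255 10.40.0.0 0.0.0.255"
# Constructed mistake: shop-side NAT ACL with the two wildcards swapped on the deny line.
SHOP_NAT_SWAPPED = """access-list 111 deny ip 10.14.0.0 0.0.0.255 10.40.0.0 0.0.255.255
access-list 111 permit ip 10.14.0.0 0.0.255.255 any"""

def _take_addr(tokens):
    """Consume one extended-ACL address term: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    # ip_network accepts an (address, hostmask) tuple; an IOS wildcard is a hostmask.
    return ipaddress.ip_network((tokens[0], tokens[1]), strict=False), tokens[2:]

def parse_acl(text):
    """Return [(action, src_net, dst_net)] for 'access-list N permit|deny ip ...' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # only the plain 'ip' ACEs used in this thread are handled
        src, rest = _take_addr(t[4:])
        dst, _ = _take_addr(rest)
        entries.append((t[2], src, dst))
    return entries

def nat_exempt_problems(crypto_text, nat_text):
    """Crypto-ACL flows that the NAT ACL does not fully exempt (first match wins)."""
    nat, problems = parse_acl(nat_text), []
    for _, src, dst in (e for e in parse_acl(crypto_text) if e[0] == "permit"):
        for a, s, d in nat:
            if s.overlaps(src) and d.overlaps(dst):
                if not (a == "deny" and src.subnet_of(s) and dst.subnet_of(d)):
                    problems.append(f"{src}->{dst} hits '{a} {s} {d}' first: not fully exempt")
                break  # an ACE matched; a covering deny means the flow is exempt
    return problems

def mirror_problems(local_text, remote_text):
    """Local 'permit src dst' entries without a matching 'permit dst src' on the peer."""
    remote = {(s, d) for a, s, d in parse_acl(remote_text) if a == "permit"}
    return [f"{s}->{d} is not mirrored on the peer"
            for a, s, d in parse_acl(local_text) if a == "permit" and (d, s) not in remote]

if __name__ == "__main__":
    print(nat_exempt_problems(HOME_CRYPTO, HOME_NAT), nat_exempt_problems(SHOP_CRYPTO, SHOP_NAT_SWAPPED))
```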
10-22-2014 03:26 PM
Hi,
It looks like you forgot to define the crypto map local-address. I think the solution is:
(config)#crypto map CryptoMap local-address Dialer0
HTH
Houtan