Thanks Raga. It turns out my ACL using TCP/UDP worked fine. I don't have full control over the remote end of this connection and it was just an config problem at the other end.The problem I was having was due to "fat fingering" an ACL. Sorry. ... View more

Sorry it didn't work, Walter. I've been using Sun VirtualBox (now owned by Oracle). I use the current version. I doubt that's the problem though, since you are able to ping the 10.1.1.1 interface from your VM. Here's a link on how to set up VirtualBox in GNS3 if you really want to try it. But, like I said, I don't think that's the problem. DOH! LINK! http://altbiz.wordpress.com/ ... View more

It should be working. So one of two things is happening: 1. GNS3 or the IOS image you're using in GNS3 is screwing up. It happens. 2. I missed something. It also happens. Assuming #2, take a couple of things out of your crypto isakmp client configuration group config: the netmask and the acl statement. See if that works. Also, see if you can ping the external and internal interfaces of the router from your VPN client while not connected to the VPN. You should be able to ping either one since you're not using NAT. Assuming #1 is the issue, try a different IOS image and load the exact same config. I've had similar problems using GNS3 with some VPN and EIGRP labs that I've done, and switching images has worked. ... View more

Hi Walter, Do you have another router or device attached to fa0/1 in GNS3? If not, the interface might not be fully up. Do a "show ip int brief" and if fa0/1 is "up down," you might just need to add a device so the interface is fully up. By the way, get rid of that "ip route 10.77.241.0 255.255.255.192 s0/0" command. Since that is a directly connected route, it isn't necessary, and the VPN definitely doesn't need it. It might confuse things too. Also, sorry I didn't catch the actual address scheme for fa0/1. The access-list 100 statement should read "access-list 100 permit ip any 10.77.241.128 0.0.0.63" for most accurate performance. We don't want to send data through the tunnel that isn't necessary. Last, when you're connected to the VPN, in the console window for the router, type "sh crypto ipsec sa active" and hit Enter. Back on your remote client, start pinging. Re-enter the command above on the router and see if the number of packets encrypted and decrypted increases. Even if the pings fail, you can at least see that data is or isn't going through the VPN tunnel. Greg ... View more

Walter, The access-list is probably what's holding  you up. It doesn't require an  entry for your IP address pool address. You want to define "interesting traffic" between the remote client and the VPN endpoint. Delete the current "permit"  for 192.168.2, add the following, and you should be able to ping. This assumes that 10.77.241.157 is a host on the other side of your VPN device. For the sake of the example, I'll assume that you want to access all devices in the 10.77.241.0/24 network. ip access-list 100 permit ip any 10.77.241.0 0.0.0.255 The purpose of the acl argument in the isakmp client configuration group is to only tunnel traffic meant for the protected network and to allow all other traffic to route normally. For example, I want my remote clients to be able to browse the internet without the traffic passing FOUR TIMES across my VPN router (HTTP request IN, HTTP request out, HTTP reply in, HTTP reply out). It's called split-tunneling. So, when I open my web browser and type google.com, the IP address doesn't resolve to my permit statement(s) in the access-list, so my browser directly connects to google.com. Instead, if I type the address of an Intranet server at the company--10.77.241.100 let's say--that address IS in the access-list and so my request is encrypted and routed through the VPN tunnel to the server with that address. Greg ... View more

The following assumes that FastEthernet 0/1 is NAT outside and 0/0 is NAT inside. From global config mode: (just add theses lines to the ACL you already have on outside) ##Access list to permit IPSEC/ISAKMP packets. ip access-list ex outside-interface-in permit udp any host 192.168.1.1 eq isakmp permit udp any host 192.168.1.1 eq non500-isakmp permit ahp any host 192.168.1.1 permit esp any host 192.168.1.1 exit ##Access list for split tunneling so that you can still access internet from your remote client while tunneled to work. ip access-list ex SPLIT_TUNNEL permit ip 10.10.10.0 0.0.0.255 any permit ip 10.20.20.0 0.0.0.255 any exit ##Addresses assigned to remote access VPN clients. ip local pool VPNPOOL 10.40.40.1 10.40.40.20 ##If you already have login authentication and network authorization configured, just stick with what you have. aaa authentication login LOCAL_AUTHEN local aaa authorization network GROUP_AUTHOR local username myvpnuser secret MYSECRETPASSWORD int fa 0/1 ip access-group outside-interface-in in exit crypto isakmp enable crypto isakmp policy 10 hash sha auth pre group 5 lifetime 86400 encryption aes 256 exit crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac crypto isakmp client configuration group MYVPNGROUP dns 10.10.10.5 wins 10.10.10.6 ##whatever they are. key acl SPLIT_TUNNEL pool VPNPOOL exit crypto dynamic map MYDYNMAP 1 set transform-set MYSET reverse-route exit crypto map MYMAP client authentication list LOCAL_AUTHEN crypto map MYMAP isakmp authroization list GROUP_AUTHOR crypto map MYMAP client configuration address respond crypto map MYMAP 10 ipsec-isakmp dynamic MYDYNMAP interface fa0/1 crypto map MYMAP exit I think that's pretty much it. To set up the client, you need the group name (MYVPNGROUP), the outside address of your router, the key from the "crypto isakmp client" section, and your username and password. I highly recommend getting hold of the Cisco Easy VPN client, but this should work with the Windows client. ... View more

Unfortunately, the IDS isn't under support. I bought it to work on my IPS study for CCSP. ... View more