Hello,
Finally I managed to fix the issue with the VLAN at the core switch; the problem was with the NAT and the ACL. The config is the following:

ip nat inside source list 110 interface Ethernet1/0 overload
!
access-list 100 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.31 172.16.1.0 0.0.0.255
access-list 110 deny ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.0.31 172.16.1.0 0.0.0.255
access-list 110 permit ip any any

Access list 100 is for the traffic which will pass through the VPN tunnel (if you have many VLANs then you need to add all of them; otherwise, if you have a Mac server on VLAN 1, you can access all the clients through ARD). Access list 110 denies the NAT for the same networks; the result is that the VPN client will be able to connect to both networks. Also the config is working with IPsec over TCP and IPsec over UDP port 10000.
Regards,
Andy
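To check which flows the NAT list exempts and which ones ACL 100 sends into the tunnel, here is an added Python evaluator (not from the thread, and not Cisco's own logic) that applies IOS first-match wildcard-mask semantics to the two lists quoted in the post above; the flows it tests and the helper names are constructed for this example.

```python
import ipaddress

# Constructed for this example: the working lists quoted in the post above. ACL 100 is the
# tunnel's interesting traffic; ACL 110 drives "ip nat inside source list 110 ... overload".
WORKING_ACLS = """
access-list 100 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.31 172.16.1.0 0.0.0.255
access-list 110 deny ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.0.31 172.16.1.0 0.0.0.255
access-list 110 permit ip any any
"""

def _addr_spec(tokens):
    # 'any', 'host A.B.C.D' or 'network wildcard' -> (network, wildcard) as ints.
    tok = tokens.pop(0)
    if tok in ("any", "host"):
        return (0, 0xFFFFFFFF) if tok == "any" else (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acls(text):
    # Group numbered extended ACL entries by list number, keeping config order.
    acls = {}
    for t in (line.split() for line in text.splitlines()):
        if t[:1] == ["access-list"]:
            rest = t[4:]
            acls.setdefault(t[1], []).append((t[2], t[3], _addr_spec(rest), _addr_spec(rest)))
    return acls

def _matches(addr, spec):
    net, wildcard = spec               # a set wildcard bit means "don't care"
    mask = ~wildcard & 0xFFFFFFFF
    return (addr & mask) == (net & mask)

def evaluate(acl, src, dst, proto="ip"):
    # First matching entry wins; every IOS ACL ends with an implicit deny.
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, eproto, sspec, dspec in acl:
        if eproto in ("ip", proto) and _matches(s, sspec) and _matches(d, dspec):
            return action
    return "deny"

def will_be_natted(acls, src, dst):
    # A "permit" in the NAT source list means the flow is translated.
    return evaluate(acls["110"], src, dst) == "permit"

def tunnel_flows_still_natted(acls):
    # The earlier misconfiguration in this thread: a network listed in ACL 100
    # but absent from the ACL 110 deny entries gets translated on the way out.
    ip = lambda n: str(ipaddress.IPv4Address(n))
    return [(ip(s[0]), ip(d[0])) for action, _p, s, d in acls["100"]
            if action == "permit" and will_be_natted(acls, ip(s[0]), ip(d[0]))]
```

Running tunnel_flows_still_natted against the thread's earlier lists (192.168.1.0/24 in ACL 100 but no matching deny in ACL 110) reports that network, while the working lists above report nothing.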
Hello Mohammad,
I applied the access list and the show command output is the following:

Extended IP access list 105
    10 permit icmp host 172.16.1.6 host 10.0.0.2
    20 permit ip any any (292 matches)

I applied it to the interface but couldn't ping the server. Also, when I try to ping the core switch the access list has matches only on the permit ip any any, but it should have matches on the first one, right?
Hello Ajay,
After the upgrade and the command which you mentioned, it is working and I can connect with the MacBook too (unfortunately Apple prefers only IPsec over TCP).
Thanks
Andrew
Hello Ajay,
I upgraded the router to version 12.4(9) and now I can use the command "crypto ctcp port 10000". Do you have any documentation on how to enable IPsec over TCP?
Thanks
Andrew
Hello,
I am attaching an image with the network diagram and the config:

Core Switch
----------------
!
ip route 0.0.0.0/0 172.16.0.1
ip route 172.16.1.0/24 172.16.0.1
!

Cisco router
------------------------
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco_Test_Router
!
boot-start-marker
boot system flash:c2600-adventerprisek9-mz.124.2.T.bin
boot-end-marker
!
enable password
!
resource policy
!
aaa new-model
!
aaa authentication login default local
aaa authentication login userauth local
aaa authorization network groupauth local
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
!
no ip dhcp use vrf connected
!
ip cef
no ip domain lookup
no ip ips deny-action ips-interface
!
username password
username password
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group Squaregroup
 key square123
 dns 8.8.8.8
 domain google.com
 pool VPNCLIENTS
 acl 100
 netmask 255.255.255.0
!
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
!
crypto dynamic-map mymap 10
 set transform-set mytrans
 reverse-route
!
crypto map mymap client authentication list userauth
crypto map mymap isakmp authorization list groupauth
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic mymap
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial0/1
 no ip address
 shutdown
!
interface Ethernet1/0
 description Connection to the outside world
 ip address 83.xxx.xxx.xxx xxx.xxx.xxx.xxx
 ip nat outside
 ip virtual-reassembly
 full-duplex
 crypto map mymap
!
interface Ethernet1/1
 description Connection to the inside network
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 full-duplex
!
interface Ethernet1/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/3
 no ip address
 shutdown
 half-duplex
!
ip local pool VPNCLIENTS 172.16.1.3 172.16.1.20
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 83.xxx.xxx.xxx
ip route 172.16.1.0 255.255.255.0 Ethernet1/0
ip route 192.168.1.0 255.255.255.0 172.16.0.2
ip route 192.168.2.0 255.255.255.0 172.16.0.2
ip route 192.168.3.0 255.255.255.0 172.16.0.2
ip route 192.168.4.0 255.255.255.0 172.16.0.2
ip route 192.168.5.0 255.255.255.0 172.16.0.2
ip route 192.168.6.0 255.255.255.0 172.16.0.2
ip route 192.168.7.0 255.255.255.0 172.16.0.2
ip route 192.168.8.0 255.255.255.0 172.16.0.2
ip route 192.168.9.0 255.255.255.0 172.16.0.2
ip route 192.168.10.0 255.255.255.0 172.16.0.2
ip route 192.168.11.0 255.255.255.0 172.16.0.2
ip route 192.168.12.0 255.255.255.0 172.16.0.2
ip route 192.168.13.0 255.255.255.0 172.16.0.2
ip route 192.168.14.0 255.255.255.0 172.16.0.2
ip route 192.168.15.0 255.255.255.0 172.16.0.2
ip route 192.168.16.0 255.255.255.0 172.16.0.2
ip route 192.168.17.0 255.255.255.0 172.16.0.2
ip route 192.168.18.0 255.255.255.0 172.16.0.2
ip route 192.168.19.0 255.255.255.0 172.16.0.2
!
no ip http server
no ip http secure-server
ip nat inside source route-map NoNat interface Ethernet1/0 overload
!
access-list 100 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 deny ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip any any
!
route-map NoNat permit 10
 match ip address 110
!
control-plane
!

I can ping the router (both interfaces) and the core switch (VLAN 6), but I can't ping VLAN 1 and the Mac server can't ping my client. If I go hop by hop, for example if I telnet to the core switch, then I can ssh to the Mac server, but I can't do it directly from the client.
Thanks in advance
Andrew
Hello Mohammad,
Reverse route is enabled. Shall I add the command match address? From the routing table I can see the static routes which the router is creating. Do you have a sample configuration for remote access VPN with VLANs?
Thanks
Andrew
Hello Mohammad, and happy new year,
I've checked the packets from the client to the web server and I can reach up to the core switch. From the router I can't ping the VPN client, but from the core switch I can.

Cisco_Test_Router>
Cisco_Test_Router>en
Password:
Cisco_Test_Router#
Cisco_Test_Router#
Cisco_Test_Router#ping
Protocol [ip]:
Target IP address: 172.16.1.14
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.14, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.1
.....
Success rate is 0 percent (0/5)

If I check the access lists, the match is on the extended one and not on list 100, which is the interesting traffic.

% Unknown command or computer name, or unable to find computer address
Cisco_Test_Router#show access-li
Cisco_Test_Router#show access-lists
Extended IP access list 100
    10 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit icmp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
    40 permit icmp 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Extended IP access list VPNNAT
    10 deny ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255 (7012 matches)
    20 permit ip any any (18686 matches)
Cisco_Test_Router#

I have a default route "S* 0.0.0.0/0 [1/0] via 83.244.220.225" pointing to the ISP gateway, and also a static route "S 172.16.1.0/24 is directly connected, Ethernet1/0" for the VPN subnet. Do you think there is a conflict? I can't understand why the core switch can't reach the VPN client if there is a default route at the core switch pointing to the router, and the router has a static route pointing to Ethernet1/0.
Thanks
Andrew