Remote access VPN on IOS

Rodrigo Fialho
Level 1

Hello Brothers.

I've configured a remote access VPN on IOS but I don't get access to my servers on RDP port 3389.

I'm able to ping my servers!!!

Configuration from router.

crypto isakmp policy 10000
 encr aes
 authentication pre-share
 group 2
crypto isakmp client configuration group VPN_USERS_GROUP
 key 6 ##########
 dns 192.168.0.16
 wins 192.168.0.16
 domain mix.local
 pool VPN_ADDRESS
 acl VPN
 max-logins 1
 banner ^C*** ATENCAO ***
         ACESSO RESTRITO A PESSOAS AUTORIZADAS
crypto ipsec transform-set REMOTE_ACCESS_SET esp-aes esp-sha-hmac
 mode tunnel
crypto dynamic-map REMOTE_ACCESS_DYNMAP 65535
 set transform-set REMOTE_ACCESS_SET
 reverse-route
crypto map REMOTE_ACCESS_MAP client authentication list LOCAL_USERS
crypto map REMOTE_ACCESS_MAP isakmp authorization list VPN_USERS
crypto map REMOTE_ACCESS_MAP client configuration address respond
crypto map REMOTE_ACCESS_MAP 65535 ipsec-isakmp dynamic REMOTE_ACCESS_DYNMAP
 crypto map REMOTE_ACCESS_MAP

16 Replies

Hi

You want to have access to your servers through RDP (port 3389) and the NAT statement you're showing is for SSH (TCP 22).

This nat is for accessing your servers from outside and you're connected over VPN to access TCP 3389. 

I don't see any relation between these 2 statements. 

Maybe a full view of the config would help, because I never saw your SSH NAT in any of the output you pasted.

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question

service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname APPLE
!
boot-start-marker
boot-end-marker
!
!
logging count
logging monitor informational
enable secret ###########################.
!
aaa new-model
!
!
aaa authentication login LOCAL_USERS local
aaa authorization network VPN_USERS local
!
!
!
!
!
aaa session-id common
wan mode dsl
clock timezone UTC -3 0
clock summer-time Brazilian_daylight_savings recurring 3 Sun Oct 0:00 3 Sun Feb 0:00
!
!
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.100
!
ip dhcp pool 192.168.0.0/30
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.168.0.16
domain-name contoso.local
netbios-name-server 192.168.0.16
netbios-node-type h-node
!
!
!
ip domain name contoso.local
ip name-server 192.168.0.16
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
username ################ password ########################
!
!
controller VDSL 0
!
ip ssh source-interface Vlan1
ip ssh logging events
ip ssh version 2
!
crypto logging session
crypto logging ezvpn
!
!
!
!
crypto isakmp policy 10000
encr aes
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp client configuration group REMOTE_ACCESS_GROUP
key ###########
dns 192.168.0.16
wins 192.168.0.16
domain contoso.local
pool VPN_ADDRESS
acl VPN
max-logins 1
!
crypto ipsec security-association idle-time 300
!
crypto ipsec transform-set REMOTE_ACCESS_SET esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map REMOTE_ACCESS_DYNMAP 65535
set transform-set REMOTE_ACCESS_SET
reverse-route
!
!
crypto map REMOTE_ACCESS_MAP client authentication list LOCAL_USERS
crypto map REMOTE_ACCESS_MAP isakmp authorization list VPN_USERS
crypto map REMOTE_ACCESS_MAP client configuration address respond
crypto map REMOTE_ACCESS_MAP 65535 ipsec-isakmp dynamic REMOTE_ACCESS_DYNMAP
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
shutdown
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname #############
ppp chap password #############
ppp pap sent-username ######### password ############
ppp ipcp dns request
ppp ipcp route default
no cdp enable
crypto map REMOTE_ACCESS_MAP
!
ip local pool VPN_ADDRESS 192.168.255.250 192.168.255.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat source static tcp 192.168.0.6 5500 interface Dialer0 5500
ip nat source static tcp 192.168.0.7 5501 interface Dialer0 5501
ip nat source static tcp 192.168.0.8 5502 interface Dialer0 5502
ip nat source static tcp 192.168.0.9 5503 interface Dialer0 5503
ip nat source static tcp 192.168.0.10 5504 interface Dialer0 5504
ip nat source static tcp 192.168.0.20 5505 interface Dialer0 5505
ip nat source static tcp 192.168.0.32 5506 interface Dialer0 5506
ip nat source static tcp 192.168.0.10 8080 interface Dialer0 8080
ip nat source static tcp 192.168.0.11 3389 interface Dialer0 3390
ip nat source static tcp 192.168.0.10 1433 interface Dialer0 1433
ip nat source static udp 192.168.0.10 1433 interface Dialer0 1433
ip nat source static tcp 192.168.0.30 34599 interface Dialer0 34599
ip nat source static udp 192.168.0.30 34599 interface Dialer0 34599
ip nat source static udp 192.168.0.30 34567 interface Dialer0 34567
ip nat source static tcp 192.168.0.30 34567 interface Dialer0 34567
ip nat source static tcp 192.168.0.12 3389 interface Dialer0 3393
ip nat source static tcp 192.168.0.45 5800 interface Dialer0 5800
ip nat source static udp 192.168.0.45 5800 interface Dialer0 5800
ip nat source static udp 192.168.0.45 7777 interface Dialer0 7777
ip nat source static tcp 192.168.0.45 7777 interface Dialer0 7777
ip nat source static tcp 192.168.0.45 80 interface Dialer0 80
ip nat source static tcp 192.168.0.10 3050 interface Dialer0 3050
ip nat source static udp 192.168.0.10 3050 interface Dialer0 3050
ip nat source static tcp 192.168.0.10 3080 interface Dialer0 3080
ip nat source static udp 192.168.0.10 3080 interface Dialer0 3080
ip nat source static tcp 192.168.0.10 5001 interface Dialer0 5001
ip nat source static udp 192.168.0.10 5001 interface Dialer0 5001
ip nat source static tcp 192.168.0.10 4004 interface Dialer0 4004
ip nat source static udp 192.168.0.10 4004 interface Dialer0 4004
ip nat source static tcp 192.168.0.31 56551 interface Dialer0 56551
ip nat source static udp 192.168.0.31 56551 interface Dialer0 56551
ip nat source static tcp 192.168.0.15 3389 interface Dialer0 3391
ip nat inside source list PAT interface Dialer0 overload
ip nat inside source static tcp 192.168.0.14 3389 interface Dialer0 3392
ip nat inside source static tcp 192.168.0.10 3389 interface Dialer0 3389
!
ip access-list standard SSH
permit 192.168.255.0 0.0.0.255 log
permit 192.168.0.0 0.0.0.255 log
deny any log
!
ip access-list extended PAT
deny ip 192.168.0.0 0.0.0.255 192.168.255.0 0.0.0.255
permit ip any any
ip access-list extended VPN
permit ip 192.168.0.0 0.0.0.255 192.168.255.0 0.0.0.255
!
dialer-list 1 protocol ip permit
!
!
!
!
!
line con 0
logging synchronous
login authentication LOCAL_USERS
no modem enable
transport output ssh
line aux 0
line vty 0 4
access-class SSH in
logging synchronous
login authentication LOCAL_USERS
transport input ssh
transport output ssh
!
scheduler allocate 60000 1000
!
end
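The symptom in this thread (ping works, RDP does not) is worth checking against the static NAT lines in the config above, because on IOS a static port-forward entry translates inside-to-outside traffic regardless of the deny line in the dynamic PAT ACL, so a server's reply from port 3389 to a VPN client leaves with the Dialer0 address as its source, while ICMP has no static entry and is unaffected. The checker below is an added example, not code from the thread or from Cisco; the config excerpt inside it is constructed from the lines pasted above, and the function names are my own.

```python
import re
from ipaddress import ip_address

# Constructed excerpt of the running config pasted in the thread (only the lines that matter here).
CONFIG = """
ip local pool VPN_ADDRESS 192.168.255.250 192.168.255.254
ip nat source static tcp 192.168.0.11 3389 interface Dialer0 3390
ip nat source static tcp 192.168.0.10 1433 interface Dialer0 1433
ip nat inside source list PAT interface Dialer0 overload
ip nat inside source static tcp 192.168.0.10 3389 interface Dialer0 3389
ip access-list extended PAT
 deny ip 192.168.0.0 0.0.0.255 192.168.255.0 0.0.0.255
 permit ip any any
"""

STATIC_RE = re.compile(
    r"^ip nat (?:inside )?source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)(.*)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)$")

def parse_static_nat(config):
    """Collect static port-forward entries; note whether a route-map is attached."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, host, port, oif, gport, rest = m.groups()
            entries.append({"proto": proto, "host": host, "port": int(port),
                            "outside_if": oif, "global_port": int(gport),
                            "route_map": "route-map" in rest})
    return entries

def vpn_pool(config):
    """Expand every 'ip local pool' range into the client addresses it hands out."""
    hosts = []
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            start, end = ip_address(m.group(2)), ip_address(m.group(3))
            hosts += [str(ip_address(n)) for n in range(int(start), int(end) + 1)]
    return hosts

def check_vpn_service(config, server, port, proto="tcp"):
    """Return (ok, reason): ok is False when a static NAT entry with no route-map
    exemption will rewrite the server's replies to VPN clients on this port."""
    for e in parse_static_nat(config):
        if (e["host"], e["port"], e["proto"]) == (server, port, proto) and not e["route_map"]:
            return (False, f"static NAT rewrites {server}:{port}/{proto} replies to "
                           f"{e['outside_if']}:{e['global_port']}; exempt the VPN pool")
    return (True, "no static NAT entry matches the server's reply traffic")
```

Run it against the full config and every server with a 3389 forward (.10, .11, .12, .14, .15 above) is reported, which matches exactly the hosts the poster cannot reach over RDP.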