VPN - Network extension mode

CSCO11638397
Level 1

Hi,

I need to change the access method for remote locations to network extension mode; currently the remote location users access HO using the Cisco VPN client software.

The server configuration and network extension mode config are below.

Issues:

1. Loopback interface - When I create the loopback interface in HO, the remote location users cannot access HO. If I remove the loopback, then I can ping 192.168.0.1 with source 10.100.100.11.

2. I need to create two-way access and forward the interesting traffic; in that case, how do I configure the routing? I added static routes as below on both sides.

Head office router

ip route 172.16.0.0 255.255.255.0 10.100.100.11 ---> To forward local traffic to remote location

Remote

ip route 192.168.0.0 255.255.255.0 10.100.100.1 ---> To forward local traffic to head office

3. The save-password option is not working?

Please suggest whether I can accomplish this task by any other method, or point out the issue in my configuration. Thanks.

Server - Router Configuration

aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
ip cef
!
username cisco password cisco1234
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group new-location
key cisco123
pool remote-pool
acl 151
save-password
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
crypto map mymap client authentication list userauthen
crypto map mymap isakmp authorization list groupauthor
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
ip address xx.yy.xy.yx 255.255.255.248 ---> ISP provided public IP
ip access-group 143 in
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Loopback0
ip address 10.100.100.1 255.255.255.0
!
ip local pool remote-pool 10.100.100.10 100.100.100.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.yy.xy.xy ---> ISP public IP
ip route 172.16.0.0 255.255.255.0 10.100.100.11 ---> To forward local traffic to remote location
!
ip http server
ip http secure-server
ip nat inside source list 111 interface FastEthernet0/0 overload
!
access-list 151 permit ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 111 deny   ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 111 permit ip any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
password 0 cisco
!
end

Client - Router Configuration

ip cef
!
username cisco password cisco1234
!
crypto ipsec client ezvpn ez
connect auto
group new-location key cisco123
mode network-extension
peer xx.yy.xy.yx ---> head office ISP provided IP
username cisco password cisco1234
xauth userid mode interactive
!
interface Loopback0
ip address 10.100.100.11 255.255.255.0
crypto ipsec client ezvpn ez inside
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
ip address 172.16.0.1 255.255.255.0
!
interface Vlan2
ip address 192.168.1.2 255.255.255.0
crypto ipsec client ezvpn ez
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.0.0 255.255.255.0 10.100.100.1 ---> To forward local traffic to head office
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
!
end

20 Replies

Jennifer Halim
Cisco Employee

You should remove the static routes that you have configured additionally on both ends, as you do not require them.

Further to that, your NAT access-list should also deny traffic between 192.168.0.0/24 and 192.168.1.0/24.

Here is a sample configuration for your reference:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080808395.shtml

Hope that helps.

Hi Jennifer,

Thanks for the prompt reply.

I have removed both static routes; still the same. The save-password option is not working, and I cannot ping from head office to remote location, ...

The very first connection to bring up the VPN tunnel needs to be initiated from the remote end towards HQ because it is an Easy VPN configuration. Once you have brought up the tunnel, then you can send traffic from HQ to the remote end.

If you want to be able to initiate tunnel from the HQ end, then you should configure site-to-site VPN tunnel, not easy vpn tunnel.

Hi Jennifer,

Thanks for the info.

Please explain to me how I can configure the remote office VPN router, where all the RO PCs are connected to interface 172.16.0.1, to access the HO network. Also, the save-password option is not working; any idea why?

If all PCs are connected to interface 172.16.0.1, pls move the "crypto ipsec client ezvpn ez inside" command from loopback0 to vlan1.

For the "save-password" issue, what version of IOS code are you running? Also, can you run debugs to see why it's failing?

debug cry isa

debug cry ipsec

Hi Jennifer,

The save-password option is working, thanks. Still, Easy VPN fails to ping from both sides; it's connecting, but I cannot ping in either direction. Please kindly look into the configuration. It is still working for the VPN software on the PCs at another location.

Server config


!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
memory-size iomem 15
clock timezone UTC 3
ip cef
!
!

!
multilink bundle-name authenticated
!
username user password 7 01100F175804

archive
log config
  hidekeys
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group Head-office
key pass123
pool ippool
acl 101
save-password
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
ip address xx.xx.xx.yy 255.255.255.248
ip access-group 143 in
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map clientmap
!
interface FastEthernet0/1
ip address 192.168.0.166 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip local pool ippool 10.10.10.10 10.10.10.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.yx

!
!
ip http server
ip http secure-server
ip dns server
ip nat inside source list 111 interface FastEthernet0/0 overload
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 permit ip 192.168.0.0 0.0.0.255 any log
access-list 111 deny   ip host 192.168.0.16 any
access-list 111 deny   ip host 192.168.0.16 any log
access-list 111 deny   ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 deny   ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255 log
access-list 111 permit ip any any
access-list 143 permit ip any any
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4

Client config

!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!!
!
username user password 0 cisco
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
crypto ipsec client ezvpn REMOTE-VPN
connect auto
group Head-office key pass123
mode network-extension
peer xx.xx.xx.yy
username user password cisco
xauth userid mode local
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 2
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
crypto ipsec client ezvpn REMOTE-VPN inside
!
interface Vlan2
ip address 192.168.1.199 255.255.255.0
ip nat outside
ip virtual-reassembly in
crypto ipsec client ezvpn REMOTE-VPN
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 120 interface Vlan2 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
access-list 120 deny   ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit ip any any
!
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
transport input all
!
end

On the server, pls add the following:

access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255

ip access-list extended 111

   5 deny ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255

Then: clear ip nat trans *
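As an added example (not code from this thread; Jennifer's lines above are the actual fix), here is a small Python lint that applies the two checks behind that advice to an Easy VPN server config: the split-tunnel ACL must permit HO -> branch, and the NAT ACL must deny that same pair ahead of its permit ip any any, otherwise PAT rewrites the source before the crypto map can match it. The sample config is constructed from the HO server config posted earlier in the thread; the subnets and ACL numbers are the thread's own.

```python
import re
import ipaddress

# Constructed sample modelled on the HO server config posted mid-thread (before 172.16.1.0/24 was added).
SERVER_CONFIG = """
crypto isakmp client configuration group Head-office
 acl 101
ip nat inside source list 111 interface FastEthernet0/0 overload
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 deny   ip host 192.168.0.16 any
access-list 111 deny   ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255 log
access-list 111 permit ip any any
"""
ACE_RE = re.compile(r"^access-list (\d+) (permit|deny)\s+ip\s+(.+)$")

def _endpoint(tokens):
    """Consume one ACE address (any | host A | A WILDCARD) -> (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    ones = bin(int(ipaddress.ip_address(tokens[1]))).count("1")  # contiguous wildcard assumed
    return ipaddress.ip_network((tokens[0], 32 - ones), strict=False), tokens[2:]

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            src, rest = _endpoint(m.group(3).split())
            dst, _ = _endpoint(rest)  # a trailing 'log' keyword is ignored
            acls.setdefault(int(m.group(1)), []).append((m.group(2), src, dst))
    return acls

def first_match(aces, src, dst):
    """IOS semantics: the first ACE that covers the flow decides; otherwise implicit deny."""
    for action, s, d in aces:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"

def check_branch(config, ho_lan, branch_lan):
    """List what keeps HO<->branch traffic off the tunnel; empty means both ACLs agree."""
    ho, br = ipaddress.ip_network(ho_lan), ipaddress.ip_network(branch_lan)
    acls = parse_acls(config)
    split_acl = int(re.search(r"^\s*acl (\d+)", config, re.M).group(1))
    nat_acl = int(re.search(r"^ip nat inside source list (\d+)", config, re.M).group(1))
    problems = []
    if first_match(acls.get(split_acl, []), ho, br) != "permit":  # branch never becomes a protected network
        problems.append(f"split-tunnel ACL {split_acl} lacks: permit ip {ho} -> {br}")
    if first_match(acls.get(nat_acl, []), ho, br) != "deny":  # PAT rewrites the source before the crypto map sees it
        problems.append(f"NAT ACL {nat_acl} lacks: deny ip {ho} -> {br} ahead of 'permit ip any any'")
    return problems
```

Running check_branch(SERVER_CONFIG, "192.168.0.0/24", "172.16.1.0/24") reports both missing entries, while appending the NAT deny after the permit ip any any still fails the check, which is why the fix above inserts it with sequence number 5 in the named ACL.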

Hi,

Even after adding the above-mentioned ACLs it's not working. Do I have to add any other configuration? Please advise...

As you advised earlier, the vpn tunnel is UP, right?

Can you pls share the output of:

show cry isa sa

show cry ipsec sa

Hi Mohamed,

On the server:

ip access-list extended 111

1 deny ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255 ---> Jennifer already suggested this change. 

On the client:

ip access-list extended 120

50 permit ip 172.16.1.0 0.0.0.255 any

no permit ip any any

Please keep us posted.

Portu.

HTH.

Hi,

After removing the ADSL router, configuring the connection from the remote router's ATM interface, and editing the ACL on the VPN server to allow the new network, I can access HO from the remote location; now, however, the internet is not working for remote location users. As Javier mentioned, I have edited the ACL on the remote router, but no good. If I remove the crypto from Dialer0 it's working fine. Pls share your advice.

Router#show run
Building configuration...

Current configuration : 2243 bytes
!
! Last configuration change at 08:34:12 UTC Tue Sep 18 2012
! NVRAM config last updated at 08:34:14 UTC Tue Sep 18 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 6Uhgk1ATmwo4j3eoSZScCqsB/Q1llvengtFuqfN8mh6
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
ip name-server m
ip name-server m
no ipv6 cef
!
!
!
username user password 0 cisco
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
crypto ipsec client ezvpn REMOTE-OFFICE-VPN
connect auto
group Head-office key pass123
mode network-extension
peer xx.xx.xx.xy
username user password cisco
xauth userid mode local
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 10.200.192.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
crypto ipsec client ezvpn REMOTE-OFFICE-VPN inside
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname xxxxxxx
ppp chap password 0 yyyyy
crypto ipsec client ezvpn REMOTE-OFFICE-VPN
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 120 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 120 deny   ip 10.200.192.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 10.200.192.0 0.0.0.255 any

Can you pls share the current configuration of the VPN server.

Would like to check if the split tunnel ACL has included the new subnet too.

Hi Jennifer,

Internet goes down when I apply the crypto on the remote location, not in the HO.

HO Router config


!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
memory-size iomem 15
ip cef
!
!
!
!

!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group Head-office
key pass123
pool ippool
acl 101
save-password
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address xx.xx.xx.xy 255.255.255.248
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map clientmap
!
interface FastEthernet0/1
ip address 192.168.0.166 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip local pool ippool 10.10.10.10 10.10.10.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.yx
!

ip http server
ip http secure-server
ip dns server
ip nat inside source list 111 interface FastEthernet0/0 overload
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.172.16.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 permit ip 192.168.0.0 0.0.0.255 any log
access-list 111 deny   ip host 192.168.0.16 any
access-list 111 deny   ip host 192.168.0.16 any log
access-list 111 deny   ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 deny   ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255 log
access-list 111 deny   ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 111 deny   ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255
access-list 111 deny   ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 deny   ip 192.168.0.0 0.0.0.255 10.172.16.0 0.0.0.255
access-list 111 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
access-list 133 deny   ip host 192.168.0.16 10.10.10.0 0.0.0.255
!

The config looks OK to me.

Can you ping 4.2.2.2 from the branch/remote PC when the VPN is connected?

Can you pls share the output of:

show cry isa sa

show cry ipsec sa
