01-27-2017 02:36 AM
Hello all,
Of course I have a question, otherwise I would not be here ;)
When I have the VPN tunnel up, I can't see the office network (192.168.1.0). I only get the IP address from the VPN pool.
Below is part of the config I used (or should I post the entire config?):
aaa authentication login userauthen local
aaa authorization network groupauthor local
username admin privilege 15 secret xxx
username klaas password xxx
username george password xxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
crypto isakmp key xxx address 0.0.0.0
!
crypto isakmp client configuration group vpnclient
key xxx
dns 8.8.8.8
domain test.local
pool ipvpnpool
acl 105
!
!
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 10
set transform-set MySet
reverse-route
!
!
crypto map MyMap client authentication list userauthen
crypto map MyMap isakmp authorization list groupauthor
crypto map MyMap client configuration address respond
crypto map MyMap 1 ipsec-isakmp
set peer 1.1.1.1
set security-association lifetime seconds 86400
set transform-set MySet
match address 101
crypto map MyMap 20 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
ip virtual-reassembly in
load-interval 30
duplex full
speed 100
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
ip address 192.168.1.248 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip verify unicast reverse-path
ip tcp adjust-mss 1452
load-interval 30
no autostate
!
interface Dialer1
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxx password xxx
crypto map MyMap
!
ip local pool ipvpnpool 192.168.253.10 192.168.253.30
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
no cdp run
!
route-map nonat permit 10
match ip address 103
!
access-list 23 remark Remote_Management
access-list 23 permit 192.168.1.0 0.0.0.255 (local network)
access-list 101 remark Cryptomap-IPSEC-VPN-BM
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark nat rules
access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
01-27-2017 05:04 AM
You are using the same ACL 101 for both crypto map and nat exemption - which is wrong.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
Create a new ACL for nat exemption ( say 102) and have traffic between internal and vpn pool denied and everything else from internal allowed:
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
Then apply it to your NAT overload statement:
no ip nat inside source list 101 interface Dialer1 overload
ip nat inside source list 102 interface Dialer1 overload
PLEASE NOTE: you will lose internet access when making this change, so do it in a downtime and with access to the router internally.
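An added example, not from the thread or from Cisco: a small Python model of IOS first-match ACL evaluation over the two NAT ACLs discussed above. It shows why a NAT statement using the shared ACL 101 translates LAN-to-pool replies (so they never reach the crypto map), while ACL 102 exempts them and still lets LAN-to-Internet traffic be overloaded. The LAN host 192.168.1.10 and VPN client 192.168.253.11 are constructed sample addresses.

```python
import ipaddress

# Constructed model of the thread's ACLs as (action, src, src-wildcard, dst, dst-wildcard).
# "any" is written as 0.0.0.0 with wildcard 255.255.255.255, the way IOS expands it.
ACLS = {
    101: [("permit", "192.168.1.0", "0.0.0.255", "192.168.253.0", "0.0.0.255"),
          ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")],
    102: [("deny",   "192.168.1.0", "0.0.0.255", "192.168.253.0", "0.0.0.255"),
          ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")],
}


def _wild_match(addr, base, wildcard):
    """Cisco wildcard compare: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_decision(acl_id, src, dst):
    """First matching entry wins; an implicit deny sits at the end, as in IOS."""
    for action, s, sw, d, dw in ACLS[acl_id]:
        if _wild_match(src, s, sw) and _wild_match(dst, d, dw):
            return action
    return "deny"


def nat_applied(nat_acl, src, dst):
    """'ip nat inside source list <acl> ... overload': a permit means the packet is translated."""
    return acl_decision(nat_acl, src, dst) == "permit"


def vpn_return_ok(nat_acl, lan_host, vpn_client):
    """Inside-to-outside, IOS runs NAT before the crypto map check, so a LAN reply to a
    VPN client only matches the crypto ACL (and gets encrypted) if NAT leaves it alone."""
    return not nat_applied(nat_acl, lan_host, vpn_client)


if __name__ == "__main__":
    for acl in (101, 102):
        print(f"NAT ACL {acl}: reply LAN->VPN client reaches tunnel:",
              vpn_return_ok(acl, "192.168.1.10", "192.168.253.11"),
              "| LAN->Internet still translated:",
              nat_applied(acl, "192.168.1.10", "8.8.8.8"))
```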
01-27-2017 05:16 AM
Thanks for your answer, seems logical to me. Don't know why I overlooked that.
Will try it next week when I'm on the customer location.
02-13-2017 01:40 AM
Hello Rahul,
These adjustments didn't work, I still cannot ping the internal network through the VPN tunnel.
This is the config after adding the 102 access-list:
02-13-2017 03:53 AM
What is the following crypto map used for?
crypto map MyMap 1 ipsec-isakmp
set peer 178.85.x.x
set security-association lifetime seconds 86400
set transform-set MySet
match address 101
The reason I am asking this is because it seems to have the matching ACL for the VPN pool network.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
Ideally, the VPN falls under the dynamic map and gets established. But this crypto map might be matching your return traffic and causing it to fail. Can you remove the static crypto map if it is not being used?
01-28-2017 05:23 AM
Can you brief your query?