Hello Harish,

I want my remote VPN users to access 192.168.2.x network via the easy vpn gateway.

Dlink router

-------------

Add a route for your VPN pool network ( the subnet which users get after connecting to VPN) towards easy vpn server point to point link

Can you please elaborate this?

Regards,

Tony

Hello Tony,

where is your 192.168.2.x network located ? I assumed that its behind Dlink router, that is the reason I have mentioned to add reverse route for  VPN pool network in Dlink router towards easy VPN server ( using the IP of the point to point link as the gateway)  for the return traffic from 192.168.2.x  back to your VPN user

Let me know if it is still not clear

regards

Harish.

Hello Harish,

Yes it is  behind DLink router. If you don't mind can you please explain in detail. The vpn pool contains 10.0.0.x. What exactly I have to configure in Dlink and vpn server?

Regards,

Tony

Hello Tony

I am happy to provide you the configuration. Could you please give me your existing configuration of vpn server and the IP and the subnet on the link connected between vpn server and DLink router

regards

Harish

Hello Harish,

Please see the configuration.

hostname xxxx
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging console critical
enable secret 5 XXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN-USER-XAUTH local
aaa authorization exec default local
aaa authorization network VPN-GROUP local
!
!
!
!
!
aaa session-id common
!
clock timezone
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
!
no ip bootp server
ip name-server X.X.X.X
ip name-server X.X.X.X

!
multilink bundle-name authenticated

crypto pki token default removal timeout 0
!
!
!
crypto pki certificate chain TP-self-signed-2049522683
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32303439 35323236 3833301E 170D3132 30363232 30363332
33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30343935
2C8F75C9 06DB66DE 225BCD7E B1982CA8 13821856 11FC0397 C7A73397 76DF5B10
EC2C4377 7A2F4413 C8A8718B 2CD720
quit
crypto pki certificate chain tti
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1905/K9 sn FGL161420SA
license boot module c1900 technology-package datak9
!
!
username XXXXX privilege 15 password 7
username XXXXX privilege 15 password 7
username XXXXX password 7 XXXXXXX
username XXXXX password 7 XXXXXXX
username XXXXX password 7 XXXXXXX

!
!
!
!
ip tcp synwait-time 10
!
class-map type inspect http match-any HTTP-PORT-MISUSE
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
match request port-misuse tunneling
class-map type inspect match-all ICMP
match access-group name INTERNET-ACL-IT
match protocol icmp
class-map type inspect match-all SMTP
match access-group name INTERNET-ACL-IT
class-map type inspect match-all UDP
match access-group name INTERNET-ACL-IT
match protocol udp
class-map type inspect match-all HTTPs-ACCESS
match access-group name INTERNET-ACL-IT
match protocol https
class-map type inspect match-all TCP
match access-group name INTERNET-ACL-IT
match protocol tcp
class-map type inspect match-any icmp
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all DNS
match access-group name INTERNET-ACL-IT
match protocol dns
class-map type inspect match-any VPN-ACCESS
match access-group 121
match access-group 122
class-map type inspect match-all invalid-src
match access-group 100
class-map type inspect match-all icmp-access
match class-map icmp
class-map type inspect match-all POP3
match access-group name INTERNET-ACL-IT
match protocol pop3
!
!
policy-map type inspect SELF-TO-OUT-POLICY
class type inspect icmp-access
inspect
class class-default
pass
policy-map type inspect IN-TO-OUT-POLICY
class type inspect HTTP-ACCESS
inspect
service-policy urlfilter TSQBLOCKEDSITES
class type inspect HTTPs-ACCESS
inspect
class type inspect UDP
inspect
class type inspect TCP
inspect
class type inspect DNS
inspect
class type inspect SMTP
inspect
class type inspect POP3
inspect
class type inspect ICMP
inspect
class class-default
drop log
policy-map type inspect OUT-TO-IN-POLICY
class type inspect VPN-ACCESS
pass log
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUT-TO-IN-POLICY
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect IN-TO-OUT-POLICY
zone-pair security SELF-TO-OUT source self destination OUTSIDE
service-policy type inspect SELF-TO-OUT-POLICY
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpngroup1

key 6 XXXXXXXXX
dns 172.17.0.50
pool VPN-POOL-1
max-users 20
netmask 255.0.0.0
!
crypto isakmp client configuration group vpngroup2
key 6 XXXXXXXXX
dns 172.17.0.48
pool VPN-POOL-2
acl VPNP
max-users 20
netmask 255.255.255.0
crypto isakmp profile VPN-IKE-PROFILE
match identity group XXXXX
match identity group XXXXXXXX
client authentication list VPN-USER-XAUTH
isakmp authorization list VPN-GROUP
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set TRANSFORM-SET esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-PROFILE-1
set transform-set TRANSFORM-SET
set isakmp-profile VPN-IKE-PROFILE
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
!
interface GigabitEthernet0/0
description LAN INTERFACE
ip address 172.17.0.71 255.255.0.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description WAN-INTERNET-INTERFACE
ip address X.X.X.X 255.X.X.X
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
no fair-queue
clock rate 2000000
!
interface Virtual-Template1
no ip address
!
interface Virtual-Template2 type tunnel
ip unnumbered GigabitEthernet0/0
zone-member security INSIDE
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-PROFILE-1
!
ip local pool VPN-POOL-1 10.0.0.1 10.0.0.30
ip local pool VPN-POOL-2 192.168.25.1 192.168.25.30
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 120 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 X.X.X.X.
ip route 192.168.1.0 255.255.255.0 172.17.0.6
ip route 192.168.4.0 255.255.255.0 172.17.0.6
!
ip access-list extended VPNP
permit ip host 172.17.0.40 any
permit ip host 172.17.0.41 any
permit ip host 172.17.0.42 any
ip access-list extended INTERNET-ACL-IT
permit ip host 172.17.0.81 any
permit ip host 172.17.0.82 any
permit ip host 172.17.0.83 any
permit ip host 172.17.0.84 any
permit ip host 172.17.0.111 any
!
logging 172.17.0.59
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip X.X.X.X X,X.X.X any
access-list 120 deny ip 172.17.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 172.17.0.0 0.0.255.255 any
access-list 120 deny ip 172.17.0.0 0.0.255.255 192.0.0.0 0.255.255.255
access-list 121 permit ip 10.0.0.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 122 permit ip 192.168.25.0 0.0.0.255 172.17.0.0 0.0.255.255
!
no cdp run
!
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output none
stopbits 1
line vty 0 4
privilege level 15
transport input rlogin ssh
!
scheduler allocate 20000 1000
end

Also see the actual network diagram with all  IP details. We do have one more router (Cisco) in between VPN server and Dlink router. The connection is PtoP lease line.

Regards,

Tony

Hello Harish,

Thank you for your reply. I will try this configuration and let you know the outcome.

Regards,

Tony

Hello Harish,

The configuration worked out perfectly. Again, thank you so much for your help and support .

Regards,

Tony

Excellent Tony!.

Happy to hear that.

Regards

Harish