12-17-2012 06:56 PM
Hi Guys,
Hope someone can help me; I will give a rundown of the config.
I have an edge router, which is a 2851; connected to the 2851 is a Cisco 3750 switch running inter-VLAN routing with four VLANs.
I have set up Easy VPN Server on the 2851 edge router. I am able to connect remotely from a Cisco VPN client without a problem, but I can't access the local network on the server side. I have tried everything with no luck.
I have the Cisco VPN client installed on a Windows 7 64-bit system, and I also tried it with a Windows XP 32-bit system, and still no luck.
Please, I need help, as I need to get this running by end of business today.
I will copy and paste the edge router config; please, if someone could review it and see if the config is right.
12-17-2012 09:25 PM
You would need to change your PAT ACL from standard to extended and deny traffic from being NATed towards the VPN Pool:
access-list 120 deny ip 10.10.10.0 0.0.0.3 10.10.50.0 0.0.0.255
access-list 120 deny ip 192.168.XX.0 0.0.0.255 10.10.50.0 0.0.0.255
access-list 120 deny ip 172.16.XX.0 0.0.0.255 10.10.50.0 0.0.0.255
access-list 120 deny ip 172.1X.20.0 0.0.0.255 10.10.50.0 0.0.0.255
access-list 120 deny ip 192.168.XX.0 0.0.0.255 10.10.50.0 0.0.0.255
access-list 120 permit ip 10.10.10.0 0.0.0.3 any
access-list 120 permit ip 192.168.XX.0 0.0.0.255 any
access-list 120 permit ip 172.16.XX.0 0.0.0.255 any
access-list 120 permit ip 172.1X.20.0 0.0.0.255 any
access-list 120 permit ip 192.168.XX.0 0.0.0.255 any
ip nat inside source list 120 interface Dialer0 overload
no ip nat inside source list 1 interface Dialer0 overload
clear ip nat trans *
Hope that helps.
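Added example (not from the thread): a small Python model of how the router evaluates the NAT ACL referenced by ip nat inside source list, first match wins with an implicit deny at the end, showing why the deny entries for the VPN pool must come before the broad permits. The 192.168.1.0/24 LAN and the 198.51.100.1 Internet address are constructed placeholders for the thread's 192.168.XX.0 network and an outside host.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a bit set in the wildcard is 'don't care'."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC WC DST WC'; 'any' = 0.0.0.0 255.255.255.255."""
    tok = line.split()[2:]            # ['permit', 'ip', SRC, WC, DST, WC]
    action, rest = tok[0], tok[2:]
    ends = []
    while rest:
        if rest[0] == "any":
            ends.append(("0.0.0.0", "255.255.255.255")); rest = rest[1:]
        else:
            ends.append((rest[0], rest[1])); rest = rest[2:]
    return action, ends[0], ends[1]

def is_natted(acl, src, dst):
    """NAT overload translates only flows the ACL permits; first match wins, implicit deny."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False

# Constructed: 192.168.1.0/24 stands in for the thread's 192.168.XX.0/24 LAN.
LAN, POOL = "192.168.1.0 0.0.0.255", "10.10.50.0 0.0.0.255"
# The original standard ACL 1 matches on source only; written here as its extended equivalent.
OLD_ACL = [f"access-list 1 permit ip {LAN} any"]
NEW_ACL = [f"access-list 120 deny ip 10.10.10.0 0.0.0.3 {POOL}",
           f"access-list 120 deny ip {LAN} {POOL}",
           f"access-list 120 permit ip 10.10.10.0 0.0.0.3 any",
           f"access-list 120 permit ip {LAN} any"]

def check(acl):
    """Return (LAN reply to a VPN client natted?, LAN to Internet natted?)."""
    return (is_natted(acl, "192.168.1.10", "10.10.50.5"),    # reply to a VPN client in the pool
            is_natted(acl, "192.168.1.10", "198.51.100.1"))  # ordinary Internet-bound traffic

if __name__ == "__main__":
    print("standard ACL 1:", check(OLD_ACL))   # (True, True): replies to VPN clients get PATed and never enter the tunnel
    print("extended ACL 120:", check(NEW_ACL)) # (False, True): pool traffic exempt, Internet traffic still PATed
```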
12-17-2012 10:44 PM
Hi Jennifer,
Thanks for the reply. I did what you suggested, but I still get no access to the local network.
When the VPN client connects I go into the statistics and then into show route, and it shows nothing in the local routes, and in the secured routes it shows 0.0.0.0 0.0.0.0.
I can't even ping the edge router from the VPN client when it's connected; I even tried to ping the Loopback 0 IP, which is 10.10.50.1, and still no go.
Can you think of anything else it could be? I have been on this for 3 days now and still can't get it to work.
thanks,
12-18-2012 11:28 PM
Can you ping 10.10.10.1 and 10.10.10.2?
Also, on the 10.10.10.2 router, what is the default route? Is it 10.10.10.1? If not, does it have a route for the VPN pool subnet (10.10.50.0/24) towards 10.10.10.1?
12-19-2012 05:51 PM
Hi Jennifer,
10.10.10.2 is the 3750 switch. When I connect with the VPN client I can't ping 10.10.50.1, 10.10.10.1 or 10.10.10.2.
It is very strange: everything connects OK but I can't ping anything; the only ping I can do is to the external IP address, which is the IP address that I use to connect to the router.
I have been all week trying to get it working and have had no luck whatsoever; I'm just about to give up on it.
When I try to add a route for 10.10.50.0/24 to 10.10.10.1 it gives me an error: %Invalid next hop address (it's this router).
I should at the very least be able to ping 10.10.10.1 or 10.10.50.1, but I can't even ping these two addresses.
Also, 10.10.50.1 is a loopback address on 10.10.10.1.
thanks,
12-19-2012 05:55 PM
Hi Anuj,
I will get the details and post it soon.
thanks,
12-18-2012 10:40 AM
Can you connect the VPN client once and provide the output of route print from the machine?
Along with this, run a ping from the VPN client to any resource available on the local LAN behind the router, and then provide me the output of show crypto ipsec sa taken multiple times from the router.
Regards,
Anuj
12-19-2012 06:55 PM
Hi Jessica,
I have checked your configuration; I think there are some things missing:
crypto isakmp profile vpn-ike-profile-1
match identity group SYS_VPN
client authentication list vpn_vpn_xauth_ml_1
isakmp authorization list vpn_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile VPN_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile VPN-ike-profile-1
1. Make sure the ip local pool SDM_POOL_1 10.10.50.5 10.10.50.10 has not been used in your LAN.
2. Make sure the LAN switch has a route to the VPN client's subnet 10.10.50.X.
3. Make sure your client has connected to the VPN server; use show cry ipsec client ez and show ip route to see if there is a route to 10.10.50.X via Virtual-Template 1.
I think what's missing is the config for the isakmp-profile.
12-20-2012 02:54 AM
Thanks everyone for your help. I finally got it going; it turns out it wasn't a config problem.
I thought to myself, I have tried everything possible and nothing worked; then I decided to upgrade or downgrade the IOS image and VOILA, everything works. OH MY GOD, this VPN gave me hell. I wish I had changed the IOS from the beginning; it would have saved me a lot of trouble and time.
For anyone who has this problem in the future: the router was running IOS version c2800nm-adventerprisek9-mz.151-3.T3.bin and the Easy VPN would not work at all; after upgrading to IOS version c2800nm-adventerprisek9-mz.151-4.M3.bin everything worked OK without any problems.
Once again, thank you all for your help.