Help with Remote access VPN on Cisco router 3925 via Dialer Interface

khuatquangngoc
Level 1

Hi Everybody,

I need help for my work now; I would appreciate it if someone can fix my problem. I have a Cisco router 3925 and access the Internet via a PPPoE link. I want to configure Remote Access VPN using the Cisco VPN Client software, but it doesn't work. Here is my router config:

HUNRE#show running-config
Building configuration...

Current configuration : 5515 bytes
!
! No configuration change since last restart
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HUNRE
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$vEFw$rLfvLglzUgddCVwXDx03K.
enable password cisco
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
crypto pki trustpoint TP-self-signed-1050416327
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1050416327
 revocation-check none
 rsakeypair TP-self-signed-1050416327
!
!
crypto pki certificate chain TP-self-signed-1050416327
 certificate self-signed 01
        quit
!
!
!
!
!
!
ip name-server 210.245.1.253
ip name-server 210.245.1.254
ip cef    
no ipv6 cef
!
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
!
vpdn-group 2
!
!
license udi pid C3900-SPE100/K9 sn FOC1823839B
license boot module c3900 technology-package securityk9
!
!
username cisco privilege 15 secret 5 $1$aAjB$D3iLyPFTE7O1bHPnKSJcH0
username kdhong privilege 15 secret 5 $1$nfyX$FO1BPTabCUaE6uKQwpLT.1
!
redundancy
!
!
!
!
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN-HUNRE
 key hunre
 dns 8.8.8.8
 domain hunre
 pool IP-VPN
 acl 199
 max-users 100
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto dynamic-map DYNMAP 1
 set transform-set encrypt-method-1
!
!
crypto map VPN client configuration address respond
crypto map VPN 65535 ipsec-isakmp dynamic DYNMAP
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!         
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1492
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description FPT
 no ip address
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/2
 description Connect to CMC
 no ip address
 ip mtu 1442
 ip nat outside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 2
 no cdp enable
!
interface Dialer1
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname [USERNAME]
 ppp chap password 0 [PASSWORD]
 ppp pap sent-username [USERNAME] password 0 [PASSWORD]
 ppp ipcp dns request
 crypto map VPN
!
interface Dialer2
 description Logical ADSL Interface 2
 ip address negotiated
 ip mtu 1442
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1344
 dialer pool 2
 dialer-group 2
 ppp authentication chap pap callin
 ppp chap hostname [USERNAME]
 ppp chap password 0 [PASSWORD]
 ppp pap sent-username [USERNAME] password 0 [PASSWORD]
 ppp ipcp address accept
 no cdp enable
!
ip local pool IP-VPN 10.252.252.2 10.252.252.245
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source list 11 interface Dialer2 overload
ip nat inside source static 10.159.217.10 interface Dialer1
ip nat inside source list 199 interface Dialer1 overload
ip nat inside source static tcp 10.159.217.10 80 210.245.54.49 80 extendable
ip nat inside source static tcp 10.159.217.10 3389 210.245.54.49 3389 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.159.217.0 255.255.255.0 192.168.1.8
!
ip sla auto discovery
ip sla responder
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
!
access-list 10 permit any
access-list 11 permit any
access-list 101 permit icmp any any
access-list 199 permit ip any any
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password cisco
 transport input all
line vty 5 15
 password cisco
 transport input all
!
scheduler allocate 20000 1000
ntp master
!
end

However, I cannot ping interface Dialer 1. I am using Cisco VPN Client software version 5.0.07.0290.

Hoping for your answers!

Thanks

5 Replies

Hello,

I see your configuration and we are missing two things:

1 - Split tunnel configuration: in your case access list 199 is incorrect, you cannot use permit ip any any here; you have to specify the internal resources you want to reach from the IP local pool:

access-list 199 permit ip <Subnet_on_Router> 10.252.252.0 0.0.0.255

You can add as many entries as you need, as long as they are reachable from the router.

2 - You don't have a NAT exempt, therefore the traffic is not getting back to the VPN client:

access-list 130 deny ip  <Router_Subnets> 10.252.252.0 0.0.0.255     ****** from inside to remote or ip-pool
access-list 130 permit ip any any                                    ****** from inside or any to Internet

route-map nonat-Pat 10
     match ip address 130

ip nat inside source route-map nonat-Pat interface FastEthernet0/1 overload

Then after creating that NAT, please remove these NAT statements that are incorrect:

no ip nat inside source list 10 interface Dialer1 overload
no ip nat inside source list 199 interface Dialer1 overload

Let me know how it works out,

Please don't forget to rate and mark as correct the helpful post!

David Castro,

Regards,
Hi David Castro,

Thanks for your answer,

I configured it following your guide, but it has not worked yet. I saw that I cannot ping the Internet gateway IP. I am using ADSL Internet with PPPoE configured, and my router receives its IP from the ISP. Here is show ip int brief:

GigabitEthernet0/0         192.168.1.1     YES NVRAM  up                    up      
GigabitEthernet0/1         unassigned      YES NVRAM  up                    up      
GigabitEthernet0/2         unassigned      YES NVRAM  up                    up      
Dialer1                    210.245.54.49   YES IPCP   up                    up      
Dialer2                    101.99.7.73     YES IPCP   up                    up      
NVI0                       192.168.1.1     YES unset  up                    up      
Virtual-Access1            unassigned      YES unset  up                    up      
Virtual-Access2            unassigned      YES unset  up                    up      
Virtual-Access3            unassigned      YES unset  up                    up 

But I cannot ping interface Dialer 1, so maybe the VPN is not working. Do you have any idea?

Thanks very much!

Hello,

If you cannot ping the Dialer 1 interface from the outside, it seems that you are having issues at layer 3; make sure the ADSL connection is providing you Internet access as required!

Do you have access to the Internet from the inside of the router?

Doing a tracert to 4.2.2.2 from an internal host, is it egressing and getting successfully to the IP address?

When you try to connect from the outside to the VPN, what error are you getting?

Are you getting a dynamic IP address from the ISP?

Make sure to follow these steps!

Please don't forget to rate and mark as helpful the Post!

David,

Regards,

Hi David,

Everything in my inside network is OK. Users in the LAN can access the Internet.

My interface Dialer 1 received an IP from the ISP: 210.245.54.49

Users from inside can ping the IP of interface Dialer 1, but I cannot ping it from the outside network.

When I connect the VPN using the Cisco VPN Client software I see this error:

"Reason 412: The remote peer is no longer responding"

I think I cannot ping Dialer 1, so the VPN does not connect!

Thanks!

Hi,

Thanks for clarifying those points. Either way, ICMP works on layer 3 and the connection is being made on UDP port 500; with debugs we can verify whether the router generates logs when you are trying to connect with the VPN client. Please set them up:

- debug crypto isakmp
- debug crypto ipsec

If you don't receive anything in your logs, it seems that the public IP address is not reachable from the outside anyway! In that case I would strongly recommend you contact your ISP to check what is going on!

Please don't forget to rate and mark as helpful the Post!

David Castro,

Regards,