09-28-2011 06:29 PM
Hello everyone,
I'm configuring Cisco Easy VPN on Cisco Router 2821 - C2800NM-ADVENTERPRISEK9_IVS-M, Version 12.4(9)T7.
If I apply the crypto map to the FastEthernet interface and connect the VPN Client from the LAN, everything is OK. If I apply the crypto map to the Dialer0 interface (connected to the Internet), I cannot connect from the Internet. Dialer0 is also doing NAT overload for internal users to connect to the Internet.
So do I have to add any more commands to allow IPsec VPN on this interface? Thank you very much.
Here is my configuration:
aaa new-model
!
aaa authentication login sbd-authen local
aaa authorization network sbd-author local
!
username hiepnh password 7 013057175804575D72181B
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group sbdvpn
 key sbdezvpn
 dns 172.28.40.2
 wins 172.28.40.2
 pool vpn_pool_2
 acl 111
 include-local-lan
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map vpn_dynmap_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map vpn_cmap_1 client authentication list sbd-authen
crypto map vpn_cmap_1 isakmp authorization list sbd-author
crypto map vpn_cmap_1 client configuration address respond
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.10
 description ** Connect to User VLAN **
 encapsulation dot1Q 10
 ip address 172.28.40.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 standby 2 ip 172.28.40.1
 standby 2 priority 150
 standby 2 preempt
!
!
interface Dialer0
 description ****** Interface OUTSIDE - INTERNET ADSL ******
 mtu 1492
 bandwidth 8192
 ip address negotiated
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 load-interval 30
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username Hnfdl-081022-096 password 7 03025F5B575F781A
 crypto map vpn_cmap_1
!
ip local pool vpn_pool_2 172.28.49.2 172.28.49.50
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat translation timeout 1800
ip nat translation max-entries all-host 200
ip nat inside source list INTERNET_ACCESS interface Dialer0 overload
ip nat inside source static tcp 172.28.40.233 23 interface Dialer0 65000
ip nat inside source static tcp 172.28.40.2 1723 interface Dialer0 1723
ip nat inside source static tcp 172.28.40.15 80 interface Dialer0 80
ip nat inside source static tcp 172.28.40.15 25 interface Dialer0 25
ip nat inside source static tcp 172.28.40.15 110 interface Dialer0 110
ip nat inside source static tcp 172.28.40.15 143 interface Dialer0 143
ip nat inside source static tcp 172.28.40.15 443 interface Dialer0 443
ip nat inside source static tcp 172.28.40.2 3389 interface Dialer0 4000
ip nat inside source static tcp 172.28.40.236 37349 interface Dialer0 37349
ip nat inside source static udp 172.28.40.236 37349 interface Dialer0 37349
!
access-list 111 permit ip 172.28.40.0 0.0.0.255 any
access-list 111 permit ip 172.28.44.0 0.0.0.255 any
access-list 111 permit ip 172.28.80.0 0.0.0.255 any
access-list 111 permit ip 172.28.82.0 0.0.0.255 any
!
Thank you very much.
Regards,
Hiep Nguyen
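Before chasing packets with debugs, it is worth confirming that every name the crypto map on Dialer0 depends on actually resolves inside the pasted configuration. The script below is an added example (it is not from the post and not Cisco tooling): it parses IOS-style config text and follows the chain crypto map -> dynamic map -> transform set, the AAA method lists named on the crypto map, the client group's pool and split-tunnel ACL, and the NAT source list, reporting anything referenced but not defined. It also reports which interface carries both NAT overload and the crypto map, which is the situation described above. The sample input is a constructed excerpt of the configuration in the post; the parser assumes each block ends at a `!` line, which is how the post (and IOS) lays it out.

```python
"""Cross-reference checker for a pasted Cisco IOS crypto-map / NAT configuration.

Added example, not from the forum post or from Cisco. Every reference a
crypto-map deployment relies on is looked up in the same text; dangling
references are reported. Block ends are detected at '!' lines, so the
parser copes with indented IOS output and flush-left pasted text alike.
"""
import re

# Constructed excerpt of the configuration posted above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login sbd-authen local
aaa authorization network sbd-author local
crypto isakmp client configuration group sbdvpn
 key sbdezvpn
 pool vpn_pool_2
 acl 111
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map vpn_dynmap_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map vpn_cmap_1 client authentication list sbd-authen
crypto map vpn_cmap_1 isakmp authorization list sbd-author
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
interface FastEthernet0/1.10
 ip address 172.28.40.254 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip nat outside
 crypto map vpn_cmap_1
!
ip local pool vpn_pool_2 172.28.49.2 172.28.49.50
ip nat inside source list INTERNET_ACCESS interface Dialer0 overload
access-list 111 permit ip 172.28.40.0 0.0.0.255 any
"""

# Commands that open a block of sub-commands (assumed set, extend as needed).
BLOCK_PREFIXES = ("interface ", "crypto dynamic-map ", "ip access-list ",
                  "crypto isakmp client configuration group ", "crypto isakmp policy ")


def parse(text):
    """Split config text into top-level lines and {block header: [sub-commands]}."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None          # '!' terminates the open block
            continue
        if line.startswith(BLOCK_PREFIXES):
            current = line
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
        else:
            top.append(line)
    return top, blocks


def check_references(text):
    """Return a list of (severity, message) findings for the given config text."""
    top, blocks = parse(text)
    findings = []
    top_has = lambda pat: any(re.match(pat, l) for l in top)
    block_has = lambda pat: any(re.match(pat, h) for h in blocks)
    crypto_ifaces = {}  # interface name -> crypto map applied to it

    for header, sub in blocks.items():
        if header.startswith("interface "):
            ifname = header.split()[1]
            for l in sub:
                m = re.match(r"crypto map (\S+)$", l)
                if not m:
                    continue
                cmap = m.group(1)
                crypto_ifaces[ifname] = cmap
                seqs = [t for t in top if re.match(rf"crypto map {re.escape(cmap)} \d+ ", t)]
                if not seqs:
                    findings.append(("error", f"{ifname}: crypto map {cmap} has no sequence entries"))
                for t in seqs:  # each dynamic entry must point at a defined dynamic-map
                    d = re.search(r"ipsec-isakmp dynamic (\S+)", t)
                    if d and not block_has(rf"crypto dynamic-map {re.escape(d.group(1))} \d+"):
                        findings.append(("error", f"crypto map {cmap}: dynamic-map {d.group(1)} is not defined"))
                # AAA lists named on the crypto map must exist as method lists
                for kind, pat in (("client authentication list", "aaa authentication login {} "),
                                  ("isakmp authorization list", "aaa authorization network {} ")):
                    for t in top:
                        a = re.match(rf"crypto map {re.escape(cmap)} {kind} (\S+)", t)
                        if a and not top_has(pat.format(re.escape(a.group(1)))):
                            findings.append(("error", f"crypto map {cmap}: {kind} {a.group(1)} has no AAA method list"))
        elif header.startswith("crypto dynamic-map "):
            for l in sub:
                m = re.match(r"set transform-set (\S+)", l)
                if m and not top_has(rf"crypto ipsec transform-set {re.escape(m.group(1))} "):
                    findings.append(("error", f"{header}: transform-set {m.group(1)} is not defined"))
        elif header.startswith("crypto isakmp client configuration group "):
            group = header.split()[-1]
            for l in sub:
                p = re.match(r"pool (\S+)", l)
                if p and not top_has(rf"ip local pool {re.escape(p.group(1))} "):
                    findings.append(("error", f"group {group}: ip local pool {p.group(1)} is not defined"))
                a = re.match(r"acl (\S+)", l)
                if a and not top_has(rf"access-list {re.escape(a.group(1))} "):
                    findings.append(("error", f"group {group}: split-tunnel ACL {a.group(1)} is not defined"))

    # NAT overload: its source list must exist, and note when it shares an interface with a crypto map
    for t in top:
        m = re.match(r"ip nat inside source list (\S+) interface (\S+) overload", t)
        if not m:
            continue
        acl, iface = m.groups()
        if not (top_has(rf"access-list {re.escape(acl)} ") or block_has(rf"ip access-list \S+ {re.escape(acl)}$")):
            findings.append(("warning", f"NAT source list {acl} is referenced but not present in the pasted config"))
        if iface in crypto_ifaces:
            findings.append(("info", f"{iface}: NAT overload and crypto map {crypto_ifaces[iface]} share the same interface"))
    return findings


if __name__ == "__main__":
    for severity, message in check_references(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the posted excerpt it reports only that the NAT source list INTERNET_ACCESS is not in the pasted text (the post omits that ACL) and that Dialer0 carries both NAT overload and vpn_cmap_1; every crypto, AAA, pool and ACL reference resolves. Paste a full `show running-config` into SAMPLE_CONFIG, or read it from a file, to check a live box.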
09-30-2011 08:48 AM
Hiep,
When you try to establish the session what do you see in:
show crypto isa sa
and
debug cry isa
debug crypto ipsec
If there is no output, it means that most likely the IKE packets never make it to the box.
Marcin