12-05-2013 05:57 AM - edited 02-21-2020 07:22 PM
Hi Guys,
This VPN is driving me crazy!!! It connects, but I can't access any of the resources behind the router, and I can't ping. What am I doing wrong? Any idea? It sounds like a routing/ACL issue, but...
Any help appreciated! And thanks a lot!!!
[…]
!
hostname R1
!
[…]
enable secret […]
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN local
aaa authorization exec default local
aaa authorization network VPN local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool DHCP-1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool DHCP-2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8 8.8.4.4
!
[…]
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint […]
!
!
crypto pki certificate chain […]
!
!
username […]
!
redundancy
!
!
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNGROUP
key […]
dns 8.8.8.8
pool VPNRAPOOL
acl VPN_SPLIT
!
!
crypto ipsec transform-set T1 esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
set transform-set T1
reverse-route
!
!
crypto map VPN client authentication list VPN
crypto map VPN isakmp authorization list VPN
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp dynamic DYNMAP
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN
ip address 1.1.1.1 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPN
!
interface GigabitEthernet0/1
description 1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
description 2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
[…]
!
ip local pool VPNRAPOOL 14.0.1.100 14.0.1.200
no ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat pool POOL-TSG 1.1.1.2 1.1.1.2 netmask 255.255.255.240
ip nat pool POOL-Phones 1.1.1.3 1.1.1.3 netmask 255.255.255.240
[…]
ip nat inside source list 2 pool POOL-2 overload
ip nat inside source list 1 pool POOL-1 overload
[…]
ip nat inside source static udp 192.168.1.243 500 1.1.1.2 500 extendable
[…]
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip access-list extended VPN_SPLIT
permit ip 192.168.0.0 0.0.255.255 14.0.1.0 0.0.0.255
!
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
[…]
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
password […]
transport input ssh
!
scheduler allocate 20000 1000
end
12-05-2013 06:48 AM
Hi,
I don't see a NAT0 configuration for the VPN pool to LAN traffic, just dynamic PAT for two different LAN networks.
- Jouni
12-05-2013 02:00 PM
Thanks Jouni,
How do I do NAT0 on an IOS router?
Luca
12-05-2013 02:32 PM
Hi,
Here's a nice document about it:
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/809-cisco-router-vpn-client.html
Here are some Cisco documents:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00809bd825.shtml
- Jouni
12-07-2013 09:32 AM
Thanks for these very helpful resources...
I added some lines to the router.
access-list 110 deny ip 192.168.0.0 0.0.255.255 14.0.1.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
ip nat inside source list 110 interface GigabitEthernet0/0 overload
Still no access to the LAN and no ping responses.
On the Cisco VPN Client I can see there is traffic; enc and dec packets are increasing normally.
Any idea?
Also, this keeps popping up in the logs:
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST)
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK)
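The following is an added example, not part of any post in the thread, showing what Jouni's "NAT0" point looks like on the posted configuration. In the original config, access-lists 1 and 2 match every packet sourced from 192.168.1.0/24 and 192.168.2.0/24, so a LAN host's reply to a VPN client (14.0.1.x, from VPNRAPOOL) is source-translated to a POOL-1/POOL-2 public address before the crypto map sees it; the translated packet no longer matches the IPsec proxy identities and leaves in the clear instead of being encrypted back to the client. Adding a separate `list 110` statement does not by itself stop the original `list 1`/`list 2` statements from matching that traffic, so the exemption is placed in the ACLs those statements use. The ACL names NAT-LAN1 and NAT-LAN2 are assumed; POOL-1, POOL-2, VPNRAPOOL and the LAN subnets are taken from the post.

```cisco
! Added example (not from the thread): NAT exemption for VPN-pool traffic.
! Assumed names: NAT-LAN1, NAT-LAN2. POOL-1/POOL-2 and the subnets are from the post.
!
! Before (from the posted config): every packet from the LANs is PATed, including
! replies to VPN clients in 14.0.1.0/24, which then bypass the crypto map.
!   access-list 1 permit 192.168.1.0 0.0.0.255
!   access-list 2 permit 192.168.2.0 0.0.0.255
!   ip nat inside source list 1 pool POOL-1 overload
!   ip nat inside source list 2 pool POOL-2 overload
!
! After: deny LAN -> VPN-pool traffic in the ACLs that drive those same NAT
! statements (so it is never translated) and keep translating everything else.
ip access-list extended NAT-LAN1
 deny   ip 192.168.1.0 0.0.0.255 14.0.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended NAT-LAN2
 deny   ip 192.168.2.0 0.0.0.255 14.0.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
!
! Replace the standard-ACL NAT statements with the extended-ACL ones.
no ip nat inside source list 1 pool POOL-1 overload
no ip nat inside source list 2 pool POOL-2 overload
ip nat inside source list NAT-LAN1 pool POOL-1 overload
ip nat inside source list NAT-LAN2 pool POOL-2 overload
```

After applying it, flush the stale translations with `clear ip nat translation *`, then ping a LAN host from the client and check `show ip nat translations` (there should be no entries with a 14.0.1.x destination) and `show crypto ipsec sa` (the router's `#pkts encaps` counter should now increase alongside `#pkts decaps`). The split-tunnel ACL VPN_SPLIT and the `reverse-route` under DYNMAP in the posted config already provide the client-side routes and the return route for the pool, so nothing else changes there; if pings still fail afterwards, the LAN hosts' own firewalls are the next thing to check, since they commonly drop ICMP from off-subnet sources. The DPD_REQUEST/DPD_ACK pairs in the client log are routine dead-peer-detection keepalives and are unrelated to the problem.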