IPSec VPN Client issue

grandezherz (Level 1)

I have a 1721 router in my Branch Office's LAN with the Cisco Easy VPN server feature, allowing Remote VPN Clients to be connected through IPSec 3DES tunnels.

The 1721 router, as well as the rest of the LAN PCs, is connected, by means of a Cisco 2610 non-managed router, to a private Frame Relay cloud, where different PVCs have been configured. One of those PVCs goes to the HQ office. Another one goes to the Internet.

The problem is that when Remote clients establish the tunnel I cannot get them to access any resource, either local (connected to the LAN: 208.92.105.160/27) or remote (i.e., the HQ office), as the traffic needs to go out unencrypted through the same interface it came in on (encrypted), that is, the FastEthernet0 interface on the 1721.

Could someone propose a solution to this that does not require modifying the current configuration on the 2610 router?

Thanks.

Below the current configuration:

1720#sh run
Building configuration...

Current configuration : 3092 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1720
!
logging buffered 65536 debugging
logging monitor notifications
aaa new-model
!
!
aaa authentication attempts login 2
aaa authentication login AUTH-IN local
aaa authorization network MYVPN local
aaa session-id common
enable secret xxxxx
!
username user1 password xxxx
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
!
!
no ip domain-lookup
ip domain-name 1720
!
no ip bootp server
ip inspect audit-trail
ip inspect udp idle-time 210
ip inspect tcp idle-time 420
ip inspect tcp synwait-time 12
ip inspect tcp max-incomplete host 200 block-time 0
ip inspect name SECURE http
ip inspect name SECURE ftp
ip inspect name SECURE tcp
ip inspect name SECURE udp
ip inspect name SECURE smtp
ip inspect name SECURE h323
ip audit notify log
ip audit po max-events 100
ip ssh authentication-retries 2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 14400
crypto isakmp client configuration address-pool local POOL
!
crypto isakmp client configuration group MYVPN
 key cisco123
 dns 197.148.143.242 192.207.125.2
 domain mydomain.com
 pool POOL
!
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
!
crypto dynamic-map DYNAM 10
 set transform-set MYSET
 reverse-route
 ! DO I NEED TO ADD/ASSOCIATE AN EXTENDED ACCESS-LIST TO PREVENT SOME TRAFFIC FROM BEING ENCRYPTED?
 match address <Extended-ACL>
!
crypto map MYMAP isakmp authorization list MYVPN
crypto map MYMAP client configuration address initiate
crypto map MYMAP client configuration address respond
crypto map MYMAP 10 ipsec-isakmp dynamic DYNAM
!
!
interface Loopback30
 ip address 30.1.1.3 255.255.255.255
!
interface FastEthernet0
 ip address 208.x.x.x.x.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SECURE in
 ip inspect SECURE out
 speed auto
 no cdp enable
 crypto map MYMAP
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
ip local pool POOL 10.0.2.1 10.0.2.2
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
no ip http server
ip pim bidir-enable
!
!
! EXTENDED-ACL HERE?
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 240 0
 password xxxx
 login authentication AUTH-IN
 transport input telnet ssh
!
no scheduler allocate
end

2 Replies

gfullage (Cisco Employee)

This should work. Make sure all the hosts on the 208.92.105.160/27 subnet and the HQ Office have a static route to the VPN pool of addresses (10.0.2.0/30) that points to 208.92.205.189 interface on the router. I presume that at the moment they have a default route pointing to the 2610, so alternatively you could add the static route on that and it'll forward everything onto the 1721 (remove "no ip redirect" from the 2610 interface if you have it).

If that still fails then try removing the "ip inspect" stuff off the interface temporarily and see if that makes a difference; it may be blocking the traffic.

grandezherz (Level 1)

Thank you very much for your support!

For the VPN client traffic to be routed to the Intranet/Internet, and to avoid having to request permission to modify routers all over the network, I had to get rid of the 10.0.2.0/24 pool. Instead, I had to assign LAN public IP addresses, as shown in the following line on the 1720 router:

1720(config)#ip local pool POOL 208.92.205.184 208.92.205.185

And modify (there was no other choice) the 2610 router adding a static route:

2610(config)#ip route 208.92.205.184 255.255.255.254 208.92.205.189

Now, is there any way in which I could specify a subnetted IP LOCAL POOL, since this command normally assigns the default (classful) mask?

I.e., with the "ip local pool POOL 208.92.205.184 208.92.205.185" command, clients are assigned the default mask for a class C network (255.255.255.0) instead of the one the LAN actually has (255.255.255.224).

Thanks again.
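The two return-path options discussed in this thread (a static route for an out-of-LAN pool as in gfullage's reply, or a pool carved out of the LAN subnet as in the follow-up) can be sanity-checked before touching a router. The script below is an added example, not code from the thread or from Cisco: it computes the smallest prefix covering a pool, emits the matching IOS static route for the upstream router, reports the classful mask a bare address implies (the behaviour the follow-up reports for the pool), and flags the ARP consequence of placing the pool inside the LAN. It assumes the LAN is 208.92.205.160/27 (the thread gives it once as 208.92.105.160/27 and elsewhere with 208.92.205.x addresses) and that the 1721's FastEthernet0 address is 208.92.205.189; both pools are the ones posted.

```python
"""Return-path checks for an Easy VPN client pool behind a LAN-attached router.

Added example, not from the original thread. The LAN (208.92.205.160/27),
the VPN router's LAN address (208.92.205.189) and the pool ranges are taken
from the thread as labelled assumptions; the sample runs at the bottom are
constructed to mirror the two situations the thread describes.
"""
import ipaddress


def covering_prefix(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every address in [first, last].

    Walks the prefix length down from /32 until the two ends share the
    same network bits; e.g. 10.0.2.1-10.0.2.2 -> 10.0.2.0/30.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("pool start is above pool end")
    plen = 32
    while plen > 0 and (lo >> (32 - plen)) != (hi >> (32 - plen)):
        plen -= 1
    network_int = (lo >> (32 - plen)) << (32 - plen)
    return ipaddress.IPv4Network((network_int, plen))


def static_route(pool_first: str, pool_last: str, next_hop: str) -> str:
    """IOS static route an upstream router needs to reach the whole pool."""
    net = covering_prefix(pool_first, pool_last)
    return f"ip route {net.network_address} {net.netmask} {next_hop}"


def classful_prefix(addr: str) -> int:
    """Prefix length implied by the address class (what the follow-up says
    the client receives when 'ip local pool' is given no mask)."""
    first_octet = int(addr.split(".")[0])
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError("class D/E address has no classful mask")


def check_pool(lan: str, vpn_router_lan_ip: str, pool_first: str,
               pool_last: str, proxy_arp: bool) -> list:
    """Findings for one pool placement, as short stable tags.

    Tags: 'next-hop-off-lan', 'pool-contains-router-ip', 'overlap-lan',
    'no-proxy-arp', and 'route-needed: <ios static route>'.
    """
    lan_net = ipaddress.IPv4Network(lan, strict=False)
    router_ip = ipaddress.IPv4Address(vpn_router_lan_ip)
    pool = covering_prefix(pool_first, pool_last)
    findings = []
    if router_ip not in lan_net:
        # A static route pointing at an off-LAN next hop is never installed.
        findings.append("next-hop-off-lan")
    if router_ip in pool:
        findings.append("pool-contains-router-ip")
    if pool.overlaps(lan_net):
        # Hosts on the LAN treat these addresses as directly connected and
        # ARP for them instead of sending to their gateway, so the VPN
        # router must answer those ARPs on its LAN interface.
        findings.append("overlap-lan")
        if not proxy_arp:
            # The posted config has 'no ip proxy-arp' on FastEthernet0.
            findings.append("no-proxy-arp")
    else:
        # Pool outside the LAN: the upstream router (or every LAN host)
        # needs a route for it back to the VPN router, as gfullage advised.
        findings.append(
            "route-needed: " + static_route(pool_first, pool_last, vpn_router_lan_ip))
    return findings


if __name__ == "__main__":
    # Constructed sample runs mirroring the two situations in the thread.
    for pool in (("10.0.2.1", "10.0.2.2"), ("208.92.205.184", "208.92.205.185")):
        print(pool, "->", covering_prefix(*pool),
              "classful /%d" % classful_prefix(pool[0]))
        for tag in check_pool("208.92.205.160/27", "208.92.205.189", *pool, proxy_arp=False):
            print("   ", tag)
```

The first pool yields the /30 route gfullage mentions; the second yields exactly the `ip route 208.92.205.184 255.255.255.254 208.92.205.189` line added to the 2610, and additionally flags that, for hosts sitting on the same /27, the 1721 would have to answer ARP for the pool addresses because the posted configuration turns proxy ARP off.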