remote access IPSEC VPN

R Manjunatha
Level 3

Hi,

I configured a remote access IPsec VPN on the Cisco router, and I am unable to connect to it from Cisco AnyConnect on my desktop. I am able to reach this IP address, 192.168.50.192 (this is the DHCP address of my local host).

Current configuration : 2553 bytes
!
! Last configuration change at 11:27:53 UTC Fri Oct 21 2022
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R120
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$cAUE$Gyu2iSLtO/5NaQz/rOlky.
!
aaa new-model
!
!
aaa authentication login admin local
aaa authorization network admin1 local
!
!
!
!
!
aaa session-id common
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180

ip domain name iqnetlab.com
ip host R120 192.168.50.192
ip name-server 192.168.50.192
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
password encryption aes
!
!
!
!
!
!
!
username admin password 0 aadmin
!
redundancy

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group cisco
key cisco123
pool vpnpool
!
!
crypto ipsec transform-set vpnclient esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map map1 10
set transform-set vpnclient
reverse-route
!
!
crypto map map1 client authentication list admin
crypto map map1 isakmp authorization list admin1
crypto map map1 client configuration address respond
crypto map map1 10 ipsec-isakmp dynamic map1
!
!
!
!
!
interface Loopback1
ip address 172.120.10.1 255.255.255.0
!
interface Loopback2
ip address 172.120.20.1 255.255.255.0
!
interface Loopback3
ip address 172.120.30.1 255.255.255.0
!
interface Loopback4
ip address 172.120.40.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.120.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
!
interface Ethernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
crypto map map1
!
interface Ethernet0/2
ip address 192.168.30.2 255.255.255.0
duplex auto
!
interface Ethernet0/3
no ip address
shutdown
duplex auto
!
!
router eigrp 100
network 10.10.120.0 0.0.0.255
network 172.120.10.0 0.0.0.255
network 172.120.20.0 0.0.0.255
network 172.120.30.0 0.0.0.255
network 172.120.40.0 0.0.0.255
network 192.168.50.0
redistribute static metric 10000 0 255 1 1500
!
ip local pool vpnpool 192.168.1.1 192.168.1.10
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Ethernet0/1 overload
ip ssh version 2
!
ipv6 ioam timestamp
!
!
access-list 1 permit 10.10.0.0 0.0.255.255

line con 0
logging synchronous
line aux 0
line vty 0 4
transport input ssh
!
!
end

R120(config)#

2 Replies

@R Manjunatha, not sure I fully understand your issue, but NAT potentially looks like it could be a problem. The traffic defined in ACL 1 (10.10.0.0/16) will be translated behind the Ethernet0/1 interface. You should modify the NAT ACL to ensure traffic between 10.10.0.0/16 and the VPN IP pool 192.168.1.0/x is not translated (with a deny in the ACL), then permit the rest of the traffic to enable outbound NAT (to the internet).

Example:

access-list 101 deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.10.0.0 0.0.255.255 any

ip nat inside source list 101 interface Ethernet0/1 overload
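A way to check a running-config for exactly the problem described in this reply: the lint below (an added example, not code from the thread or from Cisco) finds every `ip nat inside source list` statement and reports it when the first ACE that matches traffic towards an `ip local pool` range is a permit, meaning inside-to-VPN traffic would be translated. It assumes numbered ACLs with `any` or address/wildcard specs (no `host`, named ACLs or non-contiguous wildcards); the two config strings are constructed excerpts of the posted config, before and after the suggested ACL 101.

```python
import ipaddress
import re

ANY = ipaddress.IPv4Network("0.0.0.0/0")

def _take_net(toks):
    """Consume one ACE address spec ('any' or 'A WILDCARD'); IOS wildcards are inverted netmasks."""
    if toks[0] == "any":
        return ANY, toks[1:]
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(toks[1])))
    return ipaddress.IPv4Network((toks[0], str(mask)), strict=False), toks[2:]

def parse_acl(config, number):
    """Ordered (action, src, dst) tuples of numbered ACL 'number'; a standard ACE matches any dst."""
    entries = []
    for m in re.finditer(rf"^\s*access-list {number} (permit|deny)\s+(.+)$", config, re.M):
        action, toks = m.group(1), m.group(2).split()
        if toks[0] == "ip":                  # extended ACE: protocol, src, dst
            src, toks = _take_net(toks[1:])
            dst, _ = _take_net(toks)
        else:                                # standard ACE: source only
            src, dst = _take_net(toks)[0], ANY
        entries.append((action, src, dst))
    return entries

def pool_net(lo, hi):
    """Smallest prefix covering an 'ip local pool' range (192.168.1.1-.10 -> 192.168.1.0/28)."""
    net = ipaddress.IPv4Network(lo + "/32")
    while ipaddress.IPv4Address(hi) not in net:
        net = net.supernet()
    return net

def nat_leaks_to_pool(config):
    """(acl, pool, prefix) for each 'ip nat inside source list' whose first ACE matching
    pool-bound traffic is a permit: inside-to-VPN traffic would be translated (first match wins)."""
    pools = {n: pool_net(lo, hi) for n, lo, hi in re.findall(r"ip local pool (\S+) (\S+) (\S+)", config)}
    findings = []
    for acl in re.findall(r"ip nat inside source list (\S+)", config):
        for name, pnet in pools.items():
            hit = next((a for a, _s, d in parse_acl(config, acl) if d.overlaps(pnet)), None)
            if hit == "permit":
                findings.append((acl, name, str(pnet)))
    return findings

# Constructed excerpts of the posted config: as posted (ACL 1), and with the reply's ACL 101.
POSTED = """ip local pool vpnpool 192.168.1.1 192.168.1.10
ip nat inside source list 1 interface Ethernet0/1 overload
access-list 1 permit 10.10.0.0 0.0.255.255
"""
FIXED = POSTED.replace("source list 1 ", "source list 101 ") + """\
access-list 101 deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.10.0.0 0.0.255.255 any
"""
```

`nat_leaks_to_pool(POSTED)` reports ACL 1 against the vpnpool prefix, while the corrected ACL 101 produces no finding because the deny is hit first.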