685 Views | 0 Helpful | 4 Replies

SDM & Easy VPN Server Problem

thomaslaus
Level 1

I am having a problem configuring an Easy VPN Server using the Cisco Security Device Manager Version 2.0a on a 1711 Router with IOS 12.3(7)XR3.

I reset the router to Factory Defaults from the SDM opening screen.

Login to 10.10.10.1
User: cisco
Password: Cisco

Start SDM for the initial router configuration dialog.
Don't use CNS

On the basic configuration screen:
Hostname set to router
Domain: test.com
Synchronize time with local PC
Change Username
New username: superuser
password: xyzzy123
secret password: xyzzy1234

LAN Interface Configuration Screen
IP Address set to 10.1.1.1
Subnet: 255.255.255.0
Enabled DHCP Server
Start IP: 10.1.1.50
End IP: 10.1.1.70

DNS Configuration Screen
Primary: 45.45.45.45
Secondary: 45.45.45.46
Use for DHCP Clients

WAN Configuration Screen
Selected Ethernet without PPPoE Encapsulation
No dynamic (DHCP Client) hostname

Advanced Option Screen
Port Address Translation Selected for VLAN1

After reading the summary, I selected FINISH. The dialog asked whether I wanted to configure a Basic Firewall; I selected YES. I left all of the default security elements selected. I clicked FINISH. SDM detected that the DHCP Client is on the outside untrusted interface and asked if I wanted to allow DHCP traffic through the firewall. I selected YES. The configuration was delivered.

Saved the running-config to startup-config and reloaded the router.

Released and renewed my IP address and logged back into the 1711 using the new username and password. Restarted SDM.

Started the configuration task and selected Configure an Easy VPN Server.

The opening screen had a prompt to enable AAA. I launched the selected task after the AAA commands were delivered to the router.

I selected interface FastEthernet0 from the pulldown menu
IKE Proposals - Selected the default all
Transform Set - Selected the default all
Group Authorization / Policy Lookup - Selected Local Only
Add username: user1
Password: local1
Encrypt with MD5
Privilege: 2
Group Authorization / User Group Policies
Add group policy: tunnel
Preshared Key: sharedkey
Selected New Address Pool: 10.1.1.80 to 10.1.1.90
Test after configuring button selected.

Leaving that screen, there was an SDM warning about the NAT rules with ACLs needing to be converted to NAT rules with Route Maps. I clicked YES to let SDM convert the rules.

The Easy VPN Server tests successfully and the client screen shows a warning about 'crypto ipsec df-bit clear' needing to be set. There wasn't any way to set this within SDM and the search function had no hits.

I copied the running-config to the startup-config and tested the router from a dialup connection using another ISP.

The results:

The SDM Monitor screen shows the client connection but the client can't ping any host on the router LAN. No one on the LAN can ping the VPN client's Easy VPN assigned IP address, but they can ping the client using the ISP-assigned IP address.

It appears that SDM is not correctly configuring the 1711 to route from the VPN interface to the LAN.

I am attaching my 1711's Running Configuration that was generated by SDM.

Accepted Solution

Hi,

I think the reason why the ping is not successful is that your LAN (connected to the VLAN interface) IP address and the pool of IP addresses assigned to the client are in the same network.

Can you try assigning a pool of IP addresses for VPN clients which is in a different subnet (say 10.1.2.80 to 10.1.2.90) and then again try to ping?

You can edit the pool through Configure -> Additional Tasks -> Local Pools.

You can then disconnect the client in the Monitoring page and connect it again.

Regards,

Ravikumar
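The diagnosis above, that the Easy VPN pool (10.1.1.80 to 10.1.1.90) sits inside the LAN subnet 10.1.1.0/24, is the kind of thing that can be checked mechanically before the pool is ever handed to a client. The script below is an added example, not part of this thread and not SDM's or IOS's own tooling: it parses a constructed IOS fragment (the interface, pool and crypto group lines are assumptions that mirror the values posted above, not the attached running-config) and flags every `ip local pool` range that overlaps a directly connected subnet. The second fragment carries the fix suggested in the answer, with the pool moved to 10.1.2.0/24.

```python
"""Flag Easy VPN client pools that overlap a directly connected subnet.

Added example: the config fragments are constructed to mirror the thread and
are not the poster's attached running-config.
"""
import ipaddress
import re

# Constructed fragment: VLAN1 is 10.1.1.0/24 and the SDM-created pool 'tunnel'
# hands out 10.1.1.80-10.1.1.90 from that same subnet (the broken state).
BROKEN_CONFIG = """
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
ip local pool tunnel 10.1.1.80 10.1.1.90
!
crypto isakmp client configuration group tunnel
 key sharedkey
 pool tunnel
"""

# Same fragment with the pool moved to a different subnet, as the answer suggests.
FIXED_CONFIG = BROKEN_CONFIG.replace("10.1.1.80 10.1.1.90", "10.1.2.80 10.1.2.90")

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)")


def connected_subnets(config):
    """Return {interface_name: IPv4Network} for every interface with a static address."""
    subnets = {}
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and current:
            # ip_interface accepts the dotted netmask form IOS prints.
            subnets[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return subnets


def local_pools(config):
    """Return {pool_name: (first_address, last_address)} for each 'ip local pool'."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools


def ranges_overlap(first, last, net):
    """True when the inclusive range [first, last] shares any address with net."""
    return first <= net.broadcast_address and last >= net.network_address


def pool_conflicts(config):
    """List (pool, interface, subnet) for every pool overlapping a connected subnet."""
    conflicts = []
    subnets = connected_subnets(config)
    for name, (first, last) in local_pools(config).items():
        for iface, net in subnets.items():
            if ranges_overlap(first, last, net):
                conflicts.append((name, iface, str(net)))
    return conflicts


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        found = pool_conflicts(cfg)
        print(f"{label}: {found if found else 'no pool overlaps a connected subnet'}")
```

The rule the check enforces is the one behind the answer: the router and every LAN host already treat 10.1.1.0/24 as directly connected, so a client address drawn from that range is resolved on the LAN segment instead of being routed into the tunnel, and replies never reach the client. Keeping the pool in a subnet that exists only behind the VPN server avoids that.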


4 Replies

reswaran
Cisco Employee

Hi,

I looked into your configuration. It looks correct. Can you please let me know the answers to the following queries?

1. What is your VPN client? Is it a software VPN client or a hardware VPN client (i.e., a router or VPN Concentrator acting as Easy VPN Client)?

2. You have said that SDM Monitor shows the client connection. What is the status of the client connection?

3. If possible, when the client is connected, can you send me the output of the following commands?

a. show ip route

b. show crypto session detail

Thanks,

Ravikumar


Ravikumar:

That fixed the problem. It probably should be in the 'Frequently Asked Question' topic list. I still need to get my Microsoft Network Neighborhood and drive shares working. I noticed that there were a lot of hints about 'Microsoft Network Issues' topics in this forum. I'll start searching.

Thank You

Tom
