12-09-2013 10:49 PM
Hi,
I need help with my VPN configuration. I was able to authenticate to my VPN using AnyConnect, and I can also ping the IP of the router and access its CLI; the problem is that I cannot connect to other network resources.
Please see the configuration below, which I got from the Cisco website. I think this is a pretty basic configuration; I'm quite new to configuring VPNs, so I really need some help to understand much of its configuration. Thank you very much!
Building configuration...
Current configuration : 2288 bytes
!
! Last configuration change at 05:52:55 UTC Tue Dec 10 2013
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable password 12345678
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
username cisco password 0 c1sc0
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key cisco123
pool ippool
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.100.210 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 1.1.1.1 255.255.255.192
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map clientmap
!
ip local pool ippool 10.5.5.10 10.5.5.15
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 111 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.254
!
access-list 101 permit ip 192.168.100.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 101 permit ip any any
access-list 111 deny ip 192.168.100.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 111 permit ip any any
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
password 12345678
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
password 12345678
transport input all
!
scheduler allocate 20000 1000
!
end
12-10-2013 08:37 AM
Try removing the line
access-list 101 permit ip any any
It sounds like you want to setup split tunneling, but with the access-list 101 permit ip any any line you end up tunneling all.
12-12-2013 06:37 PM
Hi Sir,
I've already removed the line as advised, but the problem still persists.
12-13-2013 06:21 AM
Jon, can you clarify what other resources it is you're trying to reach? Is it something behind the VPN router, i.e. resources on its LAN interface, or is it resources on the network your client is located on? Every network you'll want to reach behind the VPN router will need to be defined in access-list 101, and then it would have to be denied in access-list 111. To enable local LAN access you'd also have to set it in the client's AnyConnect options.
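As an added illustration of the two rules given in the replies above (this is not code from the thread), a small Python checker that parses the posted access-list lines, flags a split-tunnel list that contains `permit ip any any` (tunnel-all), and flags any split-tunnel network that the NAT list would still translate. The ACL numbers and the sample lines are taken from the original post; everything else is assumed.

```python
import ipaddress

# Constructed sample: the four ACL lines from the original post (split-tunnel
# list 101 pushed to the client, NAT "inside source list" 111).
SAMPLE_CONFIG = """
access-list 101 permit ip 192.168.100.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 101 permit ip any any
access-list 111 deny ip 192.168.100.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 111 permit ip any any
"""


def _endpoint(tokens):
    """Consume one ACL endpoint: 'any', 'host A.B.C.D' or 'network wildcard'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # A Cisco wildcard mask is the bitwise inverse of the subnet mask.
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_acls(config_text):
    """Map ACL number -> ordered [(action, src_net, dst_net)] for 'ip' entries."""
    acls = {}
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        if tok[2] not in ("permit", "deny"):
            continue
        src, rest = _endpoint(tok[4:])
        dst, _ = _endpoint(rest)
        acls.setdefault(int(tok[1]), []).append((tok[2], src, dst))
    return acls


def _nat_exempt(nat_entries, src, dst):
    """First matching NAT-list entry wins; 'deny' (or no match) means not translated."""
    for action, nsrc, ndst in nat_entries:
        if src.subnet_of(nsrc) and dst.subnet_of(ndst):
            return action == "deny"
    return True


def check_split_tunnel(acls, split_acl=101, nat_acl=111):
    """Apply the two rules from the thread and return a list of finding strings."""
    findings = []
    for action, src, dst in acls.get(split_acl, []):
        if action != "permit":
            continue
        if src.prefixlen == 0 and dst.prefixlen == 0:
            findings.append(f"acl {split_acl}: 'permit ip any any' tunnels all traffic")
        elif not _nat_exempt(acls.get(nat_acl, []), src, dst):
            findings.append(f"acl {nat_acl}: {src} -> {dst} is not exempted from NAT")
    return findings
```

Running `check_split_tunnel(parse_acls(SAMPLE_CONFIG))` on the posted lines reports only the tunnel-all entry; with that line removed, as suggested in the first reply, the list comes back empty.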
12-15-2013 06:10 PM
Hi William,
Thanks for your reply.
I'm trying to access the whole 192.168.100.0 network, and yes, it is behind the VPN router. If I want to access 192.168.100.0, is the configuration below correct? FYI, this is what I've already defined in my configuration.
access-list 101 permit ip 192.168.100.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 111 deny ip 192.168.100.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 111 permit ip any any
May I also ask what I need to change in AnyConnect? Thank you very much.