VPN client - IOS Router - remote LAN problem

piotrc
Level 1

I have a 2611XM with VPN server. After connecting from a PC with the VPN Client I can ping only the local addresses of the router. I can't even ping the other side of the point-to-point link.

Below is part of the router configuration:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
enable secret 5 <removed>
!
aaa new-model
!
aaa authentication login default group tacacs+
aaa authentication login no_tacacs enable
aaa authentication login userauthen group tacacs+
aaa authentication ppp default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization network default group tacacs+ if-authenticated
aaa authorization network groupauthor local
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa session-id common
ip subnet-zero
ip cef
!
no ip domain lookup
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group VPN-GROUP
 key <removed>
 domain <removed>
 pool vpnpool
!
crypto ipsec transform-set vpncypset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set vpncypset
!
crypto map clientmap local-address Loopback98
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Loopback0
 ip address 172.31.97.203 255.255.255.255
!
interface Loopback26
 ip address 10.0.26.254 255.255.255.252
!
interface Loopback98
 description VPN termination
 ip address X.Y.Z.23 255.255.255.255
 crypto map clientmap
!
interface Loopback254
 ip address 10.0.254.26 255.255.255.255
!
interface Tunnel98
 description Internet VPN
 ip address X.Y.Z.54 255.255.255.252
 ip nat inside
 tunnel source 10.0.254.26
 tunnel destination 10.0.10.6
 crypto map clientmap
!
interface Tunnel99
 description Main internet access
 bandwidth 1024
 ip address 10.0.26.81 255.255.255.252
 ip nat outside
 tunnel source 10.0.254.26
 tunnel destination 10.10.0.3
 tunnel mode ipip
!
interface FastEthernet0/0
 description To other NET interface
 ip address 172.31.99.253 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 bandwidth 2048
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial0/0.101 point-to-point
 bandwidth 256
 ip address 172.31.97.25 255.255.255.252
 ip nat inside
 frame-relay interface-dlci 101
!
interface FastEthernet0/1
 description Local address
 ip address 10.10.26.193 255.255.0.0
 ip nat outside
 duplex auto
 speed auto
!
ip local policy route-map VPN_OUT
ip local pool vpnpool 172.31.89.1 172.31.89.254
ip nat inside source list OtherNetAccess_acl interface Tunnel99 overload
ip nat inside source static network 172.31.0.0 172.26.0.0 /16
ip nat outside source static 10.0.10.80 172.31.96.80
ip nat outside source static 10.4.1.200 172.31.96.200
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.26.82
ip route 10.0.26.0 255.255.255.0 10.10.0.2
ip route 10.4.1.0 255.255.255.0 10.10.0.1
ip route 172.31.89.0 255.255.255.0 X.Y.Z.53
ip route 172.31.96.80 255.255.255.255 10.0.26.82
ip route 172.31.96.200 255.255.255.255 10.10.0.1
!
ip access-list standard IN-MY-NET_acl
 permit 172.31.96.0 0.0.0.255
 permit 172.31.89.0 0.0.0.255
ip access-list standard VPN_OUT_acl
 permit X.Y.Z.23
ip access-list standard OtherNetAccess_acl
 permit 10.35.0.0 0.0.255.255
!
route-map IN-MY-NET permit 10
 match ip address IN-MY-NET_acl
!
route-map VPN_OUT permit 10
 description VPN Clients out
 match ip address VPN_OUT_acl
 set ip next-hop X.Y.Z.53
!
tacacs-server host 10.4.1.7 key 7 <removed>
!
line con 0
 login authentication no_tacacs
line aux 0
line vty 0 4
 session-timeout 25
 password 7 <removed>

mchin345
Level 6

I see that RRI configuration is missing in your router configuration. Reverse Route Injection is used to advertise your client's IP address to the internal LAN. After RRI is configured and when your client connects to the VPN server, the server installs a static route on the server. You then will have to redistribute this to your internal LAN so that the internal LAN devices can reach the VPN client. Once the client disconnects, this static route is removed.

Configure this under the group command:

crypto isakmp client configuration group VPN-GROUP
 key
 domain
 pool vpnpool
 rri

Hope that helps.
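Added example, not code from either poster: a small Python check that parses a running-config in the indented `show running-config` layout and flags every dynamic crypto map bound by a `crypto map ... ipsec-isakmp dynamic` line whose entries lack the IOS `reverse-route` statement (the dynamic-map subcommand that turns on RRI). The sample input is a constructed excerpt of the configuration posted above, where `dynmap` carries only a transform-set.

```python
import re

# Constructed excerpt of the configuration posted above: the dynamic map
# "dynmap" carries only a transform-set and no reverse-route statement.
SAMPLE_CONFIG = """\
crypto dynamic-map dynmap 10
 set transform-set vpncypset
!
crypto map clientmap local-address Loopback98
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
ip local pool vpnpool 172.31.89.1 172.31.89.254
"""

def parse_sections(config):
    """Split IOS config text into (top-level line, [sub-command lines]).
    Sub-commands are the indented lines following a top-level line;
    blank lines and '!' separators are ignored."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections

def dynamic_maps_without_rri(config):
    """Names of dynamic crypto maps that are attached to a crypto map but
    whose entries lack 'reverse-route', so no route to the client's
    assigned address is installed when a tunnel comes up."""
    rri_ok = {}         # dynamic-map name -> every entry has reverse-route
    referenced = set()  # dynamic-map names bound by 'crypto map ... dynamic'
    for header, body in parse_sections(config):
        m = re.match(r"crypto dynamic-map (\S+) \d+$", header)
        if m:
            entry_ok = any(l.startswith("reverse-route") for l in body)
            rri_ok[m.group(1)] = rri_ok.get(m.group(1), True) and entry_ok
            continue
        m = re.match(r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", header)
        if m:
            referenced.add(m.group(1))
    return sorted(n for n in referenced if not rri_ok.get(n, False))

if __name__ == "__main__":
    missing = dynamic_maps_without_rri(SAMPLE_CONFIG)
    print("dynamic maps missing reverse-route:", missing or "none")
```

The static routes RRI installs still have to be redistributed into whatever the internal LAN uses for routing, as the reply notes; this check only confirms the injection itself is enabled.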