777 Views · 9 Helpful · 2 Replies

VPN config fail

CSCO11638397
Level 1

Hi,

I have recently configured a site-to-site VPN on a Cisco 800 series router; the ISP provides us a public IP. The configuration below is working for internet access, but when I apply the crypto map command under interface Dialer0 the internet connection goes down. I cannot ping outside either. Please look into the config and advise.

hostname VPN
!
aaa new-model
!
aaa authentication login default local
aaa authorization network default local
!
aaa session-id common
!
dot11 syslog
ip cef
ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.202
!
ip dhcp pool LOCAL
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1 255.255.255.0
   lease 8
!
username user password 0 cisco
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco.12345 address xx.xx.yy.yy
!
crypto ipsec transform-set VPN1 esp-3des esp-md5-hmac
!
crypto map LOCACTION1-VPN 10 ipsec-isakmp
 set peer xx.xx.yy.yy
 set transform-set VPN1
 match address 130
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname **username**
 ppp chap password 0 **password**
 ppp pap sent-username **username** password 0 **password**
 crypto map LOCACTION1-VPN
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 120 interface Dialer0 overload
!
access-list 120 permit ip any any
access-list 130 permit ip any any
!
control-plane
!
line con 0
 no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end

NOTE: I tried configuring a separate sub-interface for ATM0 (interface ATM0.2 point-to-point) and gave it the values, but the problem is still the same.

Accepted Solution

While I do understand the logic of John's suggestion to post in the VPN forum, I believe that this post is about problems that are not just VPN related and therefore posting in this forum is appropriate from my point of view.

Part of the reason why Internet access fails when the crypto map is applied is that the access list used for the IPSec encryption does a permit ip any any. So when the crypto map is applied to the interface then ALL traffic is encrypted and attempts to go through the VPN. So in a sense this problem is a problem with routing since you have introduced a condition that changes how you attempt to forward traffic to the Internet.

I will also point out that the access list used to control address translation also does a permit ip any any. So as you try to send traffic out the VPN you will also be trying to translate the addresses. I believe that this also causes a problem.

So the solution to the issues is probably to rewrite access lists 120 and 130 to more specifically identify what traffic should go through the VPN and what traffic should have its address translated.

HTH

Rick

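As an added example (not part of the original thread or the poster's config), here is one way to rewrite access lists 120 and 130 along the lines Rick describes: the crypto ACL matches only LAN-to-remote-LAN traffic, and the NAT ACL exempts that same traffic so it is not translated before it enters the tunnel. The thread does not give the LAN behind the remote peer, so 192.168.10.0/24 is an assumed placeholder:

```cisco
! Added example, not from the original post. The remote (peer) LAN 192.168.10.0/24 is assumed.
!
! ACL 130 is the crypto map's "interesting traffic" list. With only the
! LAN-to-remote-LAN entry, Internet-bound packets no longer match the crypto
! map and are simply routed out Dialer0 as before.
no access-list 130
access-list 130 remark VPN traffic: local LAN to remote LAN only
access-list 130 permit ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
!
! ACL 120 is the NAT source list. The deny entry keeps VPN traffic on its
! private source address (NAT would otherwise rewrite it to the Dialer0 IP
! and it would no longer match ACL 130); the permit overloads the rest of the LAN.
no access-list 120
access-list 120 remark NAT: exempt VPN traffic, translate the rest of the LAN
access-list 120 deny   ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 any
!
! "crypto map LOCACTION1-VPN" on Dialer0 and "ip nat inside source list 120"
! reference these lists by number, so they pick up the new entries unchanged.
```

After replacing the lists, clear any security associations that were negotiated with the old any/any proxy identities (`clear crypto sa`), then check that a ping from the LAN to an Internet host shows up in `show ip nat translations` while a ping to the remote LAN increments the encaps/encrypt counters in `show crypto ipsec sa`. The peer's crypto ACL must be the mirror image (its LAN to 192.168.2.0/24) or Phase 2 will fail on a proxy identity mismatch. Separately from the routing issue, `esp-3des esp-md5-hmac` is a legacy transform set; AES and SHA-2 are preferred where both peers support them.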

2 Replies

johnlloyd_13
Level 9

Hi Mohamed,

Please move your post to the Security section (VPN) so that I or other folks can help you troubleshoot. Thanks!
