08-16-2012 05:34 AM
Hi All,
I'm trying to configure a VPN on my 1841 for remote access, and the problem
is that I cannot ping the internal network from the remote client (PC + Cisco VPN Client).
I can ping 10.12.0.21, which is the internal IP of my router.
Please advise me, thanks
config:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1841FIBER
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
!
aaa session-id common
memory-size iomem 15
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name alturna
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3244106629
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3244106629
revocation-check none
rsakeypair TP-self-signed-3244106629
!
!
crypto pki certificate chain TP-self-signed-3244106629
certificate self-signed 01
quit
!
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxx
username cisco privilege 15 password 7 xxxxxxxxxxxxxxxxxxxxxxx
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto isakmp client configuration group cisco
key cisco
pool dpool
acl 101
crypto isakmp profile vi
match identity group cisco
isakmp authorization list default
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set set esp-3des esp-sha-hmac
!
crypto ipsec profile vi
set transform-set set
set isakmp-profile vi
!
!
!
!
ip ssh version 2
!
policy-map FOO
class class-default
shape average 1280000
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
description CONNECTED_TO_FTTH
ip address XXXXXXXXXXX 255.255.255.248
ip access-group 100 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
description CONNECTED_TO_DATA_VLAN
ip address 10.12.0.21 255.255.255.0
ip nat inside
ip virtual-reassembly
negotiation auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/1
tunnel source FastEthernet0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile vi
service-policy output FOO
!
router eigrp 1
network 10.0.0.0
network 192.168.20.0
no auto-summary
!
ip local pool dpool 5.0.0.1 5.0.0.3
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 XXXXXXXXX permanent
no ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 10.12.0.0 0.0.0.255
access-list 100 deny tcp any any eq telnet
access-list 100 deny tcp any any eq 22
access-list 100 deny tcp any any eq www
access-list 100 permit ip any any
access-list 101 permit ip 10.12.0.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
ntp server 213.239.154.12
ntp server 212.45.32.36
ntp server 109.72.80.61
ntp server 87.251.35.240
end
08-16-2012 06:21 AM
You can try disabling NAT from 10.12.0.0 to 5.0.0.1.
Do you really want to route all traffic from the PC into the tunnel?
If you do not want this, you must make a split-tunnel.
------------------------------------------------------
Helping seriously ill children, all together. All information about this, is posted on my blog
08-16-2012 06:54 AM
Hi Oleg,
I want the remote PCs to have access to the internal network (10.12.0.0) only.
How can I disable NAT only for the 5.0.0.0 subnet and configure the split-tunnel?
Thanks a lot.
08-16-2012 08:09 AM
You can try to do this:
ip access-list extended RVPNACL
permit ip 10.12.0.0 0.0.0.255 5.0.0.0 0.0.0.255
ip access-list extended NATACL
deny ip 10.12.0.0 0.0.0.255 5.0.0.0 0.0.0.255
permit ip any any
crypto isakmp client configuration group cisco
netmask 255.255.255.0
no acl 101
acl RVPNACL
no ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source list NATACL interface FastEthernet0/1 overload
------------------------------------------------------
Helping seriously ill children, all together. All information about this, is posted on my blog
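To show why the suggested NATACL fixes the problem while the original access-list 1 does not, here is an added example (not from the thread or from Cisco) that evaluates the three access lists with Cisco wildcard-mask semantics and first-match-wins ordering; the host addresses 10.12.0.50, 5.0.0.1 and the Internet destination 198.51.100.10 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

@dataclass
class Ace:
    """One access-list entry. A standard ACL only looks at the source,
    which is modelled here as destination 'any' (0.0.0.0 255.255.255.255)."""
    action: str
    src: str
    src_wc: str
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"

def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry decides; an ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and \
           wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action == "permit"
    return False

# Original config: access-list 1 permit 10.12.0.0 0.0.0.255 (source only).
ACL_1 = [Ace("permit", "10.12.0.0", "0.0.0.255")]

# Suggested: ip access-list extended NATACL. The deny must come first,
# otherwise the later 'permit ip any any' would match LAN-to-pool traffic.
NATACL = [
    Ace("deny", "10.12.0.0", "0.0.0.255", "5.0.0.0", "0.0.0.255"),
    Ace("permit", "0.0.0.0", "255.255.255.255"),
]

# Suggested split-tunnel list RVPNACL, written from the router's side:
# the permit's source network (10.12.0.0/24) is what the client will route
# into the tunnel; everything else stays on the client's local Internet path.
RVPNACL = [Ace("permit", "10.12.0.0", "0.0.0.255", "5.0.0.0", "0.0.0.255")]

def is_translated(nat_acl, src: str, dst: str) -> bool:
    """'ip nat inside source list X' translates a flow only if X permits it."""
    return acl_permits(nat_acl, src, dst)

def tunnelled_from_client(split_acl, lan_host: str, client_ip: str) -> bool:
    """Does the client send traffic for lan_host through the tunnel?"""
    return acl_permits(split_acl, lan_host, client_ip)
```

With access-list 1 the reply from a LAN host to the VPN client (10.12.0.50 to 5.0.0.1) is still NAT-translated and leaves via the WAN address, which is why the client could reach the router but not hosts behind it; NATACL exempts exactly that flow while Internet-bound traffic is still translated.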
08-17-2012 03:50 AM
Hi, still the same problem.
I can ping the router's internal address, but I cannot access the network devices.
Thanks for your help.
08-17-2012 05:10 AM
Do you remember: if your router with the VPN does not work as the default gateway on your PC, you must manually set a route to the remote network on your PC.
Also, you can debug NAT translation on the router. Traffic from one LAN to the other remote LAN must not be NAT translated.
------------------------------------------------------
Helping seriously ill children, all together. All information about this, is posted on my blog
08-17-2012 05:39 AM
Hi Oleg,
First, thanks for your answers. Finally I configured an EZVPN again with CCP
before configuring the NAT, and now it is working perfectly.
Thanks