02-05-2003 11:33 AM - edited 02-21-2020 12:20 PM
Can anyone help with this strange problem I'm having with configuring VPN on the Cisco. I can connect with the Cisco Client successfully, but I can only telnet to the devices which are not in access list 101:
access-list 101 permit ip 10.3.200.0 0.0.0.255 any
access-list 101 permit ip 10.3.100.0 0.0.0.255 any
route-map NIC permit 5
match ip address 101
set default interface FastEthernet0/1
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 permanent
The interfaces are configured as below and we're using NAT.
interface FastEthernet0/0
ip address 10.3.1.1 255.255.0.0
ip nat inside
ip policy route-map NIC
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address XXX.XXX.XXX.XXX 255.255.255.192
ip nat outside
duplex auto
speed auto
no cdp enable
crypto map clientmap
Is NAT causing the problem???
02-05-2003 12:27 PM
Hi,
It seems that you are permitting the access-list 101 to go through and get NATted. Is that what you want to achieve? The following should provide the help you need to get NAT and IPsec to work together here hand in hand:
http://www.cisco.com/warp/public/707/25.shtml
Hope this helps,
Regards,
Aamir Waheed
Cisco Systems, Inc
CCIE#8933
-=-
02-06-2003 12:45 AM
I'm still unsure on the configuration changes. I have pasted the whole configuration below to make it easier to help. I can connect to the router successfully using the Cisco client, but can only contact devices that aren't specified on access-list 101 - I believe this is because NAT is being used on these addresses. How can I still use NAT, but still contact the devices on access-list 101? Please help me with what changes I need.
Many thanks and much appreciated, Bryan.
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group XXXXXX
key XXXXXX
pool nicvpnpool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
isdn switch-type basic-net3
isdn voice-call-failure 0
!
mta receive maximum-recipients 0
!
!
interface FastEthernet0/0
ip address 10.1.1.3 255.255.0.0
ip nat inside
ip policy route-map niclan
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description Kingston Internet
ip address 21X.X.X.X 255.255.XXX.XXX
ip nat outside
duplex auto
speed auto
no cdp enable
crypto map clientmap
!
ip local pool nicvpnpool 10.2.1.1 10.2.1.254
ip nat translation timeout 119
ip nat inside source list 101 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 21X.XXX.XXX.XXX permanent
no ip http server
!
access-list 101 remark Internet
access-list 101 permit ip 10.1.4.0 0.0.0.255 any
access-list 101 permit ip 10.1.3.0 0.0.0.255 any
!
route-map niclan permit 5
match ip address 101
set default interface FastEthernet0/1
!
radius-server authorization permit missing Service-Type
no call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
banner login
########################################
# #
# #
# #
# #
# UNAUTHORISED ACCESS PROHIBITED #
########################################
!
line con 0
exec-timeout 0 0
privilege level 0
password 7 XXXXXXXXXXXX
line aux 0
line vty 0 4
access-class 2 in
exec-timeout 0 0
privilege level 0
password 7 XXXXXXXXXX
!
!
end
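Added example (editor's illustration, not code from the thread or from Cisco): a small first-match evaluator for IOS standard/extended ACL lines with wildcard masks, run against the access-list 101 posted above. It shows why a host on 10.1.3.0/24 or 10.1.4.0/24 replying to a VPN client is selected for translation by `ip nat inside source list 101 ...` while a host outside those subnets is not, and what the same check returns once deny entries for the VPN pool are placed ahead of the permits (the NAT-exemption pattern the linked Cisco document describes). The pool 10.2.1.0/24 is taken from the posted `ip local pool nicvpnpool`; the exempted ACL text, the sample addresses and the helper names `parse_acl`, `evaluate` and `will_be_natted` are assumptions made here for illustration.

```python
"""First-match evaluation of an IOS access-list, applied to the NAT ACL
posted in the thread.  Editor's added example; the exempted ACL, sample
hosts and function names are constructed for illustration only."""
import ipaddress
from typing import List, Optional, Tuple

# (action, protocol, src, src_wildcard, dst, dst_wildcard, original line)
Entry = Tuple[str, str, int, int, int, int, str]


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one IOS address spec starting at tokens[i].

    Returns (address, wildcard, next_index).  'any' is 0.0.0.0 with an
    all-ones wildcard; 'host A' is A with an all-zeros wildcard."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tok)),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N permit|deny ip SRC DST' lines; remarks are skipped."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        src, swc, i = _parse_addr(t, 4)
        dst, dwc, _ = _parse_addr(t, i)
        entries.append((action, proto, src, swc, dst, dwc, line.strip()))
    return entries


def _matches(ip: int, addr: int, wild: int) -> bool:
    """IOS wildcard semantics: bits set in the wildcard are 'don't care'."""
    keep = ~wild & 0xFFFFFFFF
    return (ip & keep) == (addr & keep)


def evaluate(entries: List[Entry], src_ip: str, dst_ip: str) -> Tuple[str, Optional[str]]:
    """Return (action, matching line) for the first entry that matches,
    or ('deny', None) for the implicit deny at the end of every IOS ACL."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for action, _proto, sa, sw, da, dw, text in entries:
        if _matches(s, sa, sw) and _matches(d, da, dw):
            return action, text
    return "deny", None


def will_be_natted(acl_text: str, src_ip: str, dst_ip: str) -> bool:
    """'ip nat inside source list 101 ...' translates a flow only if the
    list permits it, so a permit here means the packet leaves translated."""
    action, _ = evaluate(parse_acl(acl_text), src_ip, dst_ip)
    return action == "permit"


# ACL exactly as posted in the thread.
POSTED_ACL = """
access-list 101 remark Internet
access-list 101 permit ip 10.1.4.0 0.0.0.255 any
access-list 101 permit ip 10.1.3.0 0.0.0.255 any
"""

# Constructed variant: deny LAN -> VPN pool (10.2.1.0/24, from the posted
# 'ip local pool') before the permits, so that traffic is never translated.
EXEMPTED_ACL = """
access-list 101 remark Internet
access-list 101 deny   ip 10.1.4.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 101 deny   ip 10.1.3.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 101 permit ip 10.1.4.0 0.0.0.255 any
access-list 101 permit ip 10.1.3.0 0.0.0.255 any
"""

if __name__ == "__main__":
    # Sample hosts are constructed: a listed LAN host, an unlisted LAN host,
    # a VPN client from the pool and an arbitrary Internet address.
    cases = [("10.1.4.20", "10.2.1.5"), ("10.1.1.50", "10.2.1.5"),
             ("10.1.4.20", "198.51.100.7")]
    for name, acl in (("posted", POSTED_ACL), ("exempted", EXEMPTED_ACL)):
        for src, dst in cases:
            action, line = evaluate(parse_acl(acl), src, dst)
            print(f"{name:9} {src:>11} -> {dst:<14} {action:6} {line or '(implicit deny)'}")
```

With the posted list, the reply from 10.1.4.20 to the VPN client 10.2.1.5 is permitted and therefore translated, while 10.1.1.50 (not in the list) is left alone, which matches the symptom Bryan reports. With the deny entries in front, LAN-to-pool traffic is exempt and Internet-bound traffic from the same hosts is still translated. One caveat worth checking before changing the list on the router: the same ACL 101 also feeds `ip policy route-map niclan`, so any edit changes what gets policy-routed as well; using a separate list for NAT keeps the two decisions independent.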