vpn connection issue

aconticisco

Level 2

Hello,

I managed to set up a 1721 router as a VPN server, connecting to it using a Cisco VPN client; however, although I am obtaining an IP address as defined in the DHCP pool, I am unable to communicate with the remote network, and I also have no Internet as soon as I connect.

Is there anything in particular that might cause this connection issue, or maybe you can refer me to a link which can help further?

Thanks!

5 Replies

raga.fusionet

Level 4

Hello,

First, I would check that you are using an IP pool on a different subnet from the physical network to which you are trying to connect. For example, if your internal subnet is 10.10.10.0/24, your VPN pool should be on a different subnet, for example 10.10.20.0/24.

Once you have checked that, I would check that you are doing a NAT bypass for the VPN traffic. You need to deny the traffic between the internal subnet and the IP pool. With the subnets I used above, your NAT config should look something like:

access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

access-list 100 permit ip 10.10.10.0 0.0.0.255 any

ip nat inside source list 100 interface FastEthernet1/0 overload

That should allow you to get access to the internal hosts.

Now, about the Internet access: you need to enable split tunneling. To do this you would need to create a separate ACL and specify the traffic that needs to be encrypted (traffic between your internal subnet(s) and your VPN pool). Using again the subnets I mentioned above, it should look something like:

access-list 150 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

Then apply that ACL to your VPN group, e.g.:

crypto isakmp client configuration group vpnclient

acl 150

Here is a config example that explains this type of config:

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

I hope this helps.

Raga
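As an added example, not part of Raga's reply or of any Cisco tool: a small Python checker that parses the statements Raga's three points depend on (the NAT `access-list` and `ip nat inside source list` line, the `crypto isakmp client configuration group` block with its `pool` and `acl`, and the `ip local pool`) and flags a pool that overlaps the LAN, a NAT list that is missing or lacks the LAN-to-pool deny ahead of the permit, and a group with no split-tunnel ACL. The sample config is constructed from the snippet in the reply as originally posted, including its mismatch between the ACL that is defined (100) and the list the NAT statement references (111); `audit`, `Config` and the finding strings are this example's own names.

```python
"""Static check of an IOS Easy VPN server snippet for the three points Raga lists:
pool on its own subnet, NAT bypass for LAN<->pool traffic, split-tunnel ACL on the group."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")

# Constructed sample: the snippet from the reply above as posted, including the
# mismatch between the ACL that is defined (100) and the list NAT references (111).
SAMPLE_CONFIG = """\
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list 111 interface FastEthernet1/0 overload
access-list 150 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
crypto isakmp client configuration group vpnclient
 key example-preshared-key
 pool VPNPOOL
 acl 150
ip local pool VPNPOOL 10.10.20.1 10.10.20.50
"""


def _net(addr: str, wildcard: str) -> Net:
    """IOS address + wildcard -> network; the wildcard is the inverted netmask."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return Net(f"{addr}/{mask}", strict=False)


def _operand(t: List[str], i: int) -> Tuple[Net, int]:
    """Parse one ACL address operand (any | host A | A WILDCARD); return it and the next index."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return Net(f"{t[i + 1]}/32"), i + 2
    return _net(t[i], t[i + 1]), i + 2


class Config:
    """The handful of statements the audit needs, pulled out of running-config text."""

    def __init__(self, text: str) -> None:
        self.acls: Dict[str, List[Tuple[str, Net, Net]]] = {}   # number -> [(action, src, dst)]
        self.nat_lists: List[str] = []                            # lists named by 'ip nat inside source list'
        self.groups: Dict[str, Dict[str, str]] = {}               # group -> {'pool': .., 'acl': ..}
        self.pools: Dict[str, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = {}
        group: Optional[str] = None
        for raw in text.splitlines():
            t = raw.split()
            if not t or t[0] == "!":
                continue
            if raw[0].isspace() and group is not None:   # indented line inside a group block
                if t[0] in ("pool", "acl"):
                    self.groups[group][t[0]] = t[1]
                continue
            group = None
            if t[0] == "access-list" and t[2] in ("permit", "deny") and t[3] == "ip":
                src, i = _operand(t, 4)
                dst, _ = _operand(t, i)
                self.acls.setdefault(t[1], []).append((t[2], src, dst))
            elif raw.startswith("ip nat inside source list "):
                self.nat_lists.append(t[5])
            elif raw.startswith("crypto isakmp client configuration group "):
                group = t[5]
                self.groups[group] = {}
            elif raw.startswith("ip local pool "):
                self.pools[t[3]] = (ipaddress.IPv4Address(t[4]), ipaddress.IPv4Address(t[5]))


def _first_match(entries, src, dst) -> Optional[str]:
    """Action of the first ACE matching src->dst, or None for the implicit deny."""
    for action, s, d in entries:
        if src in s and dst in d:
            return action
    return None


def audit(text: str, lan: str) -> List[str]:
    """Return findings (an empty list means all three checks pass) for LAN subnet `lan`."""
    cfg, lan_net, findings = Config(text), Net(lan), []
    lan_host = lan_net.network_address + 1          # any LAN host will do for ACL matching
    for name, g in cfg.groups.items():
        pool = cfg.pools.get(g.get("pool", ""))
        if pool is None:
            findings.append(f"{name}: pool not defined")
            continue
        start, end = pool
        if start in lan_net or end in lan_net:
            findings.append(f"{name}: pool {start}-{end} overlaps LAN {lan_net}")
        for nat_list in cfg.nat_lists:
            entries = cfg.acls.get(nat_list)
            if entries is None:
                findings.append(f"nat: list {nat_list} referenced but not defined")
            elif _first_match(entries, lan_host, start) == "permit":
                findings.append(f"nat: list {nat_list} translates LAN->pool traffic (no NAT bypass)")
        acl = g.get("acl")
        if acl is None:
            findings.append(f"{name}: no split-tunnel acl, client sends all traffic into the tunnel")
        elif acl not in cfg.acls:
            findings.append(f"{name}: split-tunnel acl {acl} not defined")
        elif _first_match(cfg.acls[acl], lan_host, start) != "permit":
            findings.append(f"{name}: acl {acl} does not cover LAN->pool, so LAN traffic is not tunnelled")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, "10.10.10.0/24") or ["ok"]:
        print(line)
```

Run against the sample as posted, the only finding is the undefined NAT list 111; once the NAT statement points at list 100 the checks pass. Dropping the `deny` line from ACL 100 makes the LAN-to-pool flow hit the `permit` first, which is the "no NAT bypass" case, and dropping `acl 150` from the group reports full tunnelling, which is the state in which the client has no Internet access unless the router also NATs the decrypted client traffic back out. The parser covers only the `list` form of NAT and numbered ACLs with the `ip` protocol, which is what the snippet uses.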

Did you specify which networks you're capable of getting to?

You can be assigned a DHCP address, but depending on your rules you can be stopped from accessing non-allowed networks.

aconticisco

Level 2

My current setup consists of just a 1721 router with an Ethernet connection for the local network and an ADSL card for the WAN connection. Does this make a difference to the settings explained above, or do they apply the same?

Thanks!

They apply the same regardless of the HW. If you are still having problems after the changes we suggested, please share your config with us. Thanks!

Hello,

Sorry, I gave up trying, as I am not able to connect to the other hosts on the 192.168.1.0 network while connected through the VPN.

Current configuration : 11198 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname dslrouter

!

boot-start-marker

boot-end-marker

!

no logging buffered

no logging console

enable secret level 1 5 xxxxxxxxxxxxxxxxxxxxxxxxxxx

enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

!

aaa new-model

!

!

aaa authentication login AAA-VPN local

aaa authorization network AAA-VPN local

!

aaa session-id common

!

resource policy

!

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

ip cef

!

!

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW esmtp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW vdolive

no ip dhcp use vrf connected

no ip dhcp conflict logging

ip dhcp excluded-address 192.168.1.254

ip dhcp excluded-address 192.168.10.0 192.168.10.10

ip dhcp excluded-address 192.168.1.0 192.168.1.10

ip dhcp excluded-address 192.168.20.0 192.168.20.10

!

ip dhcp pool vlan10-Pool

   network 192.168.10.0 255.255.255.0

   domain-name home.local

   dns-server 194.158.37.196

   default-router 192.168.10.2

!

ip dhcp pool vlan20-pool

   network 192.168.20.0 255.255.255.0

   dns-server 194.158.37.196

   default-router 192.168.20.2

!

ip dhcp pool mainpool

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.2

   dns-server 194.158.37.196 194.158.37.211

!

!

ip domain name xxxxx.com

ip name-server 194.158.37.196

ip ssh time-out 75

ip dhcp-server 192.168.1.2

vpdn enable

!

!

!

!

crypto pki trustpoint TP-self-signed-265198023

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-265198023

revocation-check none

rsakeypair TP-self-signed-265198023

!

!

crypto pki certificate chain TP-self-signed-265198023

certificate self-signed 01

  30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 32363531 39383032 33301E17 0D303230 33303130 35323835

  365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F

  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3236 35313938

  30323330 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100

  D7A89B37 B70BEC63 2115B391 B5A34174 DD526F68 EF7DCC0C 0BD225CE 4F0735C1

  5623273E E48A1BC5 8651E5EA FCE60E7C 5673CBC9 06F16BF4 FDD19A0E 6548EE60

  787DFA09 A1F80D45 41E14865 58CDD498 9DD7CF05 A9B3C0B7 B7BB6DE3 7C345AA9

  28C5EE74 89346A4B 11649D74 F51C87EC 53F381B7 5A5E59C4 A1ED910B 594A7FA9

  02030100 01A37B30 79300F06 03551D13 0101FF04 05300301 01FF3026 0603551D

  11041F30 1D821B64 736C726F 75746572 2E61636F 6E74696F 6E6C696E 652E696E

  666F301F 0603551D 23041830 16801402 1D41D07E F08BDF72 56FEFB17 1B8276D3

  0A9B2D30 1D060355 1D0E0416 0414021D 41D07EF0 8BDF7256 FEFB171B 8276D30A

  9B2D300D 06092A86 4886F70D 01010405 00038181 00A893F5 202C9A46 973B7DFA

  61142393 70C686BD 9BDBFCDB B69E1CC4 96E98973 B5093EF5 D21E75B9 525F490F

  1A5D42AA 3D7F444C 73569CC1 8B1F64E2 A81ACFD9 CBE7F138 11A78172 982AA814

  8B8343E7 C1EDF79C 8EFA515E B82A9C04 754B33A8 1C1417D7 4DC2C473 B1F48EA0

  3A9DA567 380A8F7D 207C4B86 DFB3568A D474E0A9 C4

  quit

username and1 secret 5 xxxxxxxxxxxxxxxxxxxxxxx

username and privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxx

username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx

!

!

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp client configuration group vpnall

key xxxxxxxxxxxxxxxxxx

dns 192.168.1.2

pool VPNALLPOOL

!

!

crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set 3des-sha

reverse-route

!

!

crypto map vpn client authentication list AAA-VPN

crypto map vpn isakmp authorization list AAA-VPN

crypto map vpn client configuration address respond

crypto map vpn 10 ipsec-isakmp dynamic dynmap

!

!

!

interface ATM0

no ip address

no atm ilmi-keepalive

bundle-enable

dsl operating-mode auto

hold-queue 224 in

!

interface ATM0.1 point-to-point

pvc 8/35

  pppoe-client dial-pool-number 1

!

!

interface BRI0

no ip address

shutdown

!

interface FastEthernet0

no ip address

ip access-group 103 in

ip mtu 1450

ip nat inside

ip virtual-reassembly

speed auto

!

interface FastEthernet0.1

description $FW_INSIDE$

encapsulation dot1Q 1 native

ip address 192.168.1.2 255.255.255.0

ip access-group 100 in

ip mtu 1492

ip nat inside

ip virtual-reassembly

no snmp trap link-status

!

interface FastEthernet0.10

description $FW_INSIDE$

encapsulation dot1Q 10

ip address 192.168.10.2 255.255.255.0

ip access-group 101 in

ip nat inside

ip virtual-reassembly

no snmp trap link-status

!

interface FastEthernet0.20

description $FW_INSIDE$

encapsulation dot1Q 20

ip address 192.168.20.2 255.255.255.0

ip access-group 102 in

ip nat inside

ip virtual-reassembly

no snmp trap link-status

!

interface Dialer1

description ***Outside***$FW_OUTSIDE$

ip address negotiated

ip access-group 103 in

ip access-group 104 out

ip mtu 1492

ip inspect SDM_LOW out

ip nat outside

ip virtual-reassembly

encapsulation ppp

ip tcp adjust-mss 1452

dialer pool 1

ppp authentication pap callin

ppp pap sent-username xxxxxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxxxxx

crypto map vpn

!

ip local pool VPNALLPOOL 192.168.2.180 192.168.2.190

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

!

no ip http server

ip http secure-server

ip nat inside source route-map RM-POLICY-NAT interface Dialer1 overload

ip nat inside source static tcp 192.168.1.50 25 195.158.102.241 25 route-map SDM_RMAP_1 extendable

ip nat inside source static tcp 192.168.1.11 80 195.158.102.241 80 route-map SDM_RMAP_2 extendable

ip dns server

!

ip access-list extended ACL-POLICY-NAT

remark SDM_ACL Category=18

deny   tcp host 192.168.1.11 eq www any

deny   tcp host 192.168.1.50 eq smtp any

deny   ip any host 192.168.2.180

deny   ip any host 192.168.2.181

deny   ip any host 192.168.2.182

deny   ip any host 192.168.2.183

deny   ip any host 192.168.2.184

deny   ip any host 192.168.2.185

deny   ip any host 192.168.2.186

deny   ip any host 192.168.2.187

deny   ip any host 192.168.2.188

deny   ip any host 192.168.2.189

deny   ip any host 192.168.2.190

permit ip 192.168.10.0 0.0.0.255 any

permit ip 192.168.1.0 0.0.0.255 any

permit ip 192.168.20.0 0.0.0.255 any

deny   ip any 192.168.2.0 0.0.0.255

ip access-list extended acl_firewall

permit esp any any

permit udp any any eq non500-isakmp

permit udp any any eq isakmp

!

access-list 100 remark auto generated by SDM firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 deny   ip 192.168.10.0 0.0.0.255 any

access-list 100 deny   ip 192.168.20.0 0.0.0.255 any

access-list 100 deny   ip host 255.255.255.255 any

access-list 100 deny   ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 101 remark auto generated by SDM firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 deny   ip 192.168.1.0 0.0.0.255 any

access-list 101 deny   ip 192.168.20.0 0.0.0.255 any

access-list 101 deny   ip host 255.255.255.255 any

access-list 101 deny   ip 127.0.0.0 0.255.255.255 any

access-list 101 permit ip any any

access-list 102 remark auto generated by SDM firewall configuration

access-list 102 remark SDM_ACL Category=1

access-list 102 deny   ip 192.168.10.0 0.0.0.255 any

access-list 102 deny   ip 192.168.1.0 0.0.0.255 any

access-list 102 deny   ip host 255.255.255.255 any

access-list 102 deny   ip 127.0.0.0 0.255.255.255 any

access-list 102 permit ip any any

access-list 103 remark auto generated by SDM firewall configuration

access-list 103 remark SDM_ACL Category=1

access-list 103 permit tcp any host 195.158.102.241 eq smtp

access-list 103 permit tcp any host 195.158.102.241 eq www

access-list 103 permit udp host 194.158.37.196 eq domain any

access-list 103 permit ahp any any

access-list 103 permit esp any any

access-list 103 permit udp any any eq isakmp

access-list 103 permit udp any any eq non500-isakmp

access-list 103 deny   ip 192.168.10.0 0.0.0.255 any

access-list 103 deny   ip 192.168.1.0 0.0.0.255 any

access-list 103 deny   ip 192.168.20.0 0.0.0.255 any

access-list 103 permit icmp any any echo-reply

access-list 103 permit icmp any any time-exceeded

access-list 103 permit icmp any any unreachable

access-list 103 deny   ip 10.0.0.0 0.255.255.255 any

access-list 103 deny   ip 172.16.0.0 0.15.255.255 any

access-list 103 deny   ip 192.168.0.0 0.0.255.255 any

access-list 103 deny   ip 127.0.0.0 0.255.255.255 any

access-list 103 deny   ip host 255.255.255.255 any

access-list 103 deny   ip host 0.0.0.0 any

access-list 103 deny   ip any any log

access-list 104 remark SDM_ACL Category=2

access-list 104 deny   ip host 192.168.1.50 host 192.168.2.190

access-list 104 deny   ip host 192.168.1.50 host 192.168.2.189

access-list 104 deny   ip host 192.168.1.50 host 192.168.2.188

access-list 104 deny   ip host 192.168.1.50 host 192.168.2.187

access-list 104 deny   ip host 192.168.1.50 host 192.168.2.186

access-list 104 deny   ip host 192.168.1.50 host 192.168.2.185

access-list 104 deny   ip host 192.168.1.50 host 192.168.2.184

access-list 104 deny   ip host 192.168.1.50 host 192.168.2.183

access-list 104 deny   ip host 192.168.1.50 host 192.168.2.182

access-list 104 deny   ip host 192.168.1.50 host 192.168.2.181

access-list 104 deny   ip host 192.168.1.50 host 192.168.2.180

access-list 104 permit tcp host 192.168.1.50 eq smtp any

access-list 104 deny   icmp host 192.168.1.12 any

access-list 104 permit ip any any

access-list 105 remark SDM_ACL Category=2

access-list 105 deny   ip host 192.168.1.11 host 192.168.2.190

access-list 105 deny   ip host 192.168.1.11 host 192.168.2.189

access-list 105 deny   ip host 192.168.1.11 host 192.168.2.188

access-list 105 deny   ip host 192.168.1.11 host 192.168.2.187

access-list 105 deny   ip host 192.168.1.11 host 192.168.2.186

access-list 105 deny   ip host 192.168.1.11 host 192.168.2.185

access-list 105 deny   ip host 192.168.1.11 host 192.168.2.184

access-list 105 deny   ip host 192.168.1.11 host 192.168.2.183

access-list 105 deny   ip host 192.168.1.11 host 192.168.2.182

access-list 105 deny   ip host 192.168.1.11 host 192.168.2.181

access-list 105 deny   ip host 192.168.1.11 host 192.168.2.180

access-list 105 permit tcp host 192.168.1.11 eq www any

route-map RM-POLICY-NAT permit 10

match ip address ACL-POLICY-NAT

!

route-map SDM_RMAP_1 permit 1

match ip address 104

!

route-map SDM_RMAP_2 permit 1

match ip address 105

!

!

control-plane

!

!

line con 0

session-timeout 15

password 7 xxxxxxxxxxxxxxxx

line aux 0

line vty 0 4

exec-timeout 240 0

password 7 xxxxxxxxxxxxxxxxxx

transport input ssh

line vty 5 15

exec-timeout 240 0

transport input ssh

!

end

Thanks!