VPN - Network extension mode issue

CSCO11638397
Level 1

Hi,

I need to change the access method for remote locations to network extension mode; currently the remote-location users access HO using the Cisco VPN Client software.

The server configuration and network extension mode config are below.

Issues:

1. Loopback interface: when I create the loopback interface at HO, the remote-location users cannot access HO. If I remove the loopback, then I can ping 192.168.0.1 with source 10.100.100.11.

2. I need to create two-way access and forward the interesting traffic; in that case, how do I configure the routing? I added static routes as below on both sides:

Head office router

ip route 172.16.0.0 255.255.255.0 10.100.100.11  -- To forward local traffic to Remote location

Remote

ip route 192.168.0.0 255.255.255.0 10.100.100.1  -- To forward local traffic to Head office

3. The save-password option is not working?

Please suggest whether I can accomplish this task by any other method, or point out the issue in my configurations. Thanks.

Server - Router Configuration

aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
ip cef
!
username cisco password cisco1234
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group new-location
 key cisco123
 pool remote-pool
 acl 151
 save-password
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
crypto map mymap client authentication list userauthen
crypto map mymap isakmp authorization list groupauthor
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 ! xx.yy.xy.yx = ISP-provided public IP
 ip address xx.yy.xy.yx 255.255.255.248
 ip access-group 143 in
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map mymap
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Loopback0
 ip address 10.100.100.1 255.255.255.0
!
ip local pool remote-pool 10.100.100.10 10.100.100.200
ip forward-protocol nd
! xx.yy.xy.xy = ISP public IP (default next hop)
ip route 0.0.0.0 0.0.0.0 xx.yy.xy.xy
! forward local traffic to the remote location
ip route 172.16.0.0 255.255.255.0 10.100.100.11
!
ip http server
ip http secure-server
ip nat inside source list 111 interface FastEthernet0/0 overload
!
access-list 151 permit ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 111 deny   ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 111 permit ip any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password 0 cisco
!
end

Client - Router Configuration

!
ip cef
!
username cisco password cisco1234
!
crypto ipsec client ezvpn ez
 connect auto
 group new-location key cisco123
 mode network-extension
 ! xx.yy.xy.yx = head-office ISP-provided IP
 peer xx.yy.xy.yx
 username cisco password cisco1234
 xauth userid mode interactive
!
interface Loopback0
 ip address 10.100.100.11 255.255.255.0
 crypto ipsec client ezvpn ez inside
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 switchport access vlan 2
!
interface Vlan1
 ip address 172.16.0.1 255.255.255.0
!
interface Vlan2
 ip address 192.168.1.2 255.255.255.0
 crypto ipsec client ezvpn ez
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
! forward local traffic to the head office
ip route 192.168.0.0 255.255.255.0 10.100.100.1
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login
!
end

1 Reply

Jennifer Halim
Cisco Employee

Looks like a duplicate post.

Here you go again:

You should remove the static routes that you have additionally configured on both ends, as you do not require those.

Further to that, your NAT access-list should also deny traffic between 192.168.0.0/24 and 192.168.1.0/24.

Here is a sample configuration for your reference:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080808395.shtml

Hope that helps.
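As an added illustration of the NAT point in the reply (this is not code from the thread), the Python below evaluates the head-office ACLs with IOS first-match semantics, using a constructed copy of ACL 151 (interesting traffic) and ACL 111 (NAT) from the posted configuration. It reports any flow the crypto ACL would protect but the NAT ACL would still translate, and shows that the recommended deny entry only takes effect if it sits before the `permit ip any any`.

```python
import ipaddress

# Constructed sample: the two ACLs from the head-office configuration posted
# above (151 = interesting traffic, 111 = NAT).  Not the thread's own code.
POSTED = """
access-list 151 permit ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 111 deny  ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 111 permit ip any any
"""
# The deny line the reply recommends, placed BEFORE 'permit ip any any';
# appended after it (where a plain CLI 'access-list 111 deny' lands) it is never reached.
FIXED = POSTED.replace(
    "access-list 111 permit ip any any",
    "access-list 111 deny  ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255\n"
    "access-list 111 permit ip any any")

def _take(tokens):
    """Consume one IOS address spec ('any' or 'ADDR WILDCARD') -> network."""
    addr = tokens.pop(0)
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    prefix = 32 - bin(wildcard).count("1")  # assumes a contiguous wildcard
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_acls(config):
    """Map ACL number -> [(action, src_net, dst_net)] in configuration order."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        rest = tok[4:]
        acls.setdefault(int(tok[1]), []).append((tok[2], _take(rest), _take(rest)))
    return acls

def nat_translates(acls, nat_acl, src, dst):
    """First-match NAT ACL: permit = translate; deny or no match = untranslated."""
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    for action, s, d in acls.get(nat_acl, []):
        if src.subnet_of(s) and dst.subnet_of(d):
            return action == "permit"
    return False

def nat_leaks(acls, crypto_acl, nat_acl):
    """Flows the crypto ACL would protect but NAT rewrites first (so they
    leave with the public source address and never match the tunnel)."""
    return [(str(s), str(d)) for action, s, d in acls.get(crypto_acl, [])
            if action == "permit" and nat_translates(acls, nat_acl, str(s), str(d))]
```

Run `nat_leaks(parse_acls(POSTED), 151, 111)` after every NAT or crypto ACL change; an empty list means no VPN-bound flow is being translated away before it reaches the crypto map.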
