09-16-2012 12:25 AM
Hi,
I need to change the access method for the remote locations to network extension mode; currently the remote location users access the HO using the Cisco VPN client software.
The server configuration and the network extension mode config are below.
Issues:
1. Loopback interface - When I create the loopback interface in the HO, the remote location users cannot access the HO. If I remove the loopback, then I can ping 192.168.0.1 with source 10.100.100.11.
2. I need to create two-way access and forward the interesting traffic; in that case, how do I configure the routing? I added static routes as below on both sides.
Head office router
ip route 172.16.0.0 255.255.255.0 10.100.100.11 -- To forward local traffic to Remote location
Remote
ip route 192.168.0.0 255.255.255.0 10.100.100.1 -- To forward local traffic to Head office
3. The save-password option is not working?
Please suggest whether I can accomplish this task by any other method, or point out the issue in my configuration. Thanks
Server - Router Configuration
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
ip cef
!
username cisco password cisco1234
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group new-location
key cisco123
pool remote-pool
acl 151
save-password
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map mymap client authentication list userauthen
crypto map mymap isakmp authorization list groupauthor
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface FastEthernet0/0
! ISP-provided public IP
ip address xx.yy.xy.yx 255.255.255.248
ip access-group 143 in
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Loopback0
ip address 10.100.100.1 255.255.255.0
!
!
ip local pool remote-pool 10.100.100.10 10.100.100.200
ip forward-protocol nd
! Default route to the ISP public next hop
ip route 0.0.0.0 0.0.0.0 xx.yy.xy.xy
! To forward local traffic to the remote location
ip route 172.16.0.0 255.255.255.0 10.100.100.11
!
!
ip http server
ip http secure-server
ip nat inside source list 111 interface FastEthernet0/0 overload
!
access-list 151 permit ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 111 permit ip any any
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password 0 cisco
!
!
end
Client - Router Configuration
!
ip cef
!
!
!
username cisco password cisco1234
!
crypto ipsec client ezvpn ez
connect auto
group new-location key cisco123
mode network-extension
! Head office ISP-provided public IP
peer xx.yy.xy.yx
username cisco password cisco1234
xauth userid mode interactive
!
interface Loopback0
ip address 10.100.100.11 255.255.255.0
crypto ipsec client ezvpn ez inside
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
!
!
!
interface Vlan1
ip address 172.16.0.1 255.255.255.0
!
interface Vlan2
ip address 192.168.1.2 255.255.255.0
crypto ipsec client ezvpn ez
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
! To forward local traffic to the head office
ip route 192.168.0.0 255.255.255.0 10.100.100.1
!
!
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
end
09-16-2012 12:37 AM
Looks like duplicate post.
Here you go again:
You should remove the static routes that you have configured additionally on both ends, as you do not require them.
Further to that, your NAT access list should also deny traffic between 192.168.0.0/24 and 192.168.1.0/24.
Here is a sample configuration for your reference:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080808395.shtml
Hope that helps.
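Added example (not from either poster): the parts of the two posted configurations that change if the reply's advice is followed, together with the related fixes for the loopback and save-password questions. It assumes the remote LAN that should reach head office is Vlan1 (172.16.0.0/24), that "any" is an acceptable split-tunnel destination, and that `xauth userid mode local` is available on the remote's IOS; the public IPs stay as the placeholders from the post. The reply's point about the NAT access list generalizes: every network that is reached through the tunnel has to be denied in the NAT ACL before the `permit ip any any`, and in the posted configs those networks are the remote LAN and the remote loopback (192.168.1.0/24 is the remote router's WAN-side VLAN and is only tunnelled if it is marked inside).

```cisco
! ---- Head office (EzVPN server): changed parts only ----
!
! Loopback0 10.100.100.1/24 removed. It overlaps both the address pool and
! the subnet the remote advertises as "inside", so the server keeps a
! connected route for 10.100.100.0/24 and never sends that traffic into
! the tunnel (the questioner's issue 1).
no interface Loopback0
!
! Static route removed: "reverse-route" on the dynamic map injects a route
! to each remote inside network when the tunnel comes up (issue 2).
no ip route 172.16.0.0 255.255.255.0 10.100.100.11
!
! Split-tunnel ACL: the remote tunnels anything sent from its inside
! networks to 192.168.0.0/24. Destination "any" is an assumption; the
! original only listed 10.100.100.0/24, which excludes 172.16.0.0/24.
no access-list 151
access-list 151 permit ip 192.168.0.0 0.0.0.255 any
!
! NAT exemption: tunnelled destinations must be denied before the
! permit, otherwise PAT rewrites the source and the packet no longer
! matches the IPsec SA.
no access-list 111
access-list 111 deny   ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 111 deny   ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 111 permit ip any any
!
! Pool typo fixed; the pool is not used by a network-extension client,
! so it can also be moved off 10.100.100.0/24 to avoid the overlap.
ip local pool remote-pool 10.100.100.10 10.100.100.200
!
! ---- Remote (EzVPN client): changed parts only ----
!
crypto ipsec client ezvpn ez
 connect auto
 group new-location key cisco123
 mode network-extension
 peer xx.yy.xy.yx
 username cisco password cisco1234
 ! "local" uses the stored username/password instead of prompting for
 ! Xauth; it relies on save-password in the server group, which the
 ! posted server config already has (issue 3).
 xauth userid mode local
!
! The LAN that must reach head office is marked inside. The loopback can
! stay inside as well, as long as head office does not own that subnet.
interface Vlan1
 ip address 172.16.0.1 255.255.255.0
 crypto ipsec client ezvpn ez inside
!
interface Vlan2
 ip address 192.168.1.2 255.255.255.0
 crypto ipsec client ezvpn ez
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
! Static route removed: with the remote loopback on 10.100.100.0/24 the
! next hop 10.100.100.1 looked directly connected and the traffic was
! routed out Loopback0 and dropped. The default route is enough; the
! crypto map the EzVPN client applies to Vlan2 encrypts matching traffic.
no ip route 192.168.0.0 255.255.255.0 10.100.100.1
```

Once the tunnel is up, `show ip route` on the head office router should list 172.16.0.0/24 (and 10.100.100.0/24 while the remote loopback stays inside) as static routes injected by RRI with the remote's public address as next hop, and `show crypto ipsec client ezvpn` on the remote should show the split-tunnel networks it received from the server.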