09-16-2012 12:25 AM
Hi,
I need to change the access method for the remote locations to network extension mode; currently the remote-location users access the HO using the Cisco VPN client software.
The server configuration and the network extension mode config are below.
Issues with:
1. Loopback interface - When I create the loopback interface in the HO, the remote-location users cannot access the HO. If I remove the loopback, then I can ping 192.168.0.1 from source 10.100.100.11.
2. I need to create two-way access and forward the interesting traffic; in that case, how do I configure the routing? I did a static route as below on both sides.
Head office router
ip route 172.16.0.0 255.255.255.0 10.100.100.11   -> to forward local traffic to the remote location
Remote
ip route 192.168.0.0 255.255.255.0 10.100.100.1   -> to forward local traffic to the head office
3. The save-password option is not working?
Please suggest whether I can accomplish this task by any other method, or point out the issue in my configuration. Thanks.
Server - Router Configuration
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
ip cef
!
username cisco password cisco1234
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group new-location
key cisco123
pool remote-pool
acl 151
save-password
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map mymap client authentication list userauthen
crypto map mymap isakmp authorization list groupauthor
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface FastEthernet0/0
ip address xx.yy.xy.yx 255.255.255.248 – ISP Provided public IP
ip access-group 143 in
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Loopback0
ip address 10.100.100.1 255.255.255.0
!
!
ip local pool remote-pool 10.100.100.10 10.100.100.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.yy.xy.xy – ISP public IP
ip route 172.16.0.0 255.255.255.0 10.100.100.11   ---- To forward local traffic to the remote location
!
!
ip http server
ip http secure-server
ip nat inside source list 111 interface FastEthernet0/0 overload
!
access-list 151 permit ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 111 permit ip any any
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password 0 cisco
!
!
end
Client - Router Configuration
!
ip cef
!
!
!
username cisco password cisco1234
!
crypto ipsec client ezvpn ez
connect auto
group new-location key cisco123
mode network-extension
peer xx.yy.xy.yx – head office ISP Provided IP
username cisco password cisco1234
xauth userid mode interactive
!
interface Loopback0
ip address 10.100.100.11 255.255.255.0
crypto ipsec client ezvpn ez inside
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
!
!
!
interface Vlan1
ip address 172.16.0.1 255.255.255.0
!
interface Vlan2
ip address 192.168.1.2 255.255.255.0
crypto ipsec client ezvpn ez
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.0.0 255.255.255.0 10.100.100.1   ---- To forward local traffic to the head office
!
!
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
!
end
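The address plan in the two configs above can be sanity-checked before touching the routers. The script below is an added example for this thread (not Cisco tooling and not the poster's configuration): it transcribes the prefixes, pool, split-tunnel ACL and static route from the posted configs into constants and tests them against three rules of thumb that the script itself documents. Those rules are the assumptions here, not something the thread confirms: a pool must be one contiguous range in one subnet; a prefix directly connected on the headend must not overlap the client's NEM inside network, since the connected route is preferred over the static that reverse-route injection installs; and a static route toward the peer's inside address encrypts nothing on its own, only flows matched by the split-tunnel ACL enter the SA.

```python
"""Address-plan checks for the EzVPN network-extension setup posted above.

Added example for this thread: not Cisco tooling and not the poster's
configuration. The constants are transcribed from the two configs above.
The three rules they are checked against are assumptions of this example:

  1. an 'ip local pool' must be one contiguous range inside one subnet;
  2. a prefix directly connected on the headend must not overlap the client's
     NEM inside network: a connected route (AD 0) is preferred over the static
     that reverse-route injection installs (AD 1), so return traffic is handed
     to the local interface instead of the crypto map;
  3. a static route toward the peer's inside address encrypts nothing by
     itself: only flows matching the split-tunnel ACL enter the IPsec SA, the
     rest is forwarded in the clear through the WAN interface.
"""
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]

# --- transcribed from the head-office config ---------------------------------
HO_LAN = ipaddress.ip_network("192.168.0.0/24")          # FastEthernet0/1
HO_LOOPBACK = ipaddress.ip_network("10.100.100.0/24")    # Loopback0 (10.100.100.1/24)
HO_CONNECTED: List[Net] = [HO_LAN, HO_LOOPBACK]
POOL_RANGE = ("10.100.100.10", "100.100.100.200")        # 'ip local pool remote-pool' exactly as posted
# access-list 151 permit ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
SPLIT_ACL: List[Pair] = [(ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("10.100.100.0/24"))]
# ip route 172.16.0.0 255.255.255.0 10.100.100.11
HO_STATIC = (ipaddress.ip_network("172.16.0.0/24"), "10.100.100.11")

# --- transcribed from the remote config --------------------------------------
REMOTE_INSIDE = ipaddress.ip_network("10.100.100.0/24")  # Loopback0, 'crypto ipsec client ezvpn ez inside'


def check_pool(start: str, end: str) -> List[str]:
    """Rule 1: flag a pool whose ends are out of order or not in the same /24."""
    a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
    findings = []
    if b < a:
        findings.append(f"pool end {b} is below pool start {a}")
    same_net = ipaddress.ip_network(f"{a}/24", strict=False) == ipaddress.ip_network(f"{b}/24", strict=False)
    if not same_net:
        findings.append(f"pool {a}-{b} spans different /24 networks (typo in the posted range?)")
    return findings


def check_rri_overlap(connected: List[Net], client_inside: Net) -> List[str]:
    """Rule 2: flag headend connected prefixes that overlap the NEM client's inside network."""
    return [f"connected {c} overlaps client inside network {client_inside}: "
            f"the connected route beats the RRI static, so return traffic never reaches the tunnel"
            for c in connected if c.overlaps(client_inside)]


def is_protected(src: str, dst: str, acl: List[Pair]) -> bool:
    """True if src->dst matches a permit line of the split-tunnel ACL, i.e. will be encrypted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)


def check_static_leak(static: Tuple[Net, str], lan: Net, acl: List[Pair]) -> List[str]:
    """Rule 3: flag a static route whose destination is not covered by the split-tunnel ACL."""
    dst_net, next_hop = static
    probe_src, probe_dst = str(lan[10]), str(dst_net[10])  # arbitrary hosts on each side
    if is_protected(probe_src, probe_dst, acl):
        return []
    return [f"ip route {dst_net} via {next_hop}: {probe_src}->{probe_dst} matches no split-tunnel ACL line "
            f"and would leave the WAN interface unencrypted"]


def audit() -> List[str]:
    """Run all checks against the transcribed values; an empty list means nothing was flagged."""
    findings: List[str] = []
    findings += check_pool(*POOL_RANGE)
    findings += check_rri_overlap(HO_CONNECTED, REMOTE_INSIDE)
    findings += check_static_leak(HO_STATIC, HO_LAN, SPLIT_ACL)
    return findings


if __name__ == "__main__":
    for f in audit():
        print("FINDING:", f)
```

Run as-is it reports three findings against the posted values: the pool range as posted crosses into 100.100.100.0/24, the head-office Loopback0 sits in the same /24 as the remote's inside interface, and the 172.16.0.0/24 static route points at the tunnel peer while access-list 151 never mentions 172.16.0.0/24. Swap the constants for your own values to reuse the checks.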
09-18-2012 06:46 AM
Hi Jennifer,
While the VPN is connected I cannot ping 4.2.2.2; to use the Internet I have to bring the VPN down. I believe some ACL is blocking...?
09-18-2012 06:50 AM
Please share the output of:
show cry isa sa
show cry ipsec sa
Without that, we don't know exactly where it's failing, or whether the split-tunnel ACL gets injected into the remote router.
09-18-2012 07:03 AM
Router#show cryp isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.2 QM_IDLE 2007 ACTIVE
IPv6 Crypto ISAKMP SA
Router#show cryp ipse sa
interface: Dialer0
Crypto map tag: Dialer0-head-0, local addr 2.2.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (10.200.192.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0x85B824EA(2243437802)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xBA848970(3129248112)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 13, flow_id: Onboard VPN:13, sibling_flags 80000046, crypto map: Dialer0-head-0
sa timing: remaining key lifetime (k/sec): (4411097/3456)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x85B824EA(2243437802)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 14, flow_id: Onboard VPN:14, sibling_flags 80000046, crypto map: Dialer0-head-0
sa timing: remaining key lifetime (k/sec): (4411097/3456)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access2
Crypto map tag: Dialer0-head-0, local addr 2.2.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (10.200.192.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0x85B824EA(2243437802)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xBA848970(3129248112)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 13, flow_id: Onboard VPN:13, sibling_flags 80000046, crypto map: Dialer0-head-0
sa timing: remaining key lifetime (k/sec): (4411097/3456)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x85B824EA(2243437802)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 14, flow_id: Onboard VPN:14, sibling_flags 80000046, crypto map: Dialer0-head-0
sa timing: remaining key lifetime (k/sec): (4411097/3456)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Router#
1.1.1.1 - peer ip
2.2.2.2 - local ip
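The output above is long, but it answers only two questions: which flows the SA carries, and whether packets move in both directions. The script below is an added example for this thread (not Cisco tooling and not from the posts) that pulls those answers out of `show crypto ipsec sa` text. The sample inside it is abridged from the output posted above (the two interface blocks report the same SA pair); `sa_covers()` shows that a packet from 10.200.192.x to 4.2.2.2 matches no selector, so Internet traffic is not expected in the tunnel and has to be handled by NAT on the remote router.

```python
"""Parse 'show crypto ipsec sa' output: which flows does each SA carry, and is
traffic moving both ways.

Added example for this thread, not Cisco tooling and not from the posts. The
sample is abridged from the output posted above; indentation and the double
space in 'local  ident' follow the IOS format.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

SAMPLE = """\
interface: Dialer0
    Crypto map tag: Dialer0-head-0, local addr 2.2.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.200.192.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #send errors 0, #recv errors 0

interface: Virtual-Access2
    Crypto map tag: Dialer0-head-0, local addr 2.2.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.200.192.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): "
    r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/(\d+)/(\d+)\)")


@dataclass
class SaEntry:
    interface: str
    local: ipaddress.IPv4Network   # traffic selector on our side
    remote: ipaddress.IPv4Network  # traffic selector on the peer's side
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int


def _int_after(label: str, chunk: str) -> int:
    """Integer that follows a counter label such as '#pkts encaps:'; 0 if absent."""
    m = re.search(re.escape(label) + r"\s*(\d+)", chunk)
    return int(m.group(1)) if m else 0


def parse_ipsec_sa(text: str) -> List[SaEntry]:
    """Split the output into per-interface blocks and pull out selectors and counters."""
    entries = []
    for chunk in re.split(r"^\s*interface:\s*", text, flags=re.M)[1:]:
        name = chunk.split("\n", 1)[0].strip()
        idents = {side: ipaddress.ip_network(f"{addr}/{mask}", strict=False)
                  for side, addr, mask, _proto, _port in IDENT_RE.findall(chunk)}
        peer = re.search(r"current_peer (\S+)", chunk)
        entries.append(SaEntry(
            interface=name,
            local=idents["local"], remote=idents["remote"],
            peer=peer.group(1) if peer else "?",
            encaps=_int_after("#pkts encaps:", chunk),
            decaps=_int_after("#pkts decaps:", chunk),
            send_errors=_int_after("#send errors", chunk),
            recv_errors=_int_after("#recv errors", chunk),
        ))
    return entries


def sa_covers(entries: List[SaEntry], src: str, dst: str) -> List[str]:
    """Interfaces whose SA selectors would carry a src->dst packet; empty means 'not in the tunnel'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [e.interface for e in entries if s in e.local and d in e.remote]


def health(e: SaEntry) -> str:
    """Classify an SA from its counters alone."""
    if e.send_errors or e.recv_errors:
        return "errors"
    if e.encaps and not e.decaps:
        return "one-way: sending, nothing comes back"
    if e.decaps and not e.encaps:
        return "one-way: receiving only"
    if not e.encaps and not e.decaps:
        return "idle"
    return "bidirectional"


if __name__ == "__main__":
    sas = parse_ipsec_sa(SAMPLE)
    for e in sas:
        print(f"{e.interface}: {e.local} <-> {e.remote} via {e.peer}: {health(e)}")
    print("4.2.2.2 in tunnel:", sa_covers(sas, "10.200.192.5", "4.2.2.2"))
```

Take two snapshots a few seconds apart while sending test traffic and compare the counters: encaps climbing with decaps flat is the classic sign that the far side has no route back into the tunnel.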
09-18-2012 07:14 AM
Hmm, that output looks good too.
If you disable "ip cef", does it work?
09-18-2012 08:14 AM
Hi Jennifer,
I tried disabling IP CEF; the Internet is still not working for PCs at the remote location, but I can ping 4.2.2.2 from the router while the VPN is on.
Please share your ideas regarding:
interface Dialer0 - any issue having both VPN and IP NAT?
I checked show ip nat translations - no records, so I guess maybe the ACL has an issue.
ACL 120
Router#show access-lists 120
Extended IP access list 120
10 deny ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255
20 deny ip 10.200.192.0 0.0.0.255 192.168.1.0 0.0.0.255 log
30 permit ip 10.200.192.0 0.0.0.255 any
40 permit ip any any (2 matches)
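Rather than reading ACL 120 by eye, the lines can be evaluated with IOS first-match semantics. The script below is an added example for this thread (not Cisco code and not from the posts): it parses the four posted lines, including wildcard masks, `any` and the trailing `log` and `(n matches)` decorations, and reports which line a given source/destination pair hits. The sample flows are constructed. Two results are worth noting: 10.200.192.x to 4.2.2.2 hits line 30 (permit), so if 120 is the list behind `ip nat inside source list` these lines would translate Internet traffic; and 10.200.192.x to 192.168.0.x also hits line 30, because line 10 has that pair written the other way round. On IOS, inside-to-outside NAT runs before the crypto map is consulted, which is why NAT ACLs carry deny lines for tunnel-bound traffic.

```python
"""Evaluate a Cisco IOS extended ACL (as shown by 'show access-lists') with
first-match semantics.

Added example for this thread, not Cisco code and not from the posts. ACL_TEXT
is the list posted above; the flows in __main__ are constructed.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

ACL_TEXT = """\
Extended IP access list 120
    10 deny ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255
    20 deny ip 10.200.192.0 0.0.0.255 192.168.1.0 0.0.0.255 log
    30 permit ip 10.200.192.0 0.0.0.255 any
    40 permit ip any any (2 matches)
"""


class AclEntry(NamedTuple):
    seq: int
    action: str      # "permit" or "deny"
    proto: str       # "ip", "tcp", "udp", ...
    src: int         # address as integer
    src_wild: int    # wildcard mask: set bits are "don't care"
    dst: int
    dst_wild: int
    log: bool


def _addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Read one address spec (any | host A | A WILDCARD) at tokens[i]; return (addr, wild, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.ip_address(tokens[i + 1])), 0, i + 2
    return int(ipaddress.ip_address(tokens[i])), int(ipaddress.ip_address(tokens[i + 1])), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'show access-lists' output for one extended IP ACL into ordered entries."""
    entries = []
    for line in text.splitlines():
        line = re.sub(r"\(\d+ matches?\)", "", line).strip()   # drop hit counters
        toks = line.split()
        if len(toks) < 4 or not toks[0].isdigit():               # skip the header line
            continue
        seq, action, proto = int(toks[0]), toks[1], toks[2]
        src, src_wild, i = _addr(toks, 3)
        dst, dst_wild, i = _addr(toks, i)
        entries.append(AclEntry(seq, action, proto, src, src_wild, dst, dst_wild, "log" in toks[i:]))
    return entries


def _hit(addr: int, wild: int, ip: int) -> bool:
    """Cisco wildcard match: compare only the bits that are clear in the wildcard."""
    mask = ~wild & 0xFFFFFFFF
    return (ip & mask) == (addr & mask)


def evaluate(acl: List[AclEntry], src: str, dst: str, proto: str = "ip") -> Optional[AclEntry]:
    """First matching entry for src->dst, or None for the implicit deny at the end."""
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if _hit(e.src, e.src_wild, s) and _hit(e.dst, e.dst_wild, d):
            return e
    return None


def nat_decision(acl: List[AclEntry], src: str, dst: str) -> str:
    """What 'ip nat inside source list' would do with this flow if acl were its list."""
    e = evaluate(acl, src, dst)
    if e is None:
        return "not translated (implicit deny)"
    return f"{'translated' if e.action == 'permit' else 'not translated'} (line {e.seq})"


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for src, dst in [("10.200.192.5", "4.2.2.2"),        # remote LAN -> Internet
                     ("10.200.192.5", "192.168.0.1"),    # remote LAN -> head-office LAN
                     ("10.200.192.5", "192.168.1.1"),    # remote LAN -> remote WAN-side subnet
                     ("192.168.0.7", "10.200.192.9")]:   # head-office LAN -> remote LAN
        print(f"{src} -> {dst}: {nat_decision(acl, src, dst)}")
```

The evaluator only models source and destination addresses (plus the protocol keyword); port and established matches are not needed for the posted list and are deliberately left out.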
09-19-2012 02:34 AM
Hi Jennifer,
Do we have to configure multiple encapsulations to allow VPN and Internet on the ATM interface? Any ideas please...
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!