VPN tunnel issues

tbogie_gvds
Level 1

Folks,

Can you help me understand how I can resolve the following issues I have with a 1721 router (Version 12.3(8)T5) and the VPN 4.6.01.x client please.

BTW, the server at 192.168.3.2 is a file, DNS, WINS and proxy server for the LAN environment. All staff PCs are required to use the proxy, but visitors on the 192.168.2.0 network can access the internet directly.

Back to my issues. I have the requirement to set up a VPN tunnel to connect to a PC running terminal services / remote-desktop on a PC at 192.168.1.9. When the VPN software on the laptop is executed I get a login prompt and all appears to be fine. I ping around the router addresses and that works.

But the three things I don't understand are:

1. I can telnet quite successfully to the loopback address of the router, as well as other 192.168.x.x addresses. Fine, but why is it possible that I can telnet to the loopback address of 192.168.4.1?

2. I cannot RDC to the server on 192.168.3.2. The server can (and does) accept connections from a subnet I created on the 192.168.6.x network that I set up as VLAN6 on fa4 (the spare port on the 4 port Ether card). The only thing I didn't put into the interface configuration was the ip nat inside statement.

3. I cannot do an nslookup through the VPN tunnel (timeouts all the time), and neither can I http to the IIS server on the same 192.168.3.2 box. What I'm trying to say here is that other applications don't appear to be working except telnet!

So ...:

Why is telnet so special? I thought that if I could telnet to the router, then I should be able to access the server. And before you ask, there is no firewall or anything silly running on the server stopping connections to it. Hey, I'm the router guy, not the server jockey!

Have I managed to misunderstand the "match address 105" statement in the crypto map? Should the ACLs reflect traffic flowing both ways?

Should I have a hash statement in the "crypto isakmp policy 5" section? The client says that the connection is OK, so why should I need it?

I appreciate your time in assisting. I have been scratching my head a lot over the last couple of days.

Timothy

Accepted Solution

gfullage
Cisco Employee

Your NAT config is what's killing you here. You can telnet to the router interfaces because then the NAT configuration is not taking effect (since NAT only happens for traffic passing THROUGH the router, not TO it). You have to deny the IPSec traffic from being NAT'd, otherwise it doesn't match the crypto access-list and is not encrypted on the way back.

Your access-list 100 is incorrect, remove it and add in the following:

access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255

access-list 100 permit ip 192.168.0.0 0.0.255.255 any

This says don't NAT the VPN traffic going to 192.168.5.0, but do NAT it if it's going anywhere else (the Internet).

Also, you seem to have defined a static crypto map for your client traffic; this is not used and could be causing you trouble with access-list 105. Do the following to get rid of it and just use the dynamic crypto map:

no crypto map clientmap 1

You should just have the dynamic crypto map instance (number 20) left in your config.

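To make the accepted answer's reasoning concrete, here is an added example (my own Python model, not code from the thread, from Cisco, or from IOS) of how the two NAT access-lists interact with the crypto access-list. It assumes the VPN client pool is 192.168.5.0/24 (implied by the answer), that the original access-list 100 was a single permit covering all 192.168.0.0/16 sources with no exemption, that access-list 105 permits 192.168.0.0/16 to 192.168.5.0/24, and a constructed outside address of 203.0.113.1. The one piece of real behaviour it relies on is IOS order of operations on the inside-to-outside path: NAT is applied before the crypto map is evaluated, so a translated reply is checked against ACL 105 with its new source address. Wildcard-mask matching and first-match-with-implicit-deny are modelled the same way IOS evaluates an extended ACL.

```python
from ipaddress import IPv4Address
from typing import List, NamedTuple, Tuple


class AclEntry(NamedTuple):
    action: str      # "permit" or "deny"
    src: str         # network address
    src_wild: str    # IOS wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wild: str


def _take_spec(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse extended 'access-list N permit|deny ip SRC DST' lines, keeping their order."""
    entries = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        src, src_wild, rest = _take_spec(t[4:])
        dst, dst_wild, _ = _take_spec(rest)
        entries.append(AclEntry(t[2], src, src_wild, dst, dst_wild))
    return entries


def _wild_match(addr: str, network: str, wildcard: str) -> bool:
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = 0xFFFFFFFF ^ w          # the 0 bits of the wildcard are the bits that must match
    return (a & care) == (n & care)


def acl_lookup(acl: List[AclEntry], src: str, dst: str) -> str:
    """First-match evaluation with the implicit 'deny' at the end of every IOS ACL."""
    for e in acl:
        if _wild_match(src, e.src, e.src_wild) and _wild_match(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"


# Constructed: public address of the router's outside interface (the NAT overload address).
OUTSIDE_IP = "203.0.113.1"

# Assumed shape of the original NAT list: everything inside is translated, no exemption.
BROKEN_NAT_ACL = ["access-list 100 permit ip 192.168.0.0 0.0.255.255 any"]

# The two lines from the accepted answer: exempt VPN-bound traffic, translate the rest.
FIXED_NAT_ACL = [
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255",
    "access-list 100 permit ip 192.168.0.0 0.0.255.255 any",
]

# Assumed crypto ACL 105: LAN to the VPN client pool 192.168.5.0/24 is the traffic to encrypt.
CRYPTO_ACL_105 = ["access-list 105 permit ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255"]


def reply_path(nat_acl: List[AclEntry], crypto_acl: List[AclEntry], src: str, dst: str) -> dict:
    """Model a LAN host's reply leaving the router towards a VPN client.

    On the inside-to-outside path IOS applies NAT before it evaluates the crypto
    map, so the crypto ACL sees the translated source. If the translation fires,
    the reply no longer matches ACL 105 and is not encrypted back to the client.
    """
    translated = acl_lookup(nat_acl, src, dst) == "permit"
    src_after_nat = OUTSIDE_IP if translated else src
    encrypted = acl_lookup(crypto_acl, src_after_nat, dst) == "permit"
    return {"translated": translated, "src_after_nat": src_after_nat, "encrypted": encrypted}


def demo() -> dict:
    """Compare the broken and fixed NAT lists for the server's RDP/DNS/HTTP replies."""
    server, vpn_client, internet_host = "192.168.3.2", "192.168.5.10", "198.51.100.7"
    crypto = parse_acl(CRYPTO_ACL_105)
    return {
        "broken": reply_path(parse_acl(BROKEN_NAT_ACL), crypto, server, vpn_client),
        "fixed": reply_path(parse_acl(FIXED_NAT_ACL), crypto, server, vpn_client),
        # Ordinary Internet-bound traffic must still be translated and must not be encrypted.
        "internet": reply_path(parse_acl(FIXED_NAT_ACL), crypto, "192.168.1.9", internet_host),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} {result}")
```

Running `demo()` shows the three cases side by side: with the single-permit list the server's reply is translated to 203.0.113.1, fails ACL 105 and leaves the tunnel unencrypted, which is why only telnet to the router itself (traffic terminating on the router is never NAT'd) appeared to work; with the deny line in front, the reply keeps its 192.168.3.2 source, matches ACL 105 and is encrypted; and Internet-bound traffic still falls through to the permit and is translated as before. The same first-match rule is why the deny must come before the permit.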
gfullage,

Thank you very much for your assistance. Your answer resolved all my issues and so I give you a "5 out of 5" for your stellar response.