- Mike jones
January 17, 2007, 8:36 am

Hi everybody...
I'm trying to set up a VPN server using a 3662. I would like to be able to
connect to the VPN server using the Cisco VPN client. I would also like the
router to do NAT for the local LAN. Currently I can only do one at a time.
If I disable the inside NAT translation (no ip nat inside source list NAT
interface FastEthernet0/0 overload) my VPN client can talk to the LAN but my
LAN PC can't get to the Internet. If I enable NAT my LAN PCs can get to the
Internet but the VPN client cannot get to the LAN. Here is my config...
Current configuration : 2440 bytes
!
! Last configuration change at 23:01:55 AKST Tue Jan 16 2007
! NVRAM config last updated at 23:09:33 AKST Tue Jan 16 2007 by ljones
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3662-1
!
boot-start-marker
boot-end-marker
!
logging buffered 10000 debugging
enable secret 5 xxxx
!
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauth local
!
aaa session-id common
!
resource policy
!
clock timezone AKST -9
clock summer-time AKST recurring
ip subnet-zero
!
!
ip cef
!
!
!
!
!
username me privilege 15 password 0 cisco
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNgroup
key cisco
dns 192.168.1.3 192.168.1.2
wins 192.168.1.2
domain bluphisolutions.com
pool VPNpool
crypto isakmp profile VPNclient
match identity group VPNgroup
client authentication list clientauth
isakmp authorization list groupauth
client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DynVPNmap 5
set transform-set ESP-3DES-SHA
set isakmp-profile VPNclient
!
!
crypto map VPNmap 1 ipsec-isakmp dynamic DynVPNmap
!
!
!
!
!
interface Loopback0
ip address 192.168.10.1 255.255.255.255
!
interface FastEthernet0/0
description WAN
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPNmap
!
interface FastEthernet0/1
description LAN
ip address 192.168.1.253 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Ethernet1/0
no ip address
shutdown
half-duplex
!
ip local pool VPNpool 192.168.10.2 192.168.10.254
ip http server
no ip http secure-server
ip classless
!
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
!
ip access-list extended NAT
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
logging facility syslog
logging 192.168.1.2
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
password cisco
logging synchronous
!
ntp clock-period 17179883
ntp server 192.43.244.18
!
end
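
An added example (not part of the original post): a first-match evaluation of the posted NAT access list, showing that LAN replies addressed to the VPN pool match the overload rule. The exemption entry in EXEMPT_ACL and the sample host addresses are assumptions, not taken from the post.

```python
import ipaddress

# ACL "NAT" exactly as posted in the config above.
POSTED_ACL = """\
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
"""

# Assumption (not from the post): a NAT-exemption entry placed first,
# a common way to keep LAN-to-VPN-pool traffic out of PAT.
EXEMPT_ACL = "deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255\n" + POSTED_ACL


def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' and return a matcher."""
    head = tokens.pop(0)
    if head == "any":
        return lambda ip: True
    if head == "host":
        base, wild = int(ipaddress.IPv4Address(tokens.pop(0))), 0
    else:
        base = int(ipaddress.IPv4Address(head))
        wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return lambda ip: (int(ip) & care) == (base & care)


def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' entries into (action, src, dst)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue  # skip anything that is not a plain IP entry
        action, rest = tokens[0], tokens[2:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        entries.append((action, src, dst))
    return entries


def nat_decision(acl_text, src, dst):
    """First match wins; no match means implicit deny (not translated)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_ok, dst_ok in parse_acl(acl_text):
        if src_ok(s) and dst_ok(d):
            return "translate" if action == "permit" else "no-nat"
    return "no-nat"
```

With the posted list, a constructed flow from LAN host 192.168.1.10 to pool address 192.168.10.5 is translated; with the exemption entry first it is not, while LAN traffic to an Internet address is still translated.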