c2821 vpn with bgp problem

Hello all

I have a problem with configuring remote access. Now I have BGP with 1 peer.

BGP p2p address 195.91.191.2/30 and my PI network 191.181.81.0/23. I'd like Cisco VPN clients to be able to access all of the internet via the router.

I read this:

formatting link

and I made the config below, but I have a problem with access to the world. Access to my LAN is not stable. Some addresses from pool CLIENT_POOL2 answer correctly and some do not from the Cisco VPN client.

version 12.4

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN
 key secret_key
 dns 192.168.1.16
 wins 192.168.1.16
 pool CLIENT_POOL2
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set myset
 reverse-route
!
crypto map dynmap client authentication list userauthen
crypto map dynmap isakmp authorization list groupauthor
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap

!
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0
 description My LAN
 ip address 192.168.1.1 255.255.248.0
 ip access-group 105 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan2
 description BGP peer
 ip address 191.181.81.129 255.255.255.128 secondary
 ip address 195.91.191.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip policy route-map VPN-Client
 crypto map dynmap
!
interface Vlan3
 description my PI address
 ip address 191.181.81.1 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
!
ip local pool CLIENT_POOL2 192.168.10.1 192.168.10.254

ip nat inside source list NAT interface Vlan2 overload
!
ip access-list extended NAT
 deny ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.255.255 any
!
route-map VPN-Client permit 10
 match ip address 144
 set interface Loopback0
!
access-list 144 permit ip 192.168.10.0 0.0.0.255 any

sh access-list 144
Extended IP access list 144
    10 permit ip 192.168.10.0 0.0.0.255 any (3885 matches)

sh access-lists NAT
Extended IP access list NAT
    20 permit ip 192.168.0.0 0.0.255.255 any (2757 matches)

Thanks for the help

Ted


I changed the ACL and now access to my LAN is stable, but I still can't get to the internet. ACL 144 is OK, it captures the packets, but ACL 101 only a few, so the NAT with ACL 101 didn't work. I don't have any idea what is wrong :(

Thanks for the help

Actual config and some output:

crypto isakmp client configuration group VPN
 key secret_key
 dns 192.168.1.16
 wins 192.168.1.16
 pool CLIENT_POOL2
!
crypto dynamic-map dynmap 1
 set transform-set myset
 reverse-route
!
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.248.0
 ip access-group 105 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Vlan2
 description BGP
 ip address 191.181.81.129 255.255.255.128            # my PI addresses
 ip address 195.91.191.2 255.255.255.252 secondary    # BGP
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip policy route-map VPN-Client
 crypto map dynmap
!
ip local pool CLIENT_POOL2 192.168.10.1 192.168.10.254
!
ip nat inside source list 101 interface Vlan2 overload
ip nat inside source list NAT interface Vlan2 overload
!
ip access-list extended NAT
 deny ip 192.168.0.0 0.0.63.255 192.168.10.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.63.255 any
!
access-list 144 permit ip 192.168.10.0 0.0.0.255 any
!
route-map VPN-Client permit 10
 match ip address 144
 set interface Loopback0
!

#sh access-lists 101
Extended IP access list 101
    10 permit ip 192.168.10.0 0.0.0.255 any
    20 permit ip 10.0.0.0 0.255.255.255 any (15 matches)
    30 permit ip 10.1.0.0 0.0.255.255 any

#sh access-lists 144
Extended IP access list 144
    10 permit ip 192.168.10.0 0.0.0.255 any (9425 matches)

sh ip nat statistics
Dynamic mappings:
-- Inside Source
[Id: 3] access-list 101 interface Vlan2 refcount 0
[Id: 1] access-list NAT interface Vlan2 refcount 122
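The three access lists posted above (the NAT list, ACL 101 and ACL 144 from the second post) decide which flows are candidates for translation and which are policy-routed to Loopback0. The script below is an added illustration, not Ted's configuration or anything from the thread: it re-implements first-match ACL evaluation with Cisco wildcard masks (a 1 bit in the wildcard means "don't care", and every list ends with an implicit deny) and reports, for a source/destination pair, whether each list permits or denies the flow. The sample flows and the public address 203.0.113.9 are constructed for the example. Running it shows what the posted lists already say in a less readable form: the NAT list's permit entry covers 192.168.0.0 through 192.168.63.255, which includes the client pool 192.168.10.0/24, so the explicit deny ahead of it is what keeps pool traffic out of that list, and pool traffic is permitted only by ACL 101 and ACL 144.

```python
"""Evaluate the IOS ACLs from the thread against constructed sample flows.

Added example, not the original poster's code. Implements first-match
ACL evaluation with Cisco wildcard masks; the ACL entries are copied from
the second post, the sample flows are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus (address, wildcard) for src and dst."""
    action: str
    src: tuple[int, int]
    dst: tuple[int, int]


def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _take_addr(tokens: list[str]) -> tuple[tuple[int, int], list[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the token list."""
    if tokens[0] == "any":
        return (0, MASK32), tokens[1:]
    if tokens[0] == "host":
        return (_addr(tokens[1]), 0), tokens[2:]
    return (_addr(tokens[0]), _addr(tokens[1])), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'permit ip <src> <dst>' / 'deny ip <src> <dst>', with an optional
    leading sequence number as printed by 'show access-lists'."""
    tokens = line.split()
    if tokens[0].isdigit():
        tokens = tokens[1:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    src, rest = _take_addr(rest)
    dst, _ = _take_addr(rest)
    return Ace(action, src, dst)


def wildcard_match(entry: tuple[int, int], ip: str) -> bool:
    """Cisco wildcard semantics: compare only the bits where the wildcard is 0."""
    net, wc = entry
    care = ~wc & MASK32
    return (_addr(ip) & care) == (net & care)


def evaluate(acl: list[Ace], src: str, dst: str) -> str:
    """First matching entry wins; an ACL ends with an implicit 'deny'."""
    for ace in acl:
        if wildcard_match(ace.src, src) and wildcard_match(ace.dst, dst):
            return ace.action
    return "deny"


# The three lists exactly as they appear in the second post.
ACLS: dict[str, list[Ace]] = {
    "NAT": [parse_ace(l) for l in (
        "deny ip 192.168.0.0 0.0.63.255 192.168.10.0 0.0.0.255",
        "deny ip 192.168.10.0 0.0.0.255 any",
        "permit ip 192.168.0.0 0.0.63.255 any",
    )],
    "101": [parse_ace(l) for l in (
        "10 permit ip 192.168.10.0 0.0.0.255 any",
        "20 permit ip 10.0.0.0 0.255.255.255 any",
        "30 permit ip 10.1.0.0 0.0.255.255 any",
    )],
    "144": [parse_ace("10 permit ip 192.168.10.0 0.0.0.255 any")],
}


def classify(src: str, dst: str) -> dict[str, str]:
    """Result of every list for one flow, e.g. {'NAT': 'deny', '101': 'permit', '144': 'permit'}."""
    return {name: evaluate(acl, src, dst) for name, acl in ACLS.items()}


if __name__ == "__main__":
    # Constructed sample flows: a VPN-pool client, a LAN host and a 10/8 host
    # reaching a public address (203.0.113.9 is documentation space), plus a
    # LAN host talking to a VPN-pool client.
    for src, dst in [("192.168.10.5", "203.0.113.9"),
                     ("192.168.1.20", "203.0.113.9"),
                     ("10.1.2.3", "203.0.113.9"),
                     ("192.168.1.20", "192.168.10.5")]:
        print(f"{src:>14} -> {dst:<14} {classify(src, dst)}")
```

What this cannot show is the interface side of the design: an ACL "permit" only makes a flow a candidate, and translation on the router additionally depends on the packet actually passing from an "ip nat inside" interface to the "ip nat outside" one. In this setup that is what the route-map is for: ACL 144 is supposed to send client traffic arriving on Vlan2 through Loopback0, which is marked "ip nat inside". The router-side check for whether that actually happens is the output already posted: the per-entry match counters in sh access-lists and the refcount per mapping in sh ip nat statistics.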


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.