Cisco 1760 router and VPN client Connection Issues

I have a Cisco 1760 router with IOS 12.4 connected to the Internet with a WIC-1ADSL card. It has a dynamic external IP address. FastEthernet0/0 has IP address 192.168.1.254, and now I want to be able to log into the 1760 through the Internet with a VPN connection. I have changed the configuration to the one below, but I still am not able to log in: the Cisco VPN client starts making a connection, but it says in the end that it cannot get access. Is there anything that I missed in this configuration? Thx Jeroen

c1760#sh run
Building configuration...

Current configuration : 3618 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log uptime
service password-encryption
!
hostname c1760
!
boot-start-marker
boot-end-marker
!
enable password 7 1304191C020705
!
aaa new-model
!
aaa authentication login my_userauthen local
aaa authorization network my_groupauthor local
!
aaa session-id common
!
resource policy
!
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool my_dhcp
   network 192.168.1.0 255.255.255.0
   dns-server 212.71.8.11 212.71.0.2
   default-router 192.168.1.254
!
ip domain name dyndns.org
ip host members.dyndns.org 63.208.196.96
ip name-server 212.71.8.11
ip name-server 212.71.0.2
ip ddns update method my_dyndns
 HTTP
  add http://xxx:xxx@/nic/update?system=dyndns&hostname=&myip=
 interval maximum 28 0 0 0
!
username xxx password xxx
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group my_clientconfig
 key xxx
 pool my_vpnippool
 include-local-lan
!
crypto ipsec transform-set my_trafoset esp-des esp-sha-hmac
!
crypto dynamic-map my_dyncmap 10
 set transform-set my_trafoset
 reverse-route
!
crypto map my_cmap client authentication list my_userauthen
crypto map my_cmap isakmp authorization list my_groupauthor
crypto map my_cmap client configuration address respond
crypto map my_cmap 10 ipsec-isakmp dynamic my_dyncmap
!
interface ATM0/0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
!
interface Dialer0
 ip ddns update hostname xxx.dyndns.org
 ip ddns update my_dyndns host members.dyndns.org
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxx@xxx
 ppp chap password xxx
 crypto map my_cmap
!
ip local pool my_vpnippool 192.168.1.50 192.168.1.69
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.1.221 10002 interface Dialer0 10002
ip nat inside source static udp 192.168.1.221 10001 interface Dialer0 10001
ip nat inside source static udp 192.168.1.221 10000 interface Dialer0 10000
ip nat inside source static udp 192.168.1.221 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.221 22 interface Dialer0 22
ip nat inside source static tcp 192.168.1.221 20 interface Dialer0 20
ip nat inside source static tcp 192.168.1.221 110 interface Dialer0 110
ip nat inside source static tcp 192.168.1.221 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.221 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.221 11888 interface Dialer0 11888
ip nat inside source static tcp 192.168.1.221 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.221 23 interface Dialer0 23
ip nat inside source route-map nonat interface Dialer0 overload
!
logging 192.168.1.221
access-list 1 permit any
access-list 100 permit ip any any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 100
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password xxx
!
end
Reply to
jeroen.muskee

I suggest you use a different address range for the VPN pool.

Try using 172.16.1.x-y.

Reply to
Merv

I have changed it to the config below, but I am still not able to log in with the Cisco Secure VPN client. Not sure where the mistake is.

c1760#sh run
Building configuration...

Current configuration : 3615 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log uptime
service password-encryption
!
hostname c1760
!
boot-start-marker
boot-end-marker
!
enable password 7 xxxx
!
aaa new-model
!
aaa authentication login my_userauthen local
aaa authorization network my_groupauthor local
!
aaa session-id common
!
resource policy
!
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool my_dhcp
   network 192.168.1.0 255.255.255.0
   dns-server 212.71.8.11 212.71.0.2
   default-router 192.168.1.254
!
ip domain name dyndns.org
ip host members.dyndns.org 63.208.196.96
ip name-server 212.71.8.11
ip name-server 212.71.0.2
ip ddns update method my_dyndns
 HTTP
  add http://xxx:xxx@/nic/update?system=dyndns&hostname=&myip=
 interval maximum 28 0 0 0
!
username xxx password xxx
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group my_clientconfig
 key annika
 pool my_vpnippool
 include-local-lan
!
crypto ipsec transform-set my_trafoset esp-des esp-sha-hmac
!
crypto dynamic-map my_dyncmap 10
 set transform-set my_trafoset
 reverse-route
!
crypto map my_cmap client authentication list my_userauthen
crypto map my_cmap isakmp authorization list my_groupauthor
crypto map my_cmap client configuration address respond
crypto map my_cmap 10 ipsec-isakmp dynamic my_dyncmap
!
interface ATM0/0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
!
interface Dialer0
 ip ddns update hostname evwaes.dyndns.org
 ip ddns update my_dyndns host members.dyndns.org
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxx@xxx
 ppp chap password xxxx
 crypto map my_cmap
!
ip local pool my_vpnippool 172.16.1.1 172.16.1.10
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.1.221 10002 interface Dialer0 10002
ip nat inside source static udp 192.168.1.221 10001 interface Dialer0 10001
ip nat inside source static udp 192.168.1.221 10000 interface Dialer0 10000
ip nat inside source static udp 192.168.1.221 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.221 22 interface Dialer0 22
ip nat inside source static tcp 192.168.1.221 20 interface Dialer0 20
ip nat inside source static tcp 192.168.1.221 110 interface Dialer0 110
ip nat inside source static tcp 192.168.1.221 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.221 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.221 11888 interface Dialer0 11888
ip nat inside source static tcp 192.168.1.221 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.221 23 interface Dialer0 23
ip nat inside source route-map nonat interface Dialer0 overload
!
logging 192.168.1.221
access-list 1 permit any
access-list 100 permit ip any any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 100
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password xxx
!
end
Reply to
jeroen.muskee

I'm assuming you can ping the public IP from outside and that you are able to telnet to your router through the Internet as well.

Have you tried pinging with 1500-byte packets with the DF bit set?

Have you tried running any debugs?

Reply to
p_teatreeoil

On 6 Jan, 17:28, p_teatreeoil wrote:

I have a working router configuration from a while back. It has a load of unnecessary bits in it and may be too complex to help. It also has at least one point-to-point VPN.

Both the point-to-point permanent VPN and the Cisco VPN client worked.

I have not tried to strip out all of the rubbish - sorry, but I am concerned that I may miss something.

In particular check out the no-xauth. I have NO IDEA what it might do but I had to add something like it to a PIX to get the Client VPN working.

If you still have trouble let me know (here) and I might be able to have a look.

This was done years ago (3 at least) so some things may have changed.

abcuk#sh run
Building configuration...

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname abcuk
!
logging buffered 32000 debugging
no logging console
!
username abcClient password 123456
aaa new-model
!
!
aaa authentication login userauthenticate local
aaa authorization network groupauthorise local
aaa session-id common
ip domain name abcglobal.com
ip name-server 123.110.64.10
ip name-server 123.110.64.11
!
!
ip cef
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 0 fred address 123.156.40.110 no-xauth
    No-xauth probably needed; I didn't try it without.
!
crypto isakmp client configuration group 3000client
 key 0 123456789
 dns 192.168.168.1
    Wrong DNS address. CRAP. 166
 domain abclon.corp.abcglobal.com
 pool ippool
 acl split-tunnel
!
!
crypto ipsec transform-set ciscofw2 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 5
 set transform-set ciscofw2
!
!
crypto map fw1 client authentication list userauthenticate
crypto map fw1 isakmp authorization list groupauthorise
crypto map fw1 client configuration address respond
crypto map fw1 10 ipsec-isakmp
 set peer 123.156.40.110
 set security-association lifetime seconds 86400
 set transform-set ciscofw2
 match address 110
crypto map fw1 15 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 description $FW_INSIDE$ abc London ###
 ip address 192.168.166.254 255.255.255.0
 ip access-group E0-in in
 no ip redirects
 no ip proxy-arp
 ip nat inside
 no ip route-cache cef
 ip tcp adjust-mss 1392
 no ip mroute-cache
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 description $FW_OUTSIDE$ Secviced Office outside Ethernet
 ip address 213.234.103.41 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip inspect INTERNET-IN in
 ip inspect INTERNET-OUT out
 ip audit INTERNET-IN in
 ip audit INTERNET-OUT out
 no ip route-cache cef
 duplex auto
 no cdp enable
 crypto map fw1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip local pool ippool 10.10.166.1 10.10.166.254
ip nat inside source route-map nonat interface Ethernet1 overload
ip nat inside source static 192.168.166.1 213.234.103.46 route-map static-nat extendable
ip classless
ip route 0.0.0.0 0.0.0.0 213.234.103.254
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
!
!
ip access-list extended E0-in
 permit tcp 192.168.166.0 0.0.0.255 host 192.168.166.254 eq telnet
 permit tcp 192.168.166.0 0.0.0.255 any eq 3101
 permit tcp 192.168.166.0 0.0.0.255 host 192.168.166.254 eq 22
 permit tcp 192.168.166.0 0.0.0.255 host 192.168.166.254 eq www
 permit tcp 192.168.166.0 0.0.0.255 host 192.168.166.254 eq 443
 permit tcp 192.168.166.0 0.0.0.255 host 192.168.166.254 eq cmd
 permit tcp 192.168.166.0 0.0.0.255 host 192.168.166.254 eq 161
 remark Allow Crypto Traffic
 permit ip 192.168.166.0 0.0.0.255 192.168.58.0 0.0.0.255
 permit ip 192.168.166.0 0.0.0.255 host 231.123.16.125
 permit udp host 0.0.0.0 any eq bootps
 permit udp host 0.0.0.0 any eq bootpc
 permit ip any 192.168.166.0 0.0.0.255
 permit ip any 10.10.166.0 0.0.0.255
    Permit VPN Client traffic in to Inside.
 deny ip any 10.0.0.0 0.255.255.255 log
 deny ip any 127.0.0.0 0.255.255.255 log
 deny ip any 172.16.0.0 0.15.255.255 log
 deny ip any 224.0.0.0 31.255.255.255 log
 deny ip any 192.168.0.0 0.0.255.255 log
 deny ip any 192.0.2.0 0.0.0.255 log
 deny ip any 169.254.0.0 0.0.255.255 log
 deny ip any host 192.168.166.254 log
 deny ip any host 217.110.1.233 log
 permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq www
 permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq 443
 permit udp 192.168.166.0 0.0.0.255 gt 1023 any eq domain
 permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq 123
 permit udp 192.168.166.0 0.0.0.255 gt 1023 any eq ntp
 permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq 264
 permit tcp 192.168.166.0 0.0.0.255 any eq 500
 permit udp 192.168.166.0 0.0.0.255 gt 1023 any eq 554
 permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq 5800
 permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq 5900
 permit udp 192.168.166.0 0.0.0.255 gt 1023 any eq 7070
 permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq smtp
 permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq pop3
 permit tcp 192.168.166.0 0.0.0.255 gt 1023 any eq ftp
 remark Bloomberg
 permit tcp 192.168.166.0 0.0.0.255 160.43.250.0 0.0.0.255 range 8194 8294
 permit tcp 192.168.166.0 0.0.0.255 206.156.53.0 0.0.0.255 range 8194 8294
 permit tcp 192.168.166.0 0.0.0.255 205.216.112.0 0.0.0.255 range 8194 8294
 permit tcp 192.168.166.0 0.0.0.255 208.22.56.0 0.0.0.255 range 8194 8294
 permit tcp 192.168.166.0 0.0.0.255 208.22.57.0 0.0.0.255 range 8194 8294
 permit udp 192.168.166.0 0.0.0.255 160.43.250.0 0.0.0.255 range 48129 48192
 permit udp 192.168.166.0 0.0.0.255 206.156.53.0 0.0.0.255 range 48129 48192
 permit udp 192.168.166.0 0.0.0.255 205.216.112.0 0.0.0.255 range 48129 48192
 permit udp 192.168.166.0 0.0.0.255 208.22.56.0 0.0.0.255 range 48129 48192
 permit udp 192.168.166.0 0.0.0.255 208.22.57.0 0.0.0.255 range 48129 48192
 permit icmp 192.168.166.0 0.0.0.255 any
 deny tcp any any range 0 65535 log
 deny udp any any range 0 65535 log
 deny ip any any log

ip access-list extended alarm
ip access-list extended include-local-lan
ip access-list extended split-tunnel
 permit ip 192.168.166.0 0.0.0.255 any
 permit ip 192.168.58.0 0.0.0.255 any
ip access-list extended tty3
logging trap warnings

access-list 105 remark ### Client VPN Crypto Map permissions ####
access-list 105 permit ip host 192.168.166.1 any
access-list 105 deny ip any any log

access-list 110 remark crypto map abc
access-list 110 permit ip 192.168.166.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 110 permit ip 10.10.166.0 0.0.0.255 192.168.58.0 0.0.0.255

access-list 115 remark VPN Client Rule
access-list 115 remark SDM_ACL Category=4
access-list 115 permit ip any any

access-list 120 deny ip host 192.168.166.1 any
access-list 120 remark No NAT List
access-list 120 remark SDM_ACL Category=18
access-list 120 deny ip 192.168.166.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 120 deny ip 192.168.166.0 0.0.0.255 10.10.166.0 0.0.0.255
access-list 120 permit ip 192.168.166.0 0.0.0.255 any

access-list 121 remark Static NAT List
access-list 121 deny ip 192.168.166.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 121 deny ip 192.168.166.0 0.0.0.255 10.10.166.0 0.0.0.255
access-list 121 permit ip host 192.168.166.1 any

access-list 199 permit tcp any eq www any
access-list 199 permit tcp any any eq www

no cdp run

route-map static-nat permit 4
 match ip address 121
!
route-map nonat permit 5
 match ip address 120
!

Reply to
Bod43
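As an added example (not code from any post in this thread), a small Python check for the two configuration points the replies raise: Merv's advice that the VPN pool must not sit inside the LAN subnet, and the NAT exemption that Bod43's access-list 120 gives LAN-to-pool traffic by denying it before the permit. The functions `acl_term`, `parse` and `findings` and both config excerpts are constructed here; the excerpts are modelled on the posted configs but use the `ip nat inside source list` form, since the parser does not follow route-maps.

```python
import ipaddress
import re

def acl_term(tokens):
    """Consume one ACL address term (any | host A | A WILDCARD); return (network, rest)."""
    if not tokens or tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    # an IOS wildcard is a hostmask, which ipaddress accepts in place of a prefix length
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse(cfg):
    """Return (lan, pool, nat_acl_names, acl_entries) from 'show run' text."""
    lan = pool = addr = None
    nat, acls = [], {}
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"ip address (\d[\d.]*) (\d[\d.]*)$", line):
            addr = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif line == "ip nat inside":                     # the interface just seen is the LAN
            lan = addr
        elif m := re.match(r"ip local pool \S+ (\S+) (\S+)", line):
            pool = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif m := re.match(r"ip nat inside source list (\S+)", line):
            nat.append(m[1])
        elif m := re.match(r"access-list (\S+) (permit|deny) (?:ip )?((?:any|host |\d).*)", line):
            src, rest = acl_term(m[3].split())            # tcp/udp entries never reach here
            acls.setdefault(m[1], []).append((m[2], src, acl_term(rest)[0]))
    return lan, pool, nat, acls

def findings(cfg):
    """Problems found; an empty list means the pool is outside the LAN and NAT exempts LAN->pool."""
    lan, (first, last), nat, acls = parse(cfg)
    out = []
    if first in lan or last in lan:
        out.append(f"VPN pool {first}-{last} overlaps inside LAN {lan}")
    for acl in nat:
        for action, src, dst in acls.get(acl, []):
            if lan.subnet_of(src) and first in dst:       # first entry covering LAN->pool decides
                if action == "permit":
                    out.append(f"NAT ACL {acl} translates LAN->pool traffic; deny it before the permit")
                break
    return out

# Constructed excerpts modelled on the thread's configs, not verbatim copies of either post.
POSTED = """interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
ip local pool my_vpnippool 192.168.1.50 192.168.1.69
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit any"""
WORKING = """interface Ethernet0
 ip address 192.168.166.254 255.255.255.0
 ip nat inside
ip local pool ippool 10.10.166.1 10.10.166.254
ip nat inside source list 120 interface Ethernet1 overload
access-list 120 deny ip 192.168.166.0 0.0.0.255 10.10.166.0 0.0.0.255
access-list 120 permit ip 192.168.166.0 0.0.0.255 any"""
```

Running `findings(POSTED)` reports both the overlapping pool and the permit-any NAT list; `findings(WORKING)` returns an empty list. Neither check says anything about the IKE or XAUTH phase, so a clean result does not by itself explain a client that cannot log in.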

I have been trying various configs, but I do not seem to be able to get router access from a VPN client. I have found the configuration below on the web; it seems that most configs are similar, but this one does not work on my c1760. I will post my current config tomorrow, I just lost the full config.

Rgds Jeroen

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

hostname moepi-border

boot-start-marker
boot-end-marker

enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX

no aaa new-model

resource policy

clock timezone Berlin 1
clock summer-time Berlin date Mar 27 2005 2:00 Oct 31 2005 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip cef

no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.0.51 172.16.0.254
ip dhcp excluded-address 172.16.0.1 172.16.0.9
ip dhcp ping timeout 100

ip dhcp pool Moepistation
   host 172.16.0.1 255.255.255.0
   client-identifier 0100.07e9.46b9.e7
   dns-server 172.16.0.254
   default-router 172.16.0.254
   lease infinite

ip dhcp pool Moepinet
   network 172.16.0.0 255.255.255.0
   default-router 172.16.0.254
   dns-server 172.16.0.254
   lease 2

ip domain name moepinet.local
no ip ips deny-action ips-interface
ip ddns update method dyndns
 HTTP
  add http://XXXXXXXXXXXXX@63.208.196.94/nic/update?system=dyndns&hostname=&myip=
 interval maximum 0 1 0 0

crypto pki trustpoint TP-self-signed-389617976
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-389617976
 revocation-check none
 rsakeypair TP-self-signed-389617976

crypto pki certificate chain TP-self-signed-389617976
 certificate self-signed 01 nvram:IOS-Self-Sig#3601.cer

username XXXXX password 7 XXXXXXXXXXXXXXXXXX

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2

crypto isakmp client configuration group moepiremote
 key XXXXXXXXXXXXXXXXXXX
 dns 172.16.0.254
 pool moepiremotepool
 include-local-lan
 netmask 255.255.255.0

crypto ipsec transform-set remoteset esp-3des esp-sha-hmac
crypto ipsec df-bit clear

crypto dynamic-map remotedyn 10
 set transform-set remoteset

crypto map remoteclient client authentication list ipsec
crypto map remoteclient isakmp authorization list ipsec
crypto map remoteclient client configuration address respond
crypto map remoteclient 10 ipsec-isakmp dynamic remotedyn

interface Loopback0
 description Router-ID
 ip address 192.168.255.128 255.255.255.255

interface Ethernet0
 description Verbindung zum DSL Modem
 bandwidth 10240
 no ip address
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 fair-queue
 no cdp enable

interface FastEthernet0
 description LAN-Interface
 bandwidth 102400
 ip address 172.16.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 fair-queue
 no cdp enable

interface Dialer0
 description TDSL-Dialer
 mtu 1492
 bandwidth 3072
 ip ddns update hostname moepinet.dyndns.org
 ip ddns update dyndns
 ip address negotiated previous
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 keepalive 60 1
 no fair-queue
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname XXXXXXXXXXXXXX
 ppp chap password 7 XXXXXXXXXXXXXX
 ppp ipcp dns request
 crypto map remoteclient

ip local pool moepiremotepool 172.16.200.1 172.16.200.2
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0

ip dns server

no ip http server
no ip http secure-server

ip nat inside source list nat-permission interface Dialer0 overload
ip nat inside source static udp 172.16.0.1 4672 interface Dialer0 4672
ip nat inside source static tcp 172.16.0.1 4662 interface Dialer0 4662

ip access-list extended Telnet-Zugang
 permit tcp 172.16.0.0 0.0.0.255 any eq telnet
 permit tcp any any eq 22
ip access-list extended nat-permission
 deny ip 172.16.0.0 0.0.0.255 172.16.200.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 any
 deny ip 172.16.200.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip 172.16.200.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run

control-plane

line con 0
 password 7 XXXXXXXX
 logging synchronous
 login local
line aux 0
 password 7 XXXXXXXX
 logging synchronous
 login local
line vty 0 4
 access-class Telnet-Zugang in
 password 7 XXXXXXXX
 logging synchronous
 login local
 transport preferred ssh
 transport input telnet ssh

ntp clock-period 17179919
ntp peer 192.43.244.18

Reply to
jeroen.muskee
