CISCO VPN WON'T PASS TRAFFIC

Hi,

I am trying to set up a Cisco 2651 router to allow remote users to connect via Cisco VPN client 4.0.1 and be able to access resources on the internal network.

I am using IOS 12.3(8)T

The basic setup is:

VPN CLIENT (behind NAT) ----- Internet ------ DSL modem ---- 2651 Router ---- local users

The 2651 dials the PPPoE to obtain my connection to the ISP (I do not have a static IP).

The VPN clients receive 192.168.2.X addresses and local users receive 192.168.15.X addresses.

I have no problem getting the VPN clients to authenticate, but after this I cannot pass any traffic on the local network or on the internet.

I have tried so many combinations of ACLs (I removed most of them now to make things cleaner to read), and I'm not sure if NAT is also causing any problems.

My config is below. Thanks in advance! n2c

Router>enable
Router#show run
Building configuration...

Current configuration : 3471 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
username XXXXX password 0 XXXXXX
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
aaa authentication login userlist local
aaa authorization network grouplist local
aaa session-id common
ip subnet-zero
!
ip cef
no ip domain lookup
ip ips po max-events 100
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group XXXXXX
 key XXXXXX
 pool vpnpoolTEST
!
crypto ipsec transform-set TRANS esp-aes esp-md5-hmac
!
crypto dynamic-map MAP1 1
 set transform-set TRANS
!
crypto map MAP1 client authentication list userlist
crypto map MAP1 isakmp authorization list grouplist
crypto map MAP1 client configuration address respond
crypto map MAP1 1 ipsec-isakmp dynamic MAP1
!
interface FastEthernet0/0
 no ip address
 shutdown
 speed auto
 full-duplex
!
interface FastEthernet0/1
 no ip address
 shutdown
 speed auto
 full-duplex
!
interface Ethernet1/0
 no ip address
 ip tcp adjust-mss 1452
 full-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Ethernet1/1
 no ip address
 shutdown
!
interface Ethernet1/2
 no ip address
 shutdown
!
interface Ethernet1/3
 ip address 192.168.15.21 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 full-duplex
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxx
 ppp chap password 0 xxxxxxx
 ppp pap sent-username xxxxxxx password 0 xxxxxx
 crypto map MAP1
!
ip local pool vpnpoolTEST 192.168.2.50 192.168.2.65
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.1.0 255.255.255.0 Ethernet1/1
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.15.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end

new2cisco

here are the changes:

access-list 101 deny ip 192.168.15.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.15.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer1 overload

access-list 102 deny ip 192.168.15.0 0.0.0.255 192.168.2.0 0.0.0.255

crypto isakmp client configuration group XXXXXX acl 102

crypto ipsec nat-transparency udp-encapsulation

rave
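To show why the NAT list change in the reply above matters, here is an added illustration (not part of the thread) that evaluates the original standard list 1 and the replacement extended list 101 the way IOS does, first match with wildcard masks and an implicit deny, against a LAN-to-VPN-client flow. It assumes the thread's addresses (192.168.15.0/24 LAN, 192.168.2.0/24 client pool, host 192.168.15.205) and a constructed Internet destination 203.0.113.10.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

ANY = ("0.0.0.0", "255.255.255.255")   # the IOS keyword "any" as address/wildcard


@dataclass
class AclEntry:
    """One access-list line. IOS wildcard masks: a 1 bit means 'don't care'."""
    action: str            # "permit" or "deny"
    src: str
    src_wild: str
    dst: str = ANY[0]      # standard ACLs (like list 1) only look at the source
    dst_wild: str = ANY[1]


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """True when addr equals base on every bit the wildcard marks as significant."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl: List[AclEntry], src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for entry in acl:
        if wildcard_match(src, entry.src, entry.src_wild) and \
           wildcard_match(dst, entry.dst, entry.dst_wild):
            return entry.action
    return "deny"


def is_translated(nat_acl: List[AclEntry], src: str, dst: str) -> bool:
    """'ip nat inside source list N' translates a flow only when list N permits it."""
    return evaluate(nat_acl, src, dst) == "permit"


# The thread's original NAT list (standard ACL 1) ...
ACL_1 = [AclEntry("permit", "192.168.2.0", "0.0.0.255"),
         AclEntry("permit", "192.168.15.0", "0.0.0.255")]
# ... and the replacement suggested in the reply (extended ACL 101).
ACL_101 = [AclEntry("deny", "192.168.15.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
           AclEntry("permit", "192.168.15.0", "0.0.0.255")]

LAN_HOST, VPN_CLIENT = "192.168.15.205", "192.168.2.50"   # addresses from the thread
INTERNET_HOST = "203.0.113.10"                            # constructed, documentation range

if __name__ == "__main__":
    for name, acl in (("list 1", ACL_1), ("list 101", ACL_101)):
        # LAN replies to a VPN client must not be translated, or the LAN host's address is
        # rewritten to the Dialer1 address and the client never sees a reply from the host it asked.
        print(name, "LAN->VPN client translated:", is_translated(acl, LAN_HOST, VPN_CLIENT))
        print(name, "LAN->Internet translated:  ", is_translated(acl, LAN_HOST, INTERNET_HOST))
```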

thank you for your reply.... I will try this tomorrow for sure!

new2cisco

OK, I tried the changes suggested (thanks again, btw)... I then tried to change the ACLs (which may be messing things up).

So far, I've noticed the following:

When my remote client connects to the VPN, he gets the 192.168.2.X address. He can now ping the local user (192.168.15.X) and he can ping a destination on the internet (although I think the ping is not going through the VPN tunnel).

The main issue however is that although the VPN client can now ping local users on my LAN, he cannot pass any other traffic (for example, telnet or accessing shared folders)... Also, he can ping local users, for example 192.168.15.205, but cannot ping the interface on the router, 192.168.15.21 - is this normal?

I'd appreciate any help! thanks!

Router#show run
Building configuration...

Current configuration : 3778 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
username XXXXXX password 0 XXXXXX
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
aaa authentication login userlist local
aaa authorization network grouplist local
aaa session-id common
ip subnet-zero
!
ip dhcp excluded-address 192.168.15.1 192.168.15.200
!
ip dhcp pool poolTEST
 network 192.168.15.0 255.255.255.0
 default-router 192.168.15.21
!
ip cef
no ip domain lookup
ip ips po max-events 100
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group XXXXXX
 key XXXXXX
 pool vpnpoolTEST
 acl 102
!
crypto ipsec transform-set TRANS esp-aes esp-md5-hmac
!
crypto dynamic-map MAP1 1
 set transform-set TRANS
!
crypto map MAP1 client authentication list userlist
crypto map MAP1 isakmp authorization list grouplist
crypto map MAP1 client configuration address respond
crypto map MAP1 1 ipsec-isakmp dynamic MAP1
!
interface FastEthernet0/0
 no ip address
 shutdown
 speed auto
 full-duplex
!
interface FastEthernet0/1
 no ip address
 shutdown
 speed auto
 full-duplex
!
interface Ethernet1/0
 no ip address
 ip tcp adjust-mss 1452
 full-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Ethernet1/1
 no ip address
 shutdown
!
interface Ethernet1/2
 no ip address
 shutdown
!
interface Ethernet1/3
 ip address 192.168.15.21 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 full-duplex
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXX
 ppp chap password 0 XXXXXX
 ppp pap sent-username XXXXX password 0 XXXXX
 crypto map MAP1
!
ip local pool vpnpool 192.168.1.80 192.168.1.95
ip local pool vpnpoolTEST 192.168.2.50 192.168.2.65
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.1.0 255.255.255.0 Ethernet1/1
!
ip http server
no ip http secure-server
ip nat inside source list 101 interface Dialer1 overload
!
access-list 1 permit 192.168.2.0
access-list 1 permit 192.168.15.0
access-list 101 permit ip 192.168.15.0 0.0.0.255 any
access-list 102 deny ip 192.168.15.0 0.0.0.255 192.168.2.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end

new2cisco

Hi,

Add the command "reverse-route" under "crypto dynamic-map MAP1 1".

Ravikumar
