I'm trying to establish an IPSec VPN connection between a remote PC and a 1720 router using the Cisco VPN client 4.0.3. The initialization and authentication seem to be OK but I can't connect to anything once the session is set up. I must have read through 100+ posts with similar problems and scoured cisco.com but after 13 hours of trying every combination of route-maps, ACLs, etc. I can find I've still come up short.
Since the session setup is working, I'm thinking it's an ACL and/or NAT issue. I opened up UDP port 500 (ISAKMP) and ESP. The remote PC is connecting to Ethernet0.
PC ---- INT E0 (1720) INT F0 --- Internal network
!
! Last configuration change at 21:41:08 EST Sun Mar 13 2005
! NVRAM config last updated at 21:11:44 EST Sun Mar 13 2005
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1720Router
!
no logging console
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
!
username vpntestuser password 7 xxxxxxxxxx
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
!
!
no ip domain lookup
ip domain name mydomain.local
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 40 5
!
crypto isakmp client configuration group vpngroup
 key abcd1234
 dns 24.25.4.107 24.25.4.108
 domain mydomain.local
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 description WAN_10MBPS
 ip address dhcp
 ip access-group filterin in
 ip access-group filterout out
 no ip redirects
 no ip unreachables
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 full-duplex
 no cdp enable
 crypto map clientmap
!
interface Ethernet1
 no ip address
 shutdown
 half-duplex
!
interface FastEthernet0
 description LAN_100MBPS
 ip address 10.0.1.3 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 speed auto
 full-duplex
!
ip local pool ippool 10.0.2.1 10.0.2.200
ip nat inside source static tcp 10.0.1.11 80 interface Ethernet0 80
ip nat inside source route-map nonat interface Ethernet0 overload
ip classless
!
!
ip access-list extended filterin
 permit udp any eq bootps any eq bootpc log-input
 deny ip 127.0.0.0 0.255.255.255 any log-input
 deny ip 172.16.0.0 0.15.255.255 any log-input
 deny ip 192.168.0.0 0.0.255.255 any log-input
 deny ip 224.0.0.0 15.255.255.255 any log-input
 permit icmp any any packet-too-big
 permit icmp any any echo-reply
 evaluate packets
 permit tcp any gt 1023 any eq www
 permit udp any any eq isakmp
 permit esp any any
 deny ip any any log-input
ip access-list extended filterout
 permit ip any any reflect packets
ip access-list extended service
!
logging 10.0.1.11
access-list 11 permit 10.0.1.0 0.0.0.255
access-list 11 permit 10.0.2.0 0.0.0.255
access-list 105 deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 105 permit ip 10.0.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 105
!
!
line con 0
line aux 0
line vty 0 4
 access-class 11 in
 password 7 xxxxxxxxxxxxx
 transport input telnet
!
end
Any help would be appreciated.
Brian
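One check worth running against the posted config, as an added example that is not part of Brian's post: on IOS releases before 12.3(8)T a packet decrypted by the crypto map is evaluated a second time against the inbound interface ACL, so the script below models the posted filterin and access-list 105 entries in Python and walks a constructed pool-client packet (10.0.2.5 to 10.0.1.11) and the NAT-exemption decision through them. The host addresses and ports are constructed, not taken from the thread.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def net(addr, wildcard):
    """Convert an IOS 'address wildcard-mask' pair into an ip_network."""
    mask = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)

# Entries: (action, proto, src, dst, minimum source port, destination port); None = any.
# bootp/icmp lines cannot match TCP/UDP and are omitted; 'evaluate packets' is skipped
# because a flow the VPN client initiates has no reflexive state to match.
FILTERIN = [
    ("deny",   "ip",  net("127.0.0.0", "0.255.255.255"),  ANY, None, None),
    ("deny",   "ip",  net("172.16.0.0", "0.15.255.255"),  ANY, None, None),
    ("deny",   "ip",  net("192.168.0.0", "0.0.255.255"),  ANY, None, None),
    ("deny",   "ip",  net("224.0.0.0", "15.255.255.255"), ANY, None, None),
    ("permit", "tcp", ANY, ANY, 1024, 80),    # permit tcp any gt 1023 any eq www
    ("permit", "udp", ANY, ANY, None, 500),   # permit udp any any eq isakmp
    ("permit", "esp", ANY, ANY, None, None),  # permit esp any any
    ("deny",   "ip",  ANY, ANY, None, None),  # deny ip any any log-input
]

# access-list 105, used by route-map nonat: a deny here means "do not translate".
ACL105 = [
    ("deny",   "ip", net("10.0.1.0", "0.0.0.255"), net("10.0.2.0", "0.0.0.255"), None, None),
    ("permit", "ip", net("10.0.1.0", "0.0.0.255"), ANY, None, None),
]

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Return the action of the first matching entry, or the implicit 'deny'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, min_sport, dp in acl:
        if p != "ip" and p != proto:
            continue
        if s not in snet or d not in dnet:
            continue
        if min_sport is not None and (sport is None or sport < min_sport):
            continue
        if dp is not None and dport != dp:
            continue
        return action
    return "deny"

def nat_applies(src, dst):
    """True when the overload NAT selected by route-map nonat would translate src -> dst."""
    return evaluate(ACL105, "ip", src, dst) == "permit"

def decrypted_client_packet(dport):
    """Constructed pool client 10.0.2.5 -> LAN host 10.0.1.11, re-checked against filterin."""
    return evaluate(FILTERIN, "tcp", "10.0.2.5", "10.0.1.11", sport=40000, dport=dport)
```

Walking the entries shows the client's tcp/80 packet accepted only by the `permit tcp any gt 1023 any eq www` line while tcp/445 falls through to the final deny, and the LAN reply to the pool exempted from NAT by the deny in access-list 105.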