VPN Issue

Hi, sorry to repost, but I'm still having issues. Is anyone able to assist?

Thanks

Tomasz

Hi,

I have set up remote VPN access to use with the Cisco remote VPN client software. I can connect and authenticate, but that's it: once connected I cannot access any resources and cannot ping any clients inside the network. I know it's something stupid I'm missing, but my head is sore from banging it against the wall. Please help, config below:

Current configuration : 5988 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname C837CON-SS-S1-1
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXXXXXXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXXXXXX
!
aaa new-model
!
aaa authorization network remotevpn local
aaa session-id common
!
resource manager
!
ip subnet-zero
!
no ip dhcp use vrf connected
!
ip cef
no ip domain lookup
ip name-server 210.15.254.240
ip name-server 210.15.254.241
no ip ips deny-action ips-interface
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
 ip mtu adjust
!
no ftp-server write-enable
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local vpnpool
!
crypto isakmp client configuration group remotevpn
 key XXXXXXXXXXXXXXXX
 pool vpnpool
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 1
 set transform-set ESP-3DES-MD5
 reverse-route
!
crypto map dymap 1 ipsec-isakmp dynamic dynmap
!
crypto map dynmap isakmp authorization list remotevpn
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 ip address 192.168.24.1 255.255.248.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 244 in
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 2
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname XXXXXXXXXXXXXXXXXXXXXX
 ppp chap password 7 XXXXXXXXXXXXXXXXXXXXXXXXX
 crypto map dynmap
!
ip local pool vpnpool 192.168.254.1 192.168.254.20
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 100 permit tcp any host 192.168.24.1 eq telnet
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq ftp
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp host 192.168.24.2 any eq 500
access-list 100 permit udp host 192.168.24.2 any eq isakmp
access-list 100 permit tcp any any eq 4899
access-list 100 permit tcp host 192.168.24.3 any eq 500
access-list 100 permit udp host 192.168.24.3 any eq isakmp
access-list 100 permit udp any any eq 4899
access-list 101 deny tcp any any eq telnet
access-list 101 deny tcp any any eq domain
access-list 101 deny udp any any eq domain
access-list 101 deny tcp any any eq 55
access-list 101 deny udp any any eq 55
access-list 101 deny tcp any any eq 77
access-list 101 deny udp any any eq 77
access-list 101 deny tcp any any eq pim-auto-rp
access-list 101 deny udp any any eq pim-auto-rp
access-list 101 deny tcp any any eq www
access-list 101 deny tcp any any eq ftp-data
access-list 101 deny tcp any any eq ftp
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any any eq smtp
access-list 101 deny tcp any any eq 59
access-list 101 deny tcp any any eq finger
access-list 101 deny tcp any any eq pop3
access-list 101 deny tcp any any eq ident
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny tcp any any eq 139
access-list 101 deny tcp any any eq 443
access-list 101 deny tcp any any eq 1080
access-list 101 deny tcp any any eq 8080
access-list 101 permit ip any any
dialer-list 2 protocol ip permit
no cdp run
!
control-plane
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 password 7 XXXXXXXXXXXXXXXXXXXXXXX
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end

Tomasz

1. Your NAT ACL: you need to change it to an extended one and deny the internal to the VPN subnet from being NAT'd.

no ip nat inside source list 1 interface Dialer0 overload
no access-list 1
access-list 111 deny ip 192.168.0.0 0.0.7.255 192.168.254.0 0.0.0.255
access-list 111 permit ip 192.168.0.0 0.0.7.255 any
ip nat inside source list 111 interface Dialer0 overload

2. Your ACL on the inside interface: you need to allow the internal to talk to the VPN subnet.

access-list 100 permit ip 192.168.0.0 0.0.7.255 192.168.254.0 0.0.0.255

-Brian

Brian V
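To check what the NAT access list in point 1 does before committing it to a router, here is an added example (not from the thread) that evaluates Cisco-style NAT ACLs first-match with wildcard masks for LAN-to-VPN-pool and LAN-to-Internet packets. It tests the original standard ACL 1, the ACL 111 lines exactly as given in the reply, and the same two lines with the source range derived from the Ethernet0 address in the posted config (192.168.24.1 255.255.248.0, i.e. 192.168.24.0 0.0.7.255); the host addresses are constructed.

```python
import ipaddress

def wildcard_to_network(addr, wildcard):
    """Cisco wildcard mask -> network: 0 bits must match, 1 bits are don't-care.
    Only contiguous wildcards (the normal case) are supported."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc != (1 << wc.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))

def parse_acl(lines):
    """Parse standard ('permit <src>') and extended ('permit ip <src> <dst>') lines
    into (action, src_net, dst_net) tuples in the order the router evaluates them."""
    entries = []
    for line in lines:
        tokens = line.split()
        action, rest = tokens[2], tokens[3:]
        if rest[0] == "ip":                      # extended ACL: source and destination
            rest = rest[1:]
            src = _take_addr(rest)
            dst = _take_addr(rest)
        else:                                    # standard ACL: source only, any destination
            src = _take_addr(rest)
            dst = ipaddress.IPv4Network("0.0.0.0/0")
        entries.append((action, src, dst))
    return entries

def nat_applies(acl_lines, src_ip, dst_ip):
    """True when the NAT ACL permits (= translates) a packet from src_ip to dst_ip."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in parse_acl(acl_lines):
        if s in src and d in dst:
            return action == "permit"
    return False                                 # implicit deny: no translation

# NAT ACL lines as they appear in the thread
ORIGINAL_ACL = ["access-list 1 permit 192.168.0.0 0.0.255.255"]
REPLY_ACL = ["access-list 111 deny ip 192.168.0.0 0.0.7.255 192.168.254.0 0.0.0.255",
             "access-list 111 permit ip 192.168.0.0 0.0.7.255 any"]
# Same two lines with the source taken from Ethernet0 (192.168.24.1 255.255.248.0)
LAN_ACL = ["access-list 111 deny ip 192.168.24.0 0.0.7.255 192.168.254.0 0.0.0.255",
           "access-list 111 permit ip 192.168.24.0 0.0.7.255 any"]
# Constructed sample hosts: a LAN PC, a VPN client from the pool, an Internet host
LAN_HOST, VPN_CLIENT, INTERNET = "192.168.24.50", "192.168.254.5", "203.0.113.10"
```

Running the checks shows the original ACL 1 translating LAN-to-VPN traffic (the symptom in the thread), while an ACL whose source wildcard does not cover the Ethernet0 range matches neither line and so stops translating Internet-bound traffic too.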

Thank you Brian, will try this today.

Tomasz

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.