Issue creating VPN

Answered Question
Feb 22nd, 2007

My issue is that when the VPN is configured and I try running a tracert to one of my remote PCs on the other side of the VPN, the VPN router is sending the information to the Internet and not attempting to open the tunnel. What am I doing wrong?

I'm using a Cisco 1700 router and connecting to a Cisco 3030 VPN concentrator.

Current configuration : 1522 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
ip cef
ip audit po max-events 100
!
crypto isakmp policy 9
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key (Shared Key) address (IP ADDRESS of peer)
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
!
crypto map crypmap 1 ipsec-isakmp
 set peer (IP ADDRESS of peer)
 set transform-set TS1
 match address 101
!
interface Ethernet0
 ip address (IP ADDRESS)
 ip nat outside
 half-duplex
 crypto map crypmap
!
interface FastEthernet0
 ip address (IP ADDRESS)
 ip nat inside
 speed auto
!
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 (Default router)
no ip http server
no ip http secure-server
!
access-list 1 permit any
access-list 101 permit ip host (HOST on Local using NAT) host (Remote host 1)
access-list 101 permit ip host (HOST on Local using NAT) host (Remote host 2)
access-list 101 permit ip host (HOST on Local using NAT) host (Remote host 3)
access-list 101 permit ip host (HOST on Local using NAT) host (Remote host 4)
!
line con 0
line aux 0
line vty 0 4
 password 7 PASSWORD
 login
!
end

Correct Answer by spremkumar about 9 years 7 months ago

Hi Jim,

You need to modify the access-list statement and also the NAT overload statement.

You need to deny the traffic between the two VPN networks from getting NATted.

You can verify against the link below when configuring the same:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009448f.shtml

Regards

jimwysocki Fri, 02/23/2007 - 06:20

I've added the route map and configured it like the sample in the link provided (at least to the best of my knowledge), and the router is still routing the information to the Internet and not attempting to open the tunnel (pardon me if it is an obvious answer; I'm quite a novice at routers).

Current configuration : 1563 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret ****
enable password ***
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
ip cef
ip audit po max-events 100
!
crypto isakmp policy 9
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key (KEY) address (PEER IP)
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
!
crypto map map 1 ipsec-isakmp
 set peer 209.*.*.230
 set transform-set TS1
 match address 101
!
interface Ethernet0
 ip address (IP) 255.255.255.240
 ip nat outside
 half-duplex
 crypto map map
!
interface FastEthernet0
 ip address 192.168.230.52 255.255.255.0
 ip nat inside
 speed auto
!
ip nat inside source route-map nat interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 (GATEWAY)
no ip http server
no ip http secure-server
!
access-list 101 permit ip host 192.168.230.21 host (remote ip 1)
access-list 101 permit ip host 192.168.230.21 host (remote ip 2)
access-list 101 permit ip host 192.168.230.21 host (remote ip 3)
access-list 101 permit ip host 192.168.230.21 host (remote ip 4)
access-list 111 permit ip any host (remote ip 1)
access-list 111 permit ip any host (remote ip 2)
access-list 111 permit ip any host (remote ip 3)
access-list 111 permit ip any host (remote ip 4)
!
route-map nat permit 10
 match ip address 111
!
line con 0
line aux 0
line vty 0 4
 password ***
 login
!
end
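The point spremkumar's answer makes, and the reason the second config still bypasses the tunnel, is order of operations on IOS: for a packet going inside-to-outside, NAT is applied before the crypto map on the outbound interface is consulted. Once the source has been rewritten to the Ethernet0 address the packet no longer matches ACL 101, so it is forwarded in the clear. The original `access-list 1 permit any` NATs everything (a standard ACL cannot match on destination, hence the route-map), and the revised route-map does the opposite of what is needed: ACL 111 permits exactly the VPN traffic, so it is the VPN traffic that gets translated. The NAT ACL has to deny the VPN flows first and permit the rest afterwards. The fragment below is an added example, not configuration from the thread; it reuses 192.168.230.21 and the ACL and route-map numbers from the post, and `REMOTE_HOST_1`..`REMOTE_HOST_4` and `PEER_IP` are placeholders for the addresses the poster redacted.

```cisco
! Added example (not the poster's config). Replace REMOTE_HOST_n and PEER_IP with the
! real addresses; 192.168.230.21 is the local host from the thread.

! Crypto ACL: the traffic that must be encrypted. It must mirror the network list
! on the 3030 exactly (host-to-host here), or phase 2 fails with a proxy-identity
! mismatch even though phase 1 completes.
access-list 101 permit ip host 192.168.230.21 host REMOTE_HOST_1
access-list 101 permit ip host 192.168.230.21 host REMOTE_HOST_2
access-list 101 permit ip host 192.168.230.21 host REMOTE_HOST_3
access-list 101 permit ip host 192.168.230.21 host REMOTE_HOST_4

! NAT ACL: DENY the VPN flows first (the fix), then permit the rest of the LAN.
! A deny here means "route-map does not match", i.e. no translation for that flow.
access-list 111 deny   ip host 192.168.230.21 host REMOTE_HOST_1
access-list 111 deny   ip host 192.168.230.21 host REMOTE_HOST_2
access-list 111 deny   ip host 192.168.230.21 host REMOTE_HOST_3
access-list 111 deny   ip host 192.168.230.21 host REMOTE_HOST_4
access-list 111 permit ip 192.168.230.0 0.0.0.255 any

route-map nat permit 10
 match ip address 111

ip nat inside source route-map nat interface Ethernet0 overload

! Crypto settings as in the thread (3DES/MD5/group 2 on both phases).
crypto isakmp policy 9
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key (KEY) address PEER_IP
!
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
!
crypto map VPNMAP 1 ipsec-isakmp
 set peer PEER_IP
 set transform-set TS1
 match address 101
!
interface Ethernet0
 ip nat outside
 crypto map VPNMAP
!
interface FastEthernet0
 ip nat inside
```

After applying it, clear any stale translations with `clear ip nat translation *`, send traffic from 192.168.230.21 to one of the remote hosts, and check in this order: `show access-list 101` (the matching line's hit count should increase), `show crypto isakmp sa` (a phase 1 SA to the peer in state QM_IDLE), and `show crypto ipsec sa` (encaps/decaps counters climbing). If `show ip nat translations` still shows an entry for 192.168.230.21 to a remote host, the deny lines in ACL 111 are not being hit and NAT is still winning. `debug crypto isakmp` on the 1700 shows whether the router even attempts phase 1 when the packet arrives. The crypto map is renamed `VPNMAP` only because `crypto map map` in the post is legal but easy to misread; keep the poster's name if you prefer. 3DES, MD5 and DH group 2 are kept here because that is what the concentrator in the thread is set up for; for anything built today, use AES and SHA-2 with a larger DH group on both ends.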
