03-18-2007 01:47 PM - edited 02-21-2020 02:55 PM
I have a 1721 connceted to DSL doing NAT overloading okay. I set up a laptop using cisco vpn client to vpn to the 1721 from a remote office, and it connects okay. However, I cannot see the LAN on the other side of the 1721, and my local LAN connection stops working as well. I have the Allow local LAN check box checked in vpn client. I noticed that my vpn client receives an ip address and gateway that are the same. I've posted my config. Please help!
Thanks,
Matt
Current configuration : 3623 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cerberus
!
boot system flash c1700-k9o3sy7-mz.122-11.T10.bin
aaa new-model
!
!
aaa group server radius RADIUS-SERVERS
server 192.168.69.1 auth-port 1645 acct-port 1646
!
aaa authentication login LOGIN group RADIUS-SERVERS local
aaa authorization network NETGROUPAUTH local
aaa session-id common
!
username xxx password xxx
username xxx password xxx
clock timezone CST -6
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
!
!
ip domain name heffnet.net
ip name-server 68.94.156.1
ip name-server 68.94.157.1
ip dhcp excluded-address 192.168.69.1 192.168.69.99
ip dhcp excluded-address 192.168.69.111 192.168.69.254
!
ip dhcp pool HEFFNET_LAN_POOL_1
network 192.168.69.0 255.255.255.0
default-router 192.168.69.254
dns-server 68.x.x.1 68.94.157.1
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNGROUP
key 8mathef8
dns 68.x.x.1 68.94.157.1
domain heffnet.net
pool VPN_CLIENT_POOL
!
!
crypto ipsec transform-set VPNSET1 esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
set transform-set VPNSET1
!
!
crypto map VPNCLIENTMAP client authentication list LOGIN
crypto map VPNCLIENTMAP isakmp authorization list NETGROUPAUTH
crypto map VPNCLIENTMAP client configuration address respond
crypto map VPNCLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
interface ATM0
description Heffnet WAN/SBC DSL Interface
no ip address
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 69
!
dsl operating-mode auto
no fair-queue
!
interface FastEthernet0
description Heffnet LAN Interface
ip address 192.168.69.254 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
speed auto
!
interface Dialer69
mtu 1492
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 69
ppp chap hostname cerberus
ppp chap password xxx
ppp pap sent-username xxx@sbcglobal.net password xxx
crypto map VPNCLIENTMAP
!
ip local pool VPN_CLIENT_POOL 192.168.69.200 192.168.69.204
ip nat inside source list INTERNAL interface Dialer69 overload
ip nat inside source static tcp 192.168.69.1 5801 interface Dialer69 5801
ip nat inside source static tcp 192.168.69.1 5901 interface Dialer69 5901
ip nat inside source static tcp 192.168.69.1 3389 interface Dialer69 3389
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer69
no ip http server
!
!
ip access-list extended INTERNAL
permit ip 192.168.69.0 0.0.0.255 any
ip access-list extended inacl
!
logging 192.168.69.1
!
alias exec s show ip interface brief
alias exec sr show running-config
!
line con 0
privilege level 15
logging synchronous
line aux 0
privilege level 15
logging synchronous
line vty 0 4
privilege level 15
logging synchronous
line vty 5 15
privilege level 15
logging synchronous
!
scheduler allocate 4000 1000
end
03-19-2007 12:38 AM
Hi,
Issueing the following commands should resolve the problem.
access-list 101 permit ip 192.168.69.0 0.0.0.255 any
crypto isakmp client configuration group VPNGROUP
acl 101
exit
int loopback 0
ip address 1.1.1.1 255.255.255.252
exit
access-list 102 permit ip 192.168.69.0 0.0.0.255 192.168.69.192 0.0.0.15
route-map policy permit 10
match add 102
set ip next-hop 1.1.1.2
exit
interface FastEthernet0
ip policy route-map policy
exit
Once the commands have been issued, try to connect and notice the difference. :-)
HTH,
Please rate if it helps,
Regards,
Kamal
03-19-2007 07:49 PM
what i don't quite understand is the purpose of access-list 102 and the next-hop of 1.1.1.2. what is 1.1.1.2?
thanks,
Matt
03-19-2007 04:27 PM
hi,
try to change the VPN_CLIENT_POOL to another IP-Subnet-Adress range cause 192.168.69.x/24 is configured on the local FastEthernet interface
regards
alex
04-04-2007 03:28 PM
I fix that little problem with the reverse-route command.
good look
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: