cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
346
Views
10
Helpful
4
Replies

vpn connects but doesn't conect

matt_heff
Level 1
Level 1

I have a 1721 connceted to DSL doing NAT overloading okay. I set up a laptop using cisco vpn client to vpn to the 1721 from a remote office, and it connects okay. However, I cannot see the LAN on the other side of the 1721, and my local LAN connection stops working as well. I have the Allow local LAN check box checked in vpn client. I noticed that my vpn client receives an ip address and gateway that are the same. I've posted my config. Please help!

Thanks,

Matt

Current configuration : 3623 bytes

!

version 12.2

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname Cerberus

!

boot system flash c1700-k9o3sy7-mz.122-11.T10.bin

aaa new-model

!

!

aaa group server radius RADIUS-SERVERS

server 192.168.69.1 auth-port 1645 acct-port 1646

!

aaa authentication login LOGIN group RADIUS-SERVERS local

aaa authorization network NETGROUPAUTH local

aaa session-id common

!

username xxx password xxx

username xxx password xxx

clock timezone CST -6

clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

ip subnet-zero

!

!

ip domain name heffnet.net

ip name-server 68.94.156.1

ip name-server 68.94.157.1

ip dhcp excluded-address 192.168.69.1 192.168.69.99

ip dhcp excluded-address 192.168.69.111 192.168.69.254

!

ip dhcp pool HEFFNET_LAN_POOL_1

network 192.168.69.0 255.255.255.0

default-router 192.168.69.254

dns-server 68.x.x.1 68.94.157.1

!

ip audit notify log

ip audit po max-events 100

vpdn enable

!

vpdn-group pppoe

request-dialin

protocol pppoe

!

!

!

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group VPNGROUP

key 8mathef8

dns 68.x.x.1 68.94.157.1

domain heffnet.net

pool VPN_CLIENT_POOL

!

!

crypto ipsec transform-set VPNSET1 esp-3des esp-sha-hmac

!

crypto dynamic-map DYNMAP 10

set transform-set VPNSET1

!

!

crypto map VPNCLIENTMAP client authentication list LOGIN

crypto map VPNCLIENTMAP isakmp authorization list NETGROUPAUTH

crypto map VPNCLIENTMAP client configuration address respond

crypto map VPNCLIENTMAP 10 ipsec-isakmp dynamic DYNMAP

!

!

!

!

interface Loopback0

ip address 10.1.1.1 255.255.255.255

!

interface ATM0

description Heffnet WAN/SBC DSL Interface

no ip address

no atm ilmi-keepalive

pvc 0/35

pppoe-client dial-pool-number 69

!

dsl operating-mode auto

no fair-queue

!

interface FastEthernet0

description Heffnet LAN Interface

ip address 192.168.69.254 255.255.255.0

ip nat inside

ip tcp adjust-mss 1452

speed auto

!

interface Dialer69

mtu 1492

ip address negotiated

ip nat outside

encapsulation ppp

dialer pool 69

ppp chap hostname cerberus

ppp chap password xxx

ppp pap sent-username xxx@sbcglobal.net password xxx

crypto map VPNCLIENTMAP

!

ip local pool VPN_CLIENT_POOL 192.168.69.200 192.168.69.204

ip nat inside source list INTERNAL interface Dialer69 overload

ip nat inside source static tcp 192.168.69.1 5801 interface Dialer69 5801

ip nat inside source static tcp 192.168.69.1 5901 interface Dialer69 5901

ip nat inside source static tcp 192.168.69.1 3389 interface Dialer69 3389

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer69

no ip http server

!

!

ip access-list extended INTERNAL

permit ip 192.168.69.0 0.0.0.255 any

ip access-list extended inacl

!

logging 192.168.69.1

!

alias exec s show ip interface brief

alias exec sr show running-config

!

line con 0

privilege level 15

logging synchronous

line aux 0

privilege level 15

logging synchronous

line vty 0 4

privilege level 15

logging synchronous

line vty 5 15

privilege level 15

logging synchronous

!

scheduler allocate 4000 1000

end

4 Replies 4

Kamal Malhotra
Cisco Employee
Cisco Employee

Hi,

Issueing the following commands should resolve the problem.

access-list 101 permit ip 192.168.69.0 0.0.0.255 any

crypto isakmp client configuration group VPNGROUP

acl 101

exit

int loopback 0

ip address 1.1.1.1 255.255.255.252

exit

access-list 102 permit ip 192.168.69.0 0.0.0.255 192.168.69.192 0.0.0.15

route-map policy permit 10

match add 102

set ip next-hop 1.1.1.2

exit

interface FastEthernet0

ip policy route-map policy

exit

Once the commands have been issued, try to connect and notice the difference. :-)

HTH,

Please rate if it helps,

Regards,

Kamal

what i don't quite understand is the purpose of access-list 102 and the next-hop of 1.1.1.2. what is 1.1.1.2?

thanks,

Matt

at
Level 1
Level 1

hi,

try to change the VPN_CLIENT_POOL to another IP-Subnet-Adress range cause 192.168.69.x/24 is configured on the local FastEthernet interface

regards

alex

I fix that little problem with the reverse-route command.

good look

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: