03-22-2007 07:49 PM - edited 02-21-2020 02:56 PM
I can connect with the VPN client to my 1721 at the office and get an IP address, but I do not receive a default gateway and cannot access the office LAN from home. What is wrong with my config?
Thanks!
Current configuration : 3795 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cerberus
!
boot system flash c1700-k9o3sy7-mz.122-11.T10.bin
aaa new-model
!
!
aaa group server radius RADIUS-SERVERS
 server 192.168.69.1 auth-port 1645 acct-port 1646
!
aaa authentication login LOGIN group RADIUS-SERVERS local
aaa authorization network NETGROUPAUTH local
aaa session-id common
!
username x password x
username x password x
clock timezone CST -6
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
!
!
ip domain name heffnet.net
ip name-server 68.x.x.1
ip name-server 68.x.x.1
ip dhcp excluded-address 192.168.69.1 192.168.69.99
ip dhcp excluded-address 192.168.69.111 192.168.69.254
!
ip dhcp pool HEFFNET_LAN_POOL_1
 network 192.168.69.0 255.255.255.0
 default-router 192.168.69.254
 dns-server 68.94.156.1 68.94.157.1
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNGROUP
 key 8mathef8
 dns 68.x.x.1 68.94.157.1
 domain heffnet.net
 pool VPN_CLIENT_POOL
 acl 102
!
!
crypto ipsec transform-set VPNSET1 esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set VPNSET1
!
!
crypto map VPNCLIENTMAP client authentication list LOGIN
crypto map VPNCLIENTMAP isakmp authorization list NETGROUPAUTH
crypto map VPNCLIENTMAP client configuration address respond
crypto map VPNCLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
interface Loopback0
 ip address 1.1.x.x.255.255.252
!
interface ATM0
 description Heffnet WAN/SBC DSL Interface
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 69
 !
 dsl operating-mode auto
 no fair-queue
!
interface FastEthernet0
 description Heffnet LAN Interface
 ip address 192.168.69.254 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 ip policy route-map VPN_MAP
 speed auto
!
interface Dialer69
 mtu 1492
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 69
 ppp chap hostname cerberus
 ppp chap password xxx
 ppp pap sent-username xxx@sbcglobal.net password xxx
 crypto map VPNCLIENTMAP
!
ip local pool VPN_CLIENT_POOL 192.168.70.200 192.168.70.204
ip nat inside source list INTERNAL interface Dialer69 overload
ip nat inside source static tcp 192.168.69.1 3389 interface Dialer69 3389
ip nat inside source static tcp 192.168.69.1 5901 interface Dialer69 5901
ip nat inside source static tcp 192.168.69.1 5801 interface Dialer69 5801
ip nat inside source static tcp 192.168.69.1 20 interface Dialer69 20
ip nat inside source static tcp 192.168.69.1 21 interface Dialer69 21
ip nat inside source static tcp 192.168.69.1 22000 interface Dialer69 22000
ip nat inside source static udp 192.168.69.1 22000 interface Dialer69 22000
ip nat inside source static udp 192.168.69.1 21 interface Dialer69 21
ip nat inside source static udp 192.168.69.1 20 interface Dialer69 20
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer69
ip route 0.0.0.0 0.0.0.0 Loopback0
no ip http server
!
!
ip access-list extended INTERNAL
 permit ip 192.168.69.0 0.0.0.255 any
!
logging 192.168.69.1
access-list 102 permit ip 192.168.70.0 0.0.0.255 any
!
route-map VPN_MAP permit 10
 match ip address 101
 set ip next-hop 1.1.1.2
!
alias exec s show ip interface brief
alias exec sr show running-config
!
line con 0
 privilege level 15
 logging synchronous
line aux 0
 privilege level 15
line vty 0 4
 privilege level 15
line vty 5 15
 privilege level 15
!
scheduler allocate 4000 1000
end
03-22-2007 08:09 PM
Almost forgot...
I have this in my config as well -
access-list 102 permit ip 192.168.69.0 0.0.0.255 192.168.69.192 0.0.0.15
03-23-2007 07:20 AM
Hi Matt,
Please configure the following commands and let me know how it goes.
access-list 105 permit ip 192.168.69.0 0.0.0.255 192.168.70.0 0.0.0.255
route-map policy permit 10
match ip address 105
set ip next-hop 1.1.1.2
exit
interface FastEthernet0
ip policy route-map policy
exit
HTH,
Please rate if it helps,
Regards,
Kamal
03-23-2007 04:32 AM
Hello,
Seems like your NAT is not configured properly.
Add this statement in your config.
ip access-list extended INTERNAL
10 deny ip 192.168.69.0 0.0.0.255 192.168.70.0 0.0.0.255
Let me know how it works out.
Thanks
Gilbert
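Added example, not part of the thread and not any poster's code: a small first-match evaluator for the NAT ACL INTERNAL, showing that the posted entry selects LAN-to-VPN-pool traffic for translation and that the suggested deny entry exempts it. It assumes the deny is evaluated ahead of the existing permit, handles only "ip" entries written as "any" or address plus wildcard, and uses 203.0.113.10 as a constructed Internet host.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_ace(line):
    """Parse '[seq] permit|deny ip SRC DST'; SRC/DST is 'any' or 'addr wildcard'."""
    tok = line.split()
    if tok and tok[0].isdigit():      # drop an optional sequence number
        tok = tok[1:]
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    specs, rest = [], tok[2:]
    while rest:
        if rest[0] == "any":
            specs.append((0, 0xFFFFFFFF))
            rest = rest[1:]
        elif len(rest) >= 2:
            specs.append((to_int(rest[0]), to_int(rest[1])))
            rest = rest[2:]
        else:
            raise ValueError(f"address without wildcard: {line!r}")
    if len(specs) != 2:
        raise ValueError(f"expected source and destination: {line!r}")
    return tok[0], specs[0], specs[1]

def matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF     # wildcard bit 1 = ignore, 0 = must match
    return (addr & care) == (base & care)

def evaluate(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl:
        action, s, d = parse_ace(line)
        if matches(to_int(src), s) and matches(to_int(dst), d):
            return action
    return "deny"

def is_translated(acl, src, dst):
    """For 'ip nat inside source list <acl>', permit means translate."""
    return evaluate(acl, src, dst) == "permit"

# ACL INTERNAL as posted, and with the suggested deny placed first (assumed order).
INTERNAL_POSTED = ["permit ip 192.168.69.0 0.0.0.255 any"]
INTERNAL_EXEMPT = ["deny ip 192.168.69.0 0.0.0.255 192.168.70.0 0.0.0.255"] + INTERNAL_POSTED

if __name__ == "__main__":
    for name, acl in (("posted", INTERNAL_POSTED), ("exempt", INTERNAL_EXEMPT)):
        # 192.168.70.200 is in VPN_CLIENT_POOL; 203.0.113.10 is a constructed Internet host
        for dst in ("192.168.70.200", "203.0.113.10"):
            print(name, dst, "NAT" if is_translated(acl, "192.168.69.1", dst) else "no NAT")
```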