[Config] 877 VPN - Please Help

imranmohammed
Level 1

Hello,

I wonder if someone could help me, as I'm pretty stuck.

I am trying to establish the following VPN setup:

Mobile Remote User > Internet > Cisco VPN > Server (some service)

Using SDM I selected the "Easy VPN Server" deployment.

I am able to connect remotely via the Cisco Client Dialler, connection is made fine and I am able to ping 192.168.1.1 where the standard ping results are returned.

I have a server running IIS on 192.168.1.20; however, I cannot ping that server. I am going to install some software on that particular server which users can remotely synchronise to, and I'm unsure as to what to do.

Configuration attached

Thanks in advance

8 Replies

ggilbert
Cisco Employee

Hello,

Some things to check on.

a. What is the default gateway on the server?

b. Does the server have more than one NIC?

c. If it does, can you shut down the second NIC and see if it works?

d. You can run debug on the router to see if we even get the packet back and respond to the client.

These are some troubleshooting steps.

Thanks

Gilbert

Hello Gilbert,

>a. What is the default gateway on the server?

192.168.1.1

>b. Does the server have more than one NIC?

Just one NIC

>d. You can run debug on the router to see if we even get the packet back and respond to the client.

How do I go about doing this?

Someone has mentioned that the IP allocation to VPN clients is from the same pool as the local LAN, and that instead of 192.168.1.1 it should be 192.168.2.1??

Thanks

It is suggested to be a different pool than the local subnet.

Try to change the pool for the vpn client pools and see if it works.

Post the config after that.

Thanks

gilbert

Hi,

Thanks for your help so far.

You were right; I had to allocate a different IP pool to VPN clients, so I went for

192.168.2.1 to 192.168.2.10

VPN works fine, can ping internal IPs - 192.168.1.20 etc.

Questions:-

1) How can I access (as a remote user) the Internet and use the VPN at the same time? I am using the Cisco Client Dialler and every time I connect to the VPN it won't allow me to browse the Internet.

2) I can browse computers by IP in Windows, i.e. \\192.168.1.20\, and not by name, as that uses "broadcast" or something?

Updated config attached*

*(may look different as I had to power down the router, previous config was wiped!)

Good to know that it works.

Answering your questions:

1. To access the internet when you have the VPN client connected, you need to enable something called split tunneling.

a. create an ACL

eg: access-list 180 per ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

b. Apply this ACL to your group settings:

eg:

crypto isakmp client configuration group ppg
 acl 180

This will allow you to access the internet and your internal network at the same time.

2. If you do not have a WINS server configured in your group settings to be pushed to the VPN clients, then you would not be able to access your network by name.

If you want to know what a WINS server is, see the link below.

http://kb.iu.edu/data/adeo.html

If you already have a WINS server in your internal network, then you just need to add the IP address of the WINS server to the group information.

Let's say your WINS server IP is:

192.168.1.99

Then you would add the WINS information to the group like this.

crypto isakmp client configuration group ppg
 wins 192.168.1.99

Rate this post, if it helps!

Thanks

Gilbert

Hi Gilbert,

Thanks for your help so far

1) With regards to split-tunnelling?

Do I need to enable anything in SDM or the Cisco Dialler?

I assume access-list 180 per ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 refers to 192.168.1.0 as the VPN side IP not the local internet settings IP as they might have 10.10.10.1 or something else?

2) WINS server?

Does netbios have to be enabled over VPN?

Thanks!

Imran

Imran,

Question 1:

You need to make sure that you are passing down an ACL for the split-tunneling to the clients.

This ACL should be under the group configuration settings on the router where you have the key, group-name etc...

Let's say your internal network on the router is 10.10.10.x and the VPN client pool is handing out addresses from 192.168.2.0.

Then the ACL should be

eg: access-list 177 per ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255

That will send the split tunneling acl to the clients.

Question 2:

What do you mean by "does netbios have to be enabled over VPN?"

You just configure the WINS server information on the head-end side and it will be passed down to the clients. There is nothing to configure on the clients themselves.

access-list 177
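The three fixes in this thread (a client pool outside the LAN subnet, a split-tunnel ACL whose source is the internal LAN and whose destination covers the pool, and a WINS address pushed from the group) are all checkable from the text of the running config. The script below is an added example, not part of this thread or of any Cisco tool: it parses a constructed Easy VPN Server fragment (the addresses, group name "ppg", ACL 180 and WINS 192.168.1.99 follow the posts above; the pool name and PSK placeholder are assumptions) and reports each of those three problems, so a second router such as the 837 mentioned later can be checked the same way before testing from a client.

```python
import ipaddress
import re

# Constructed sample of the lines that matter from an IOS Easy VPN Server
# configuration. It is an illustrative fragment, not the poster's attached
# config; addresses follow the thread (LAN 192.168.1.0/24, client pool
# 192.168.2.1-192.168.2.10, WINS 192.168.1.99, group "ppg", ACL 180).
# The pool name and the PSK placeholder are assumptions.
GOOD_CONFIG = """\
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.10
access-list 180 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto isakmp client configuration group ppg
 key PLACEHOLDER_PSK
 pool SDM_POOL_1
 acl 180
 wins 192.168.1.99
"""

# Same fragment with the mistakes discussed in the thread: the client pool
# drawn from the LAN subnet, and no split-tunnel ACL or WINS pushed to clients.
BAD_CONFIG = """\
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
ip local pool SDM_POOL_1 192.168.1.200 192.168.1.210
crypto isakmp client configuration group ppg
 key PLACEHOLDER_PSK
 pool SDM_POOL_1
"""


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair (0.0.0.255 style) into a network."""
    host_bits = int(ipaddress.IPv4Address(wildcard))
    mask = ipaddress.IPv4Address(~host_bits & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Extract LAN subnet, local pools, ACL 'permit ip' entries and group settings."""
    cfg = {"lan": None, "pools": {}, "acls": {}, "group": {}}
    context = None  # "interface", "group" or None, set by the last top-level line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):  # top-level command: pick the context for sub-lines
            context = None
            if line.startswith("interface "):
                context = "interface"
            elif line.startswith("crypto isakmp client configuration group "):
                context = "group"
            elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)$", line):
                cfg["pools"][m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                            ipaddress.IPv4Address(m.group(3)))
            # IOS accepts abbreviated keywords, so "per" is matched as well as "permit"
            elif m := re.match(r"access-list (\d+) per\S* ip (\S+) (\S+) (\S+) (\S+)$", line):
                cfg["acls"].setdefault(m.group(1), []).append(
                    (wildcard_to_network(m.group(2), m.group(3)),
                     wildcard_to_network(m.group(4), m.group(5))))
            continue
        if context == "interface" and cfg["lan"] is None:
            if m := re.match(r"ip address (\S+) (\S+)$", line):
                cfg["lan"] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif context == "group":
            key, _, value = line.partition(" ")
            cfg["group"][key] = value
    return cfg


def check_easy_vpn(text):
    """Return a list of problems; an empty list means the fragment passes all three checks."""
    cfg = parse_config(text)
    problems = []
    lan = cfg["lan"]
    if lan is None:
        return ["no LAN interface address found"]

    # 1. Client pool must not be carved out of the LAN subnet.
    pool = cfg["pools"].get(cfg["group"].get("pool"))
    if pool is None:
        problems.append("pool: group references no defined local pool")
    elif any(ip in lan for ip in pool):
        problems.append(f"pool: client addresses {pool[0]}-{pool[1]} overlap LAN {lan}")

    # 2. Split-tunnel ACL: LAN as source, client pool covered by the destination.
    acl = cfg["group"].get("acl")
    if acl is None:
        problems.append("acl: no split-tunnel ACL; all client traffic is tunnelled")
    else:
        entries = cfg["acls"].get(acl, [])
        if not entries:
            problems.append(f"acl: group references access-list {acl} which has no permit ip entry")
        for src, dst in entries:
            if src != lan:
                problems.append(f"acl: source {src} should be the internal LAN {lan}")
            if pool and not all(ip in dst for ip in pool):
                problems.append(f"acl: destination {dst} does not cover the client pool")

    # 3. WINS must be pushed from the group for name-based access to work.
    if "wins" not in cfg["group"]:
        problems.append("wins: no WINS server pushed; NetBIOS name lookups over the tunnel will fail")
    return problems


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_easy_vpn(text) or "OK")
```

Paste the output of "show running-config" into a file and pass its text to check_easy_vpn; the ACL source check is what catches the confusion raised above about which side of the ACL is the VPN side, since the source must be the router's internal LAN and the destination the client pool.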

Hi Gilbert,

Thank you for your help so far; without it I would have been stuck at square one.

To get familiar with VPN I attempted a second setup, the same as above but with a Cisco 837.

I can ping 192.168.1.10 fine however cannot access it for file-sharing whereas the setup as discussed previous works fine.

Your help would be much appreciated.

Thanks