04-15-2007 06:17 PM - edited 02-21-2020 02:58 PM
Hi all,
I am very new to Cisco and hope you could give some advice. Our office uses a Cisco 877W via an ADSL2+ connection. Wireless, DHCP, firewall are working ok. We have a Windows 2003 Server as a file server. The boss wants to VPN from home to access the files. I have used SDM to try to set up VPN, then used VPN Client to test from home, but it didn't work. My questions are:
1. I believe the 877w router supports Easy VPN server. Do I need to set the Windows 2003 Server as a VPN server?
2. Is there a step-by-step official instruction to do this? I read the manual but I don't know how to customise those instructions for our case.
3. There is a D-link at the other side (i.e. at home). Do I need to set up port-forwarding or anything like that?
Thank you,
Triet
04-15-2007 06:22 PM
04-16-2007 01:14 PM
Greetings Triet,
First of all, you need to have a Static IP on your ADSL connection to create a VPN.
Second, it would be a good idea to configure VPN on the Cisco router rather than on Windows Server, because you need to know a hell of a lot of details about port forwarding, which is as tricky as configuring VPN on the router.
Third, look at the below link for instructions on how to configure Cisco Router as VPN server:
D-Link at your boss's home should work fine, let me know.
Also, don't forget to rate this post if you find it helpful.
Cheers,
Haroon
04-17-2007 03:43 PM
Thank you Haroon,
I have followed the instructions, and the connection seems to be working fine. I can get an IP address from the VPN server, and I can ping the router IP addresses (both internal and external WAN address). Other than that, I can't do anything else. Please find the statistics window attached.
I tried the following:
- ping to a server in the office - FAIL
- ping www.cisco.com - FAIL
- ping to an external DNS - FAIL
- ipconfig /all shows that DHCP is disabled in the Cisco VPN Adapter
- the number of encrypted packets is much higher compared to the decrypted. When I continuously ping the router IP, the number of decrypted gets higher.
Could you please give some advice?
Thank you,
Triet
04-17-2007 03:47 PM
Can you post the config?
Also, please copy the config from the console window and post it, because the config copied from the router's memory is not properly readable.
04-17-2007 04:08 PM
04-17-2007 04:18 PM
Enter the following commands and check it out:
config terminal
no access-list 100
access-list 100 remark Access list for NAT Traffic
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip any any
no ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source list 100 interface Dialer0 overload
This should prevent traffic between the VPN clients and the internal LAN from being NATed.
Also, make sure the default gateway of the internal LAN systems is set to 10.1.1.254 (internal IP of the router).
* Rate this post if it helps
04-17-2007 04:54 PM
Thank you, Haroon.
I have made the changes but I have to go home to test it out. By the way, can I stay inside the LAN and VPN back into itself? If it is possible, I can test it out now. I use Cisco VPN Client to connect, it says "Contacting the security gateway at xx.xx.xx.xx...." then disconnects. While at home, it is ok.
You are right about the default gateway, when I did ipconfig, the default gateway and the IP address (assigned by VPN server) were the same. I don't know where I can change it. Also if the PC address is in 10.1.2.x subnet, will it accept the default gateway of 10.1.1.254?
Thank you.
Triet
04-17-2007 05:00 PM
I think you might have to go home and check it out.
But you don't have to change anything on the VPN client. You have to change the default IP address of the clients behind the router (at the office) to 10.1.1.254 (I believe they are wireless users).
Regarding VPN clients, your ip address and default gateway will be the same after you connect to VPN server. That is correct.
04-17-2007 05:09 PM
I will let you know as soon as I try it.
Yes, I have checked default gateway in the clients at the office, they are all 10.1.1.254.
Thanks again,
Triet
04-18-2007 03:20 PM
Hi Haroon,
The problem is still there. I can connect to the VPN Server (i.e. router) but I cannot do anything else, neither surf the net nor connect to the file server. What do you think I should try please? Thank you.
Triet
04-18-2007 03:24 PM
Can you post the full config again?
04-18-2007 03:30 PM
04-18-2007 03:47 PM
Hey,
I have attached the configuration file.
Black Text - Don't change
Red Text - Remove the config lines
Blue Text - Remove them temporarily
And try the vpn configuration again using SDM
Make sure you configure with below settings:
VPN pool: 10.1.2.1 - 10.1.2.254
Local LAN: 10.1.1.0/24
You might also need to set your nat statements as:
ip nat inside source list 100 interface Dialer0 overload
access-list 100 remark Access list for NAT Traffic
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip any any
* Please rate this post if it's helpful
04-18-2007 03:48 PM