Easy VPN Server setup

Answered Question
Apr 26th, 2007

I have a Cisco 871 router which is connected to the internet. I would like to allow a few remote users to VPN into the office using the Cisco VPN Client. Currently, I can get the VPN Client to authenticate and connect. However, whenever I try pinging something inside the private network I get a reply from the external IP of the router instead. Here is the config as it stands right now. If anyone can point out what I am doing wrong I would really appreciate it. Thanks!

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rtr-test
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxx
!
aaa new-model
!
!
aaa authentication login userauth local
aaa authorization network groupauth local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.201 192.168.0.254
!
ip dhcp pool sdm-pool1
 import all
 network 192.168.0.0 255.255.255.0
 dns-server 192.168.0.25
 default-router 192.168.0.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name bfloan.com
ip name-server 192.168.0.25
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-3716545297
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3716545297
 revocation-check none
 rsakeypair TP-self-signed-3716545297
!
!
username xxxxxxxx privilege 15 password xxxxxxxxxxx
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngate
 key xxxxxxx
 dns 192.168.0.25
 wins 192.168.0.25
 pool ippool
 acl 105
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauth
crypto map clientmap isakmp authorization list groupauth
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
bridge irb
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address 66.x.x.33 255.255.255.x
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map clientmap
!
interface Dot11Radio0
 no ip address
!
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip local pool ippool 192.168.100.1 192.168.100.25
ip classless
ip route 0.0.0.0 0.0.0.0 66.4.164.38
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet4 overload
!
logging trap debugging
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh

HiSparx Fri, 04/27/2007 - 02:47

BTW ... I think the problem is with NAT ... Everything works fine if I disable NAT on the inside and outside interfaces. However, when NAT is enabled I cannot route into the private LAN when connected via VPN.

Correct Answer
oabduo983 Fri, 04/27/2007 - 03:01

Your configuration is right; however, you need to do the following:

no access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255

Please rate if this helps.
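
Added illustration (not part of the thread above, and not Cisco code): the fix works because IOS evaluates access lists first-match, and for inside-to-outside traffic the NAT inside-to-outside translation runs before the crypto map is checked. With the original ACL 100, a LAN host's reply to a VPN client is PAT'ed to the outside interface address before the crypto ACL 105 sees it, so it no longer matches 105 and is not sent through the tunnel, which is how the client ends up seeing the router's external IP. The script below models that order of operations against the two ACL sets from the thread. It assumes a VPN client at 192.168.100.5 (from the config's pool), the LAN DNS server 192.168.0.25 as the replying host, and a placeholder outside address 66.0.0.33 standing in for the masked 66.x.x.33; none of those choices come from the original posts.

```python
"""First-match evaluator for Cisco-style extended IP ACLs, used to show why
the NAT ACL needs a 'deny' for LAN -> VPN-pool traffic ahead of the permit.
Added example; the ACL lines are the ones posted in the thread, the host
addresses and the outside address 66.0.0.33 are assumptions for the demo."""
from ipaddress import IPv4Address
from typing import List, NamedTuple, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' == all bits are don't-care


class Ace(NamedTuple):
    action: str     # "permit" or "deny"
    src: str
    src_wild: str   # Cisco wildcard mask: a 1 bit means "don't care"
    dst: str
    dst_wild: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit that is 0 in the wildcard mask."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _addr_pair(tokens: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of the token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(config_lines: List[str], number: str) -> List[Ace]:
    """Collect the ACEs of one numbered ACL in configuration order; remarks are skipped."""
    aces = []
    for line in config_lines:
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", number] or tok[2] == "remark":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        if proto != "ip":
            raise ValueError(f"only 'ip' ACEs are modelled here: {line}")
        (src, sw), rest = _addr_pair(rest)
        (dst, dw), rest = _addr_pair(rest)
        aces.append(Ace(action, src, sw, dst, dw))
    return aces


def acl_action(aces: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; the implicit 'deny' at the end is modelled too."""
    for ace in aces:
        if wildcard_match(src, ace.src, ace.src_wild) and wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


def trace(config_lines: List[str], src: str, dst: str, outside_ip: str) -> dict:
    """Inside-to-outside path on the router: NAT ACL 100 decides whether the
    source is overloaded onto the outside address, and only then is the
    (possibly translated) packet compared against crypto ACL 105."""
    nat_aces = parse_acl(config_lines, "100")
    crypto_aces = parse_acl(config_lines, "105")
    src_after_nat = outside_ip if acl_action(nat_aces, src, dst) == "permit" else src
    return {
        "src_after_nat": src_after_nat,
        "matches_crypto_acl": acl_action(crypto_aces, src_after_nat, dst) == "permit",
    }


# ACL lines exactly as posted in the thread (original config and accepted fix).
ORIGINAL_ACLS = [
    "access-list 100 remark SDM_ACL Category=2",
    "access-list 100 permit ip 192.168.0.0 0.0.0.255 any",
    "access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255",
]
FIXED_ACLS = [
    "access-list 100 remark SDM_ACL Category=2",
    "access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255",
    "access-list 100 permit ip 192.168.0.0 0.0.0.255 any",
    "access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255",
]
# Assumed addresses for the demonstration (not from the thread).
LAN_HOST = "192.168.0.25"       # the DNS/WINS server in the posted config
VPN_CLIENT = "192.168.100.5"    # an address from 'ip local pool ippool'
INTERNET_HOST = "203.0.113.10"  # documentation-range address for normal web traffic
OUTSIDE_IP = "66.0.0.33"        # stands in for the masked 66.x.x.33

if __name__ == "__main__":
    for name, acls in (("original", ORIGINAL_ACLS), ("fixed", FIXED_ACLS)):
        print(name, "LAN->VPN client:", trace(acls, LAN_HOST, VPN_CLIENT, OUTSIDE_IP))
        print(name, "LAN->Internet:  ", trace(acls, LAN_HOST, INTERNET_HOST, OUTSIDE_IP))
```

With the original ACL 100 the reply to the VPN client leaves with source 66.0.0.33 and fails the crypto ACL; with the deny inserted before the permit it keeps its 192.168.0.x source and matches ACL 105, while ordinary Internet-bound traffic is still translated. The order of the two ACL 100 lines is the whole point: a deny placed after the permit would never be reached.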

HiSparx Fri, 04/27/2007 - 12:34

Perfect! That did it. Thanks for pointing that out.
