04-26-2007 06:49 PM
I have a Cisco 871 router which is connected to the internet. I would like to allow a few remote users to VPN into the office using the Cisco VPN Client. Currently, I can get the VPN Client to authenticate and connect. However, whenever I try pinging something inside the private network I get a reply from the external IP of the router instead. Here is the config as it stands right now. If anyone can point out what I am doing wrong I would really appreciate it. Thanks!
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rtr-test
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxx
!
aaa new-model
!
!
aaa authentication login userauth local
aaa authorization network groupauth local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.201 192.168.0.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.0.0 255.255.255.0
dns-server 192.168.0.25
default-router 192.168.0.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name bfloan.com
ip name-server 192.168.0.25
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-3716545297
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3716545297
revocation-check none
rsakeypair TP-self-signed-3716545297
!
!
username xxxxxxxx privilege 15 password xxxxxxxxxxx
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpngate
key xxxxxxx
dns 192.168.0.25
wins 192.168.0.25
pool ippool
acl 105
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto map clientmap client authentication list userauth
crypto map clientmap isakmp authorization list groupauth
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
bridge irb
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address 66.x.x.33 255.255.255.x
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map clientmap
!
interface Dot11Radio0
no ip address
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description $ES_LAN$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip local pool ippool 192.168.100.1 192.168.100.25
ip classless
ip route 0.0.0.0 0.0.0.0 66.4.164.38
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet4 overload
!
logging trap debugging
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
04-27-2007 02:47 AM
BTW ... I think the problem is with NAT ... Everything works fine if I disable NAT on the inside and outside interfaces. However, when NAT is enabled I cannot route into the private LAN when connected via VPN.
04-27-2007 03:01 AM
Your configuration is right; however, you need to do the following:
no access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
Please rate if this helps.
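Added example, not from the thread or from Cisco: a small Python model of how IOS evaluates the NAT access list referenced by `ip nat inside source list 100 ...` (first match wins, implicit deny at the end), showing why a deny for the VPN pool must sit before the permit in access-list 100. The parser covers only the `access-list N permit|deny ip SRC DST` form used in this thread and assumes contiguous wildcard masks; 192.168.100.5 and 203.0.113.10 are constructed sample addresses.

```python
import ipaddress

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks mark don't-care bits with 1; invert to a netmask.
    Assumes a contiguous wildcard, which covers every ACE in this thread."""
    inv = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(inv)}", strict=False)

def _take_addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    return wildcard_to_network(tok[0], tok[1]), tok[2:]

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst)
    tuples; remarks and other entry types are skipped."""
    aces = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        aces.append((tok[2], src, dst))
    return aces

def nat_applies(aces, src_ip: str, dst_ip: str) -> bool:
    """First match wins; the implicit deny at the end means 'do not translate'."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in aces:
        if s in src and d in dst:
            return action == "permit"
    return False

# The NAT ACL as posted in the question, and as corrected in the answer.
ORIGINAL_ACL = ["access-list 100 remark SDM_ACL Category=2",
                "access-list 100 permit ip 192.168.0.0 0.0.0.255 any"]
FIXED_ACL = ["access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255",
             "access-list 100 permit ip 192.168.0.0 0.0.0.255 any"]

if __name__ == "__main__":
    # 192.168.0.25 is the LAN DNS server from the config; 192.168.100.5 (VPN pool)
    # and 203.0.113.10 (Internet host) are constructed sample addresses.
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        aces = parse_acl(acl)
        print(name, "LAN->VPN client translated:", nat_applies(aces, "192.168.0.25", "192.168.100.5"),
              "| LAN->Internet translated:", nat_applies(aces, "192.168.0.25", "203.0.113.10"))
```

With the original list, replies from the LAN to a VPN client are translated to the FastEthernet4 address before they reach the crypto map, which is the symptom in the question; with the deny in place they are left untranslated and matched by ACL 105 into the tunnel.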
04-27-2007 12:34 PM
Perfect! That did it. Thanks for pointing that out.