05-16-2007 08:43 AM - edited 02-21-2020 03:03 PM
Hi,
I've implemented "the Router and VPN Client for Public Internet on a Stick Configuration Example" (http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml). I've added these lines to my 878 router config. I connect from a remote site with Cisco VPN client. From the VPN client, the situation is:
- Full access to hosts on Internet = OK
- Can PING hosts at the router site (192.168.2.0)
- Have no access to hosts at the router site (192.168.2.0) = NOK
I've added these lines to my 877 configuration. At this time, the firewall is not activated.
aaa new-model
!
aaa authentication login userauthen local
!
aaa authorization network groupauthor local
!
aaa session-id common
username ... password 0 ...
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group ?
 key ?
 dns 192.168.2.110
 pool ippool
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
interface Dialer1
 ip nat outside
 ip policy route-map VPN-Client
 crypto map clientmap
ip local pool ippool 192.168.4.1 192.168.4.20
ip nat inside source list 102 interface Dialer1 overload
access-list 102 permit ip any any
access-list 144 permit ip 192.168.4.0 0.0.0.255 any
route-map VPN-Client permit 10
 match ip address 144
 set interface Loopback0
Any idea to solve the 3rd point? All the VPN traffic is set to the loopback interface. Do I have to modify the route-map to set only the external traffic on this interface?
Kind regards,
Guy
05-22-2007 06:08 AM
Probably, check the network list in the VPN server whether it is properly configured in such a way that the network 192.168.2.0 is allowed.
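Added example (not part of the original posts and not Cisco's code): a small Python evaluator for the two access lists posted in the question, showing which VPN-client flows route-map VPN-Client would hand to Loopback0. The client address 192.168.4.5, the Internet host 198.51.100.10 and the NARROWED access list are constructed for illustration; NARROWED is an assumption of the kind the question asks about, not a confirmed fix.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set to 1 are "don't care"."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_spec(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard, rest)."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]

def parse_acls(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [entries]}."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        sb, sw, rest = parse_spec(t[4:])
        db, dw, _ = parse_spec(rest)
        acls.setdefault(t[1], []).append((t[2], sb, sw, db, dw))
    return acls

def acl_permits(entries, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    for action, sb, sw, db, dw in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False

# The two access lists exactly as posted in the question.
POSTED = """access-list 102 permit ip any any
access-list 144 permit ip 192.168.4.0 0.0.0.255 any"""
# Hypothetical variant (assumption, not from the thread): exclude LAN-bound traffic.
NARROWED = """access-list 144 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 144 permit ip 192.168.4.0 0.0.0.255 any"""

def to_loopback(acl_text, src, dst):
    """True if route-map VPN-Client (match ip address 144) sets Loopback0."""
    return acl_permits(parse_acls(acl_text)["144"], src, dst)

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("narrowed", NARROWED)):
        for dst in ("192.168.2.110", "198.51.100.10"):  # LAN DNS host, constructed Internet host
            print(name, dst, to_loopback(text, "192.168.4.5", dst))
```

With the posted lists, both the LAN-bound and the Internet-bound client flows match access-list 144, and access-list 102 (`permit ip any any`) also matches return traffic from 192.168.2.0 hosts to the client pool.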