My VPN doesn't work!!!

Unanswered Question
Jan 29th, 2008

Hi All,

I configured a sample VPN on a 2611 router to connect via the Cisco VPN Client software from a remote PC on the Internet.

When the tunnel is established, all networking stops working on my PC.

I can't access the LAN inside.

Could anybody help me to solve this problem?

My config follows:

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service linenumber
!
hostname mtech_lab_rt1
!
boot-start-marker
boot-end-marker
!
enable password xxx
!
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa authentication login LOCALUSERS local
aaa session-id common
ip subnet-zero
!
!
ip domain name xxx.com
!
ip cef
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username dticsco password 0 xxx
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group HOME
 key xxx
 dns 192.168.0.4
 domain xxx.com
 pool CLIENT_ADDRESSES
!
!
crypto ipsec transform-set MTECHVPN_SET esp-3des esp-sha-hmac
!
crypto dynamic-map CLIENT_MAP 1
 set transform-set MTECHVPN_SET
 reverse-route
!
!
crypto map MTECHVPN_VPN client authentication list LOCALUSERS
crypto map MTECHVPN_VPN isakmp authorization list LOCALUSERS
crypto map MTECHVPN_VPN client configuration address respond
crypto map MTECHVPN_VPN 100 ipsec-isakmp dynamic CLIENT_MAP
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.0.130 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 41.x.x.15 255.255.254.0
 ip nat outside
 duplex auto
 speed auto
 crypto map MTECHVPN_VPN
!
ip local pool CLIENT_ADDRESSES 192.168.2.1 192.168.2.10
ip nat inside source list NATLIST interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.6 25 41.x.x.15 25 extendable
ip nat inside source static tcp 192.168.0.6 110 41.X.X.15 110 extendable
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 41.x.x.1
ip route 192.168.0.0 255.255.255.0 FastEthernet0/0
!
!
!
ip access-list standard NATLIST
 permit 192.168.0.0 0.0.0.255
!
!
!
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
 location work
 exec-timeout 30 30
 password cisco
line aux 0
 password cisco
line vty 0 4
 login authentication LOCALUSERS
 transport input ssh
!
!
end

Thanks

AB

Antonio Brandao Wed, 01/30/2008 - 00:03

Hi Arul,

I did not understand how I will apply this information in my scenario.

Are you sure that it is the same scenario?

Please notice that in my topology, I have a router that receives VPNs from remote teleworkers, on different subnets, and it is not a point-to-point scenario like the one explained in the example that you sent.

AB

dominic.caron Thu, 01/31/2008 - 06:27

What Arul said is not bad. Even if it's not the main cause of your problem, your DNS will not be reachable from the tunnel.

Every answer to your client from your DNS will be NATed. Your client will not accept it.

Antonio Brandao Thu, 01/31/2008 - 06:42

Hi Dominic,

Sorry, but I didn't understand.

I'm a newbie in VPNs.

In practice, what do I have to do for my network to become visible to my VPN client?

Which is the NAT rule that I have to create?

Thanks.

AB

Antonio Brandao Mon, 02/04/2008 - 09:16

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service linenumber
!
hostname mtech_lab_rt1
!
boot-start-marker
boot-end-marker
!
enable password [email protected]
!
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa authentication login USERAUTHEN local
aaa authorization network GROUPAUTHOR local
aaa session-id common
ip subnet-zero
!
!
ip domain name mydomain.com
!
ip cef
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username antonio password 0 tonhao01
username dticsco password 0 dt!czc0
username ricardo password 0 ric123
username belarmino password 0 bneves0511
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group MTECHVPN
 key [email protected]!zz030459
 dns 192.168.0.4
 wins 192.168.0.4
 domain mydomain.com
 pool ippool
 acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list USERAUTHEN
crypto map clientmap isakmp authorization list GROUPAUTHOR
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.0.130 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 41.x.x.15 255.255.254.0
 ip nat outside
 duplex auto
 speed auto
 crypto map clientmap
!
ip local pool ippool 10.1.1.10 10.1.1.20
ip nat inside source list 111 interface FastEthernet0/1 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 41.x.x.1
!
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 permit ip any any
!
!
!
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
 location work
 exec-timeout 30 30
 password 7 02050D480809
line aux 0
 password 7 0822455D0A16
line vty 0 4
 login authentication USERAUTHEN
 transport input ssh
!
!
end
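An added example, not from this thread and not Cisco's code: a small Python model of the NAT decision Dominic describes, built from the two NAT access lists posted above (NATLIST in the first config, access-list 111 in the second) and the pools they apply to. The client addresses 192.168.2.5 and 10.1.1.12 and the Internet host 198.51.100.7 are constructed sample values. It assumes standard IOS ACL semantics (top-down, first match wins, implicit deny at the end, a standard ACL tests the source address only) and the IOS order of operations on the inside-to-outside path, where NAT runs before IPsec encryption.

```python
"""Model of how 'ip nat inside source list <ACL> ... overload' decides whether a
packet leaving the LAN towards a remote-access VPN client gets translated.

Added example, not from the thread. Reproduces the two NAT ACLs posted above
and adds constructed sample flows. Assumed IOS semantics: ACL entries are
evaluated top-down, first match wins, there is an implicit deny at the end, a
standard ACL tests only the source address, and on the inside-to-outside path
NAT happens before IPsec encryption, so a translated packet never matches the
client's tunnel.
"""
import ipaddress
from dataclasses import dataclass

# IOS 'any' is address 0.0.0.0 with wildcard 255.255.255.255 (every bit is don't-care)
ANY = ("0.0.0.0", "255.255.255.255")


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    src: str                    # source network as written in the ACL
    src_wild: str               # Cisco wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str = ANY[0]           # standard ACLs carry no destination; treat it as 'any'
    dst_wild: str = ANY[1]


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """True if addr matches net under a Cisco wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_lookup(acl, src: str, dst: str) -> str:
    """Top-down, first-match evaluation ending in the implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"


def nat_translates(nat_acl, src: str, dst: str) -> bool:
    """A packet is translated exactly when the NAT ACL permits it;
    a deny (explicit or implicit) leaves it untranslated."""
    return acl_lookup(nat_acl, src, dst) == "permit"


# First config: 'ip access-list standard NATLIST' / 'permit 192.168.0.0 0.0.0.255'
NATLIST = [AclEntry("permit", "192.168.0.0", "0.0.0.255")]

# Second config: access-list 111 drives NAT, access-list 101 is the split-tunnel list
ACL_111 = [
    AclEntry("deny", "192.168.0.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
    AclEntry("permit", *ANY, *ANY),
]
ACL_101 = [AclEntry("permit", "192.168.0.0", "0.0.0.255", "10.1.1.0", "0.0.0.255")]

DNS_SERVER = "192.168.0.4"  # 'dns 192.168.0.4' in both client group configs


def audit_dns_replies() -> dict:
    """Classify a DNS reply from 192.168.0.4 to one constructed client address
    from each config's pool, plus a reply to a constructed Internet host."""
    return {
        # first config: client was assigned 192.168.2.5 from pool CLIENT_ADDRESSES
        "first_config_to_client": nat_translates(NATLIST, DNS_SERVER, "192.168.2.5"),
        # second config: client was assigned 10.1.1.12 from pool ippool
        "second_config_to_client": nat_translates(ACL_111, DNS_SERVER, "10.1.1.12"),
        # ordinary Internet-bound traffic must still be translated
        "second_config_to_internet": nat_translates(ACL_111, DNS_SERVER, "198.51.100.7"),
        # the exempted flow must also be inside the split-tunnel list the client receives
        "second_config_in_split_tunnel": acl_lookup(ACL_101, DNS_SERVER, "10.1.1.12") == "permit",
    }


if __name__ == "__main__":
    for flow, translated in audit_dns_replies().items():
        print(f"{flow}: {'translated' if translated else 'not translated'}")
```

With the first config the DNS reply from 192.168.0.4 to a client in 192.168.2.0/24 matches NATLIST, so its source is rewritten to the Fa0/1 address before the crypto map is consulted and the packet never enters the client's tunnel, which is what Dominic's "your client will not accept it" amounts to. The deny line in access-list 111 of the second config exempts that LAN-to-pool flow while leaving Internet traffic translated, and access-list 101 keeps the same flow in the split-tunnel list pushed to the client.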
