01-29-2008 03:50 PM - edited 02-21-2020 01:52 AM
Hi All,
I configured a sample VPN on a 2611 router to connect via the Cisco VPN Client software from a remote PC on the internet.
When the tunnel is established, all networking stops working on my PC.
I can't access the LAN inside.
Could anybody help me solve this problem?
My config follows:
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service linenumber
!
hostname mtech_lab_rt1
!
boot-start-marker
boot-end-marker
!
enable password xxx
!
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa authentication login LOCALUSERS local
aaa session-id common
ip subnet-zero
!
!
ip domain name xxx.com
!
ip cef
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username dticsco password 0 xxx
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group HOME
key xxx
dns 192.168.0.4
domain xxx.com
pool CLIENT_ADDRESSES
!
!
crypto ipsec transform-set MTECHVPN_SET esp-3des esp-sha-hmac
!
crypto dynamic-map CLIENT_MAP 1
set transform-set MTECHVPN_SET
reverse-route
!
!
crypto map MTECHVPN_VPN client authentication list LOCALUSERS
crypto map MTECHVPN_VPN isakmp authorization list LOCALUSERS
crypto map MTECHVPN_VPN client configuration address respond
crypto map MTECHVPN_VPN 100 ipsec-isakmp dynamic CLIENT_MAP
!
!
!
!
interface FastEthernet0/0
ip address 192.168.0.130 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 41.x.x.15 255.255.254.0
ip nat outside
duplex auto
speed auto
crypto map MTECHVPN_VPN
!
ip local pool CLIENT_ADDRESSES 192.168.2.1 192.168.2.10
ip nat inside source list NATLIST interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.6 25 41.x.x.15 25 extendable
ip nat inside source static tcp 192.168.0.6 110 41.X.X.15 110 extendable
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 41.x.x.1
ip route 192.168.0.0 255.255.255.0 FastEthernet0/0
!
!
!
ip access-list standard NATLIST
permit 192.168.0.0 0.0.0.255
!
!
!
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
location work
exec-timeout 30 30
password cisco
line aux 0
password cisco
line vty 0 4
login authentication LOCALUSERS
transport input ssh
!
!
end
Thanks
AB
01-29-2008 07:40 PM
You have to bypass NAT for traffic from your LAN to the VPN Client pool of IP addresses. Please follow the URL below for configuration details.
http://www.cisco.com/warp/customer/707/static.html
Regards,
Arul
** Please rate all helpful posts **
01-30-2008 12:03 AM
Hi Arul,
I did not understand how I would apply this information in my scenario.
Are you sure it is the same scenario?
Please notice that in my topology, I have a router that receives VPNs from remote teleworkers on different subnets; it is not a point-to-point scenario like the example you sent explains.
AB
01-31-2008 06:27 AM
What Arul said is not bad. Even if it's not the main cause of your problem, your DNS will not be reachable from the tunnel.
Every answer to your client from your DNS will be NATed. Your client will not accept it.
01-31-2008 06:42 AM
Hi Dominic,
Sorry, but I didn't understand.
I'm a newbie in VPNs.
In practice, what do I have to do to make my network visible to my VPN client?
Which NAT rule do I have to create?
Tks.
AB
02-04-2008 09:16 AM
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service linenumber
!
hostname mtech_lab_rt1
!
boot-start-marker
boot-end-marker
!
enable password MtechP@zz11E
!
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa authentication login USERAUTHEN local
aaa authorization network GROUPAUTHOR local
aaa session-id common
ip subnet-zero
!
!
ip domain name mydomain.com
!
ip cef
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username antonio password 0 tonhao01
username dticsco password 0 dt!czc0
username ricardo password 0 ric123
username belarmino password 0 bneves0511
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group MTECHVPN
key Mdt@Vpn!zz030459
dns 192.168.0.4
wins 192.168.0.4
domain mydomain.com
pool ippool
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list USERAUTHEN
crypto map clientmap isakmp authorization list GROUPAUTHOR
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
ip address 192.168.0.130 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 41.x.x.15 255.255.254.0
ip nat outside
duplex auto
speed auto
crypto map clientmap
!
ip local pool ippool 10.1.1.10 10.1.1.20
ip nat inside source list 111 interface FastEthernet0/1 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 41.x.x.1
!
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 permit ip any any
!
!
!
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
location work
exec-timeout 30 30
password 7 02050D480809
line aux 0
password 7 0822455D0A16
line vty 0 4
login authentication USERAUTHEN
transport input ssh
!
!
end