My VPN doesn't work.!!!

Antonio Brandao · ‎01-29-2008

Hi All,

I configured a sample VPN in a 2611 Router to connect via Cisco VPN Client Sfw from a Remote PC on internet.

When the tunnel is estabilished, all networks stop to work in my PC.

I can't access the LAN inside.

Could anybody help me to solve this problem ?

Follow my config :

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

service linenumber

!

hostname mtech_lab_rt1

!

boot-start-marker

boot-end-marker

!

enable password xxx

!

no network-clock-participate slot 1

no network-clock-participate wic 0

aaa new-model

!

aaa authentication login LOCALUSERS local

aaa session-id common

ip subnet-zero

!

ip domain name xxx.com

!

ip cef

ip audit po max-events 100

!

username dticsco password 0 xxx

!

ip ssh time-out 60

ip ssh authentication-retries 2

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group HOME

key xxx

dns 192.168.0.4

domain xxx.com

pool CLIENT_ADDRESSES

!

crypto ipsec transform-set MTECHVPN_SET esp-3des esp-sha-hmac

!

crypto dynamic-map CLIENT_MAP 1

set transform-set MTECHVPN_SET

reverse-route

!

crypto map MTECHVPN_VPN client authentication list LOCALUSERS

crypto map MTECHVPN_VPN isakmp authorization list LOCALUSERS

crypto map MTECHVPN_VPN client configuration address respond

crypto map MTECHVPN_VPN 100 ipsec-isakmp dynamic CLIENT_MAP

!

interface FastEthernet0/0

ip address 192.168.0.130 255.255.255.0

ip nat inside

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 41.x.x.15 255.255.254.0

ip nat outside

duplex auto

speed auto

crypto map MTECHVPN_VPN

!

ip local pool CLIENT_ADDRESSES 192.168.2.1 192.168.2.10

ip nat inside source list NATLIST interface FastEthernet0/1 overload

ip nat inside source static tcp 192.168.0.6 25 41.x.x.15 25 extendable

ip nat inside source static tcp 192.168.0.6 110 41.X.X.15 110 extendable

ip http server

no ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 41.x.x.1

ip route 192.168.0.0 255.255.255.0 FastEthernet0/0

!

ip access-list standard NATLIST

permit 192.168.0.0 0.0.0.255

!

dial-peer cor custom

!

line con 0

location work

exec-timeout 30 30

password cisco

line aux 0

password cisco

line vty 0 4

login authentication LOCALUSERS

transport input ssh

!

end

Thanks

AB

ajagadee · ‎01-29-2008

You have to bypass NAT for traffic from your LAN to the VPN Client Pool of IP Addresses. Please follow the below URL for configuration details.

http://www.cisco.com/warp/customer/707/static.html

Regards,

Arul

** Please rate all helpful posts **

Antonio Brandao · ‎01-30-2008

Hi Arul,

I did not understand how i will apply this this information in my scenary.

Do you have sure that is same scenary ?

Please notice that in my topology, i have a router that receives a VPN from remote teleworks, in diferents subnets, and is not a scenary point to point how explain the example that you sent.

AB

dominic.caron · ‎01-31-2008

What Arul said is not bad. Even if it's not the main cause of your problem, your DNS will not be reachable from the tunnel.

Every answer to your client from your DNS will be NATed. Your client will not accept it.

Antonio Brandao · ‎01-31-2008

Hi Dominic,

Sorry, but i don't understood .

Im newbie in VPNs.

In the pratice what i have to do to my network become visible to my vpn client.

Wich is the NAT rule that i have to create.

Tks.

AB

Antonio Brandao · ‎02-04-2008

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

service linenumber

!

hostname mtech_lab_rt1

!

boot-start-marker

boot-end-marker

!

enable password MtechP@zz11E

!

no network-clock-participate slot 1

no network-clock-participate wic 0

aaa new-model

!

aaa authentication login USERAUTHEN local

aaa authorization network GROUPAUTHOR local

aaa session-id common

ip subnet-zero

!

ip domain name mydomain.com

!

ip cef

ip audit po max-events 100

!

username antonio password 0 tonhao01

username dticsco password 0 dt!czc0

username ricardo password 0 ric123

username belarmino password 0 bneves0511

!

ip ssh time-out 60

ip ssh authentication-retries 2

!

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group MTECHVPN

key Mdt@Vpn!zz030459

dns 192.168.0.4

wins 192.168.0.4

domain mydomain.com

pool ippool

acl 101

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

reverse-route

!

crypto map clientmap client authentication list USERAUTHEN

crypto map clientmap isakmp authorization list GROUPAUTHOR

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

interface FastEthernet0/0

ip address 192.168.0.130 255.255.255.0

ip nat inside

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 41.x.x.15 255.255.254.0

ip nat outside

duplex auto

speed auto

crypto map clientmap

!

ip local pool ippool 10.1.1.10 10.1.1.20

ip nat inside source list 111 interface FastEthernet0/1 overload

ip http server

no ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 41.x.x.1

!

access-list 101 permit ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 111 deny ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 111 permit ip any any

!

dial-peer cor custom

!

line con 0

location work

exec-timeout 30 30

password 7 02050D480809

line aux 0

password 7 0822455D0A16

line vty 0 4

login authentication USERAUTHEN

transport input ssh

!

end