05-08-2008 07:44 AM - edited 03-03-2019 09:52 PM
Hello,
I was taking too long to find a document on configuring a VPN server on my 1751, so I ended up using the SDM software. I have everything pretty basic, and 1 NAT port forwarding for VNC port 410xx sent to inside IP 1.1.1.xx.
When I set up the VPN with the SDM software, at the end of the config it told me there was a NAT rule that needed to be updated to work with the VPN. I had no clue what that was all about, so I let it do its update on the rule. Well, it changed my:
ip nat inside source static tcp 1.1.1.xx 410xx interface Dialer1 410xx
to
route-map sdm_rmap_1 permit 41069
Which DID NOT WORK!
It changed the rule, and the port forwarding stopped. I deleted it and added my static NAT rule back in and voilà. My question on this is that normally the VNC port gets forwarded from Dialer1 to my PC when I access it from remote. When I'm connected via the VPN client, however, the only way I can access VNC is back out through the internet. It won't let me access VNC through the VPN by just connecting to the local 1.1.1.x address with the 410xx port number.
How can I set this up to allow both? I would like the remote control session encrypted over the internet (using the VPN) any time that I am connected to my network via VPN.
05-08-2008 07:46 AM
My config is as follows:
SANDBOX_1751#show run
Building configuration...
Current configuration : 3666 bytes
!
! Last configuration change at 09:59:52 CST Thu May 8 2008
! NVRAM config last updated at 08:24:32 CST Thu May 8 2008 by root
!
version 12.3
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SANDBOX_1751
!
boot-start-marker
boot system flash:c1700-k9o3sy7-mz.123-13.bin
boot-end-marker
!
!
memory-size iomem 20
clock timezone CST -6
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login userauthenticate local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
!
ip domain name XXX.com
ip name-server 64.91.3.46
ip name-server 64.91.3.60
!
ip cef
ip audit po max-events 100
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group 1
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
username XXXX privilege 15 secret xxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group group1
key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
dns 1.1.1.3 1.1.1.1
wins 1.1.1.200
domain XXX.com
pool SDM_POOL_1
acl 100
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Ethernet0/0
description iburst
no ip address
ip nat outside
ip tcp adjust-mss 1452
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0/0
description Lan
ip address 1.1.1.3 255.255.255.0
ip nat inside
speed auto
full-duplex
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap password 7 03145A1815
ppp pap sent-username XXXXXXX password xxx
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 1.1.1.150 1.1.1.159
ip nat inside source static tcp 1.1.1.XX 410XX interface Dialer1 410XX
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip http port XXXXXX
ip http secure-server
!
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 1.1.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=2
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.150
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.151
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.152
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.153
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.154
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.155
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.156
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.157
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.158
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.159
access-list 101 permit ip 1.1.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input ssh
!
end
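An added audit script (not from this thread, SDM or Cisco) that reads an IOS config modelled on the one above and reports which VPN pool addresses would have their VNC replies rewritten by the unconditional static NAT entry on the way out Dialer1, then repeats the check once the static entry is tied to the exemption route-map. The values 1.1.1.50 and 41000 stand in for the masked 1.1.1.XX / 410XX, and attaching route-map to a static NAT line is assumed to be accepted by the router's IOS image.

```python
import ipaddress
import re

# Constructed snippet modelled on the thread's config; 1.1.1.50 / 41000 are
# placeholders for the masked 1.1.1.XX / 410XX values.
CONFIG = """\
ip local pool SDM_POOL_1 1.1.1.150 1.1.1.159
ip nat inside source static tcp 1.1.1.50 41000 interface Dialer1 41000
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.150
access-list 101 permit ip 1.1.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101
"""
# Same config with the static entry tied to the exemption route-map (assumed syntax).
FIXED_CONFIG = CONFIG.replace("interface Dialer1 41000",
                              "interface Dialer1 41000 route-map SDM_RMAP_1")

def parse_pool(cfg):
    # All addresses handed to VPN clients by 'ip local pool'
    lo, hi = re.search(r"^ip local pool \S+ (\S+) (\S+)", cfg, re.M).groups()
    lo, hi = int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

def parse_static_nats(cfg):
    """(inside_ip, inside_port, route_map or None) for each static TCP entry."""
    pat = (r"^ip nat inside source static tcp (\S+) (\d+) interface \S+ \d+"
           r"(?: route-map (\S+))?")
    return [(ip, int(p), rm or None) for ip, p, rm in re.findall(pat, cfg, re.M)]

def acl_of_route_map(cfg, name):
    m = re.search(rf"^route-map {name} permit \d+\n\s*match ip address (\d+)",
                  cfg, re.M)
    return m.group(1) if m else None

def acl_denies_host(cfg, acl, host):
    pat = rf"^access-list {acl} deny ip \S+ \S+ host {re.escape(host)}$"
    return re.search(pat, cfg, re.M) is not None

def reply_is_translated(cfg, client_ip):
    """True if a reply to client_ip is rewritten by a static entry before IPsec."""
    for _ip, _port, rm in parse_static_nats(cfg):
        acl = acl_of_route_map(cfg, rm) if rm else None
        if acl is None or not acl_denies_host(cfg, acl, client_ip):
            return True  # unconditional entry, or exemption ACL misses client
    return False

def audit(cfg):
    """VPN pool addresses whose VNC replies would be mangled by static NAT."""
    return [c for c in parse_pool(cfg) if reply_is_translated(cfg, c)]
```

With the original config every pool address is affected; with the route-map attached only 1.1.1.150 is exempt, because the constructed ACL denies just that one host, which is why SDM emits one deny line per pool address.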