06-24-2008 02:17 AM
I am trying to set up VPN client software ver 5.0 for remote users to connect to the LAN behind an 1801.
I can get the client saying it's connected, but traffic doesn't flow, apart from:
when I try to ping a 192.168.2.x address behind the 1801 I get a response from the public IP, but then when I try to ping another address I get no response.
I am assuming that the issue is NAT related.
Below is my config; your help is appreciated.
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C######
!
boot-start-marker
boot-end-marker
!
enable password 7 #######
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
ip cef
!
ip domain name ######.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
username admin privilege 15 password 7 ########
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group 1801Client
key ##############
dns 192.168.2.251
wins 192.168.2.251
domain #######.local
pool VpnPool
acl 121
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
interface FastEthernet0
ip address 87.#.#.# 255.255.255.252
ip access-group 113 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet1
interface FastEthernet8
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface Vlan1
ip address 192.168.2.245 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool VpnPool 192.168.3.200 192.168.3.210
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 87.#.#.#
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.2.251 25 87.#.#.# 25 extendable
! Several lines similar to the one above, with different ports
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 113 permit tcp host 82.#.#.# host 87.#.#.# eq 22
access-list 113 permit tcp 84.#.#.# 0.0.0.3 host 87.#.#.# eq 22
access-list 113 permit tcp host 79.#.#.# host 87.#.#.# eq 22
access-list 113 deny tcp any any eq 22
access-list 113 permit tcp host 82.#.#.# host 87.#.#.# eq telnet
access-list 113 permit tcp 84.#.#.# 0.0.0.3 host 87.#.#.# eq telnet
access-list 113 permit tcp host 79.#.#.# host 87.#.#.# eq telnet
access-list 113 deny tcp any any eq telnet
access-list 113 permit ip any any
access-list 121 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 121 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
transport input telnet ssh
!
end
06-24-2008 04:15 AM
You need to exempt the client pool IP addresses from the NAT,
either by denying them in access-list 1
or by making a route map that points to a loopback address as the next hop for any packet destined to your pool, to avoid the NAT.
First try to put these entries in your access-list 110:
access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
Remove your old NAT and put the following one:
ip nat inside source route-map nonat interface FastEthernet0 overload
Rate if helpful
and let me know, good luck
06-24-2008 07:31 AM
You have more than just a NAT issue.
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
Note: Reverse-route injection is needed to provision a return path.
access-list 121 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
Note: The second ACE in the split-tunneling ACL is unnecessary.
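As an added worked example (not code from the original thread, from Cisco, or from either responder): a small Python linter that checks an IOS config for the three faults the two answers above identify: the client pool still being matched by the ACL behind "ip nat inside source", a dynamic crypto map without reverse-route, and a split-tunnel ACL that also lists the pool-to-LAN direction. BROKEN and FIXED are constructed, sanitised excerpts of the poster's config before and after applying both answers' changes; the function names are the example's own.

```python
# Added example, not Cisco's or the poster's code; BROKEN/FIXED are constructed excerpts.
import ipaddress
import re

ACE_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+(.*)$")
ANY = ipaddress.ip_network("0.0.0.0/0")

BROKEN = """\
crypto isakmp client configuration group 1801Client
 acl 121
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
ip local pool VpnPool 192.168.3.200 192.168.3.210
ip nat inside source list 1 interface FastEthernet0 overload
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 121 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 121 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
FIXED = """\
crypto isakmp client configuration group 1801Client
 acl 121
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
ip local pool VpnPool 192.168.3.200 192.168.3.210
ip nat inside source route-map nonat interface FastEthernet0 overload
access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
access-list 121 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
route-map nonat permit 10
 match ip address 110
"""

def _net(addr, wildcard="0.0.0.0"):
    """Cisco 'address wildcard' -> ip_network (contiguous wildcards only)."""
    bits = int(ipaddress.ip_address(wildcard)).bit_length()   # 0.0.0.255 -> 8 -> /24
    return ipaddress.ip_network(f"{addr}/{32 - bits}", strict=False)

def _take_addr(tok):
    """Consume one IOS address spec (any | host A | A wildcard | A) from tok."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return _net(tok[1]), tok[2:]
    n = 2 if len(tok) > 1 and tok[1][:1].isdigit() else 1   # is a wildcard present?
    return _net(*tok[:n]), tok[n:]

def parse_acls(cfg):
    """{acl_number: [(action, src_net, dst_net), ...]} in configuration order."""
    acls = {}
    for m in filter(None, map(ACE_RE.match, cfg.splitlines())):
        num, action, rest = int(m[1]), m[2], m[3].split()
        if num <= 99 or 1300 <= num <= 1999:      # standard ACL: source only
            src, dst = _take_addr(rest)[0], ANY
        else:                                     # extended: proto src dst [ports]
            src, rest = _take_addr(rest[1:])
            dst = _take_addr(rest)[0]
        acls.setdefault(num, []).append((action, src, dst))
    return acls

def acl_permits(aces, src_ip, dst_ip):
    """First-match evaluation, with the implicit deny at the end of every ACL."""
    for action, src, dst in aces:
        if src_ip in src and dst_ip in dst:
            return action == "permit"
    return False

def _block(cfg, header):
    """Stripped lines between the first header starting with `header` and the next '!'."""
    lines = [l.strip() for l in cfg.splitlines()]
    start = next((i for i, l in enumerate(lines) if l.startswith(header)), None)
    return [] if start is None else lines[start + 1:lines.index("!", start)]

def audit(cfg):
    """Return human-readable findings; an empty list means all three checks pass."""
    findings, acls = [], parse_acls(cfg)
    pool = re.search(r"^\s*ip local pool \S+ (\S+) (\S+)", cfg, re.M)
    pool_ips = [ipaddress.ip_address(a) for a in pool.groups()] if pool else []
    # 1. Does the ACL behind 'ip nat inside source' still translate LAN -> pool traffic?
    nat = re.search(r"^\s*ip nat inside source (?:list (\d+)|route-map (\S+)) interface", cfg, re.M)
    if nat and nat[2]:   # resolve the route-map to the ACL in its 'match ip address N'
        nat = re.search(rf"^\s*route-map {re.escape(nat[2])} permit \d+\n\s*match ip address (\d+)", cfg, re.M)
    nat_acl = int(nat[1]) if nat else None
    for action, src, _dst in acls.get(nat_acl, []):
        if action == "permit" and any(acl_permits(acls[nat_acl], src.network_address, ip) for ip in pool_ips):
            findings.append(f"NAT ACL {nat_acl} still translates {src} -> VPN pool; deny pool traffic first")
    # 2. Without reverse-route injection the router has no route back to the pool addresses.
    if "reverse-route" not in _block(cfg, "crypto dynamic-map "):
        findings.append("crypto dynamic-map lacks 'reverse-route'")
    # 3. The split-tunnel ACL is written from the LAN side; a pool-sourced ACE is redundant.
    group = _block(cfg, "crypto isakmp client configuration group ")
    split = next((int(l.split()[1]) for l in group if l.startswith("acl ")), None)
    for _action, src, _dst in acls.get(split, []):
        if pool_ips and pool_ips[0] in src:
            findings.append(f"split-tunnel ACL {split}: ACE sourced from pool network {src} is unnecessary")
    return findings
```

audit(BROKEN) returns three findings and audit(FIXED) returns an empty list. The ACL evaluation is first-match with an implicit deny, as on the router, so the deny for LAN-to-pool traffic has to sit above the permit in ACL 110; the linter only understands contiguous wildcards and the numbered-ACL forms used in this thread.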
06-24-2008 09:08 AM
Thank you very much for your help, really appreciated the fast responses.
Cheers Gents.