07-21-2008 03:19 AM
I have configured a remote-site VPN with domain authentication. VPN client users are able to log in to the VPN and they are authenticating with the domain controller, but they are unable to access the LAN (remote). Please find the configuration below.
access-list inside_nat0_outbound extended permit ip any 10.100.100.0 255.255.255.0
ip local pool vpnpool 10.100.100.1-10.100.100.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
route inside 172.0.0.0 255.0.0.0 172.x.x.x
route outside 0.0.0.0 0.0.0.0 x.x.x.x
aaa-server India protocol nt
aaa-server India (inside) host 172.x.x.x
nt-auth-domain-controller domaincontroller
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map dynamic 30 set reverse-route
crypto dynamic-map dynamic 30 set pfs
crypto dynamic-map dynamic 30 set transform-set ESP-AES-128-SHA
crypto map vpn 10 ipsec-isakmp dynamic dynamic
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
group-policy gpolicy internal
group-policy gpolicy attributes
dns-server value 172.x.x.x
vpn-tunnel-protocol IPSec
default-domain value domaincontroller
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
address-pool vpnpool
authentication-server-group India
default-group-policy gpolicy
tunnel-group vpngroup ipsec-attributes
pre-shared-key *
Earlier, with the same configuration, it was working, but I have upgraded the IOS from 7.2 to 8.0. After that it is not working.
Earlier, using the 7.2 IOS, I also got the same problem, but when I used the command crypto isakmp nat-traversal 20 it worked.
Now issuing this command doesn't help me.
Can anybody please help me in this matter?
Thanks in advance.
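The classic cause of "clients connect but cannot reach the inside LAN" on an ASA is a NAT-exempt (nat 0) ACL that does not cover the VPN pool as destination from the inside network. The script below is an added example (not from the poster or from Cisco): it parses the ASA configuration lines quoted in the post, with the redacted x.x.x.x addresses replaced by documentation-range placeholders, and checks that every `ip local pool` range is covered by a `nat (…) 0 access-list` entry whose source includes each network routed via `inside`. It also runs the same check against a constructed, deliberately mismatched copy of the config to show what a finding looks like.

```python
import ipaddress
import re

# Constructed sample: the configuration from the post above. The redacted
# x.x.x.x next hops are replaced by placeholder addresses (assumption).
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip any 10.100.100.0 255.255.255.0
ip local pool vpnpool 10.100.100.1-10.100.100.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
route inside 172.0.0.0 255.0.0.0 172.16.0.1
route outside 0.0.0.0 0.0.0.0 198.51.100.1
"""

# Constructed variant where the nat0 ACL points at a different subnet than
# the pool actually hands out, so clients are not exempted from NAT.
MISMATCHED_CONFIG = SAMPLE_CONFIG.replace(
    "permit ip any 10.100.100.0 255.255.255.0",
    "permit ip any 10.10.10.0 255.255.255.0")

ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens):
    """Consume one ACL address spec from tokens: 'any', 'host A', or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_pools(cfg):
    """Return {pool_name: (first_ip, last_ip)} for every 'ip local pool' line."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                             ipaddress.ip_address(m.group(3)))
    return pools


def parse_nat0_acls(cfg):
    """Return {acl_name: [(src_net, dst_net), ...]} for ACLs bound by 'nat (iface) 0 access-list'."""
    names = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M))
    entries = {n: [] for n in names}
    for line in cfg.splitlines():
        t = line.split()
        if (len(t) >= 6 and t[0] == "access-list" and t[1] in names
                and t[2] == "extended" and t[3] == "permit" and t[4] == "ip"):
            rest = t[5:]
            src = _parse_addr(rest)
            dst = _parse_addr(rest)
            entries[t[1]].append((src, dst))
    return entries


def parse_inside_routes(cfg):
    """Networks reachable via the inside interface according to static routes."""
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            for m in re.finditer(r"^route inside (\S+) (\S+) \S+", cfg, re.M)]


def check_nat_exemption(cfg):
    """Return a list of findings; an empty list means every pool is NAT-exempt
    from every inside-routed network."""
    pools = parse_pools(cfg)
    acls = parse_nat0_acls(cfg)
    lan_nets = parse_inside_routes(cfg)
    findings = []
    for name, (first, last) in pools.items():
        covered = any(
            first in dst and last in dst
            and all(lan.subnet_of(src) for lan in lan_nets)
            for entries in acls.values() for src, dst in entries)
        if not covered:
            findings.append(f"pool {name} ({first}-{last}) has no nat 0 ACL entry "
                            f"covering it from the inside LAN")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted config", SAMPLE_CONFIG), ("mismatched", MISMATCHED_CONFIG)):
        print(label, "->", check_nat_exemption(cfg) or "OK")
```

The posted configuration passes this check (the ACL's `any` source and 10.100.100.0/24 destination cover the pool), which is consistent with the rest of the thread looking past NAT exemption toward what the client is actually assigned and how the reply traffic is routed.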
07-21-2008 04:42 AM
What do you mean "they are unable to access the LAN(remote)"?
What is LAN(remote)?
07-21-2008 05:00 AM
Able to log in to the VPN network, but not able to access the LAN of the remote network.
07-21-2008 06:00 AM
Show the output of "sh crypto ipsec sa" when a VPN client is connected.
07-21-2008 06:31 AM
Please find the output.
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: x.x.x.x
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.100.100.1/255.255.255.255/0/0)
current_peer: x.x.x.x, username: 210565
dynamic allocated peer ip: 10.100.100.1
#pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22
#pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 22, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.x/4500, remote crypto endpt.: x.x.x.x/60577
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: B57D7473
inbound esp sas:
spi: 0x5742F7E0 (1464006624)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 4096, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28775
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0xB57D7473 (3044897907)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 4096, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28771
IV size: 16 bytes
replay detection support: Y
07-21-2008 06:37 AM
You have encrypted and decrypted packets, and you negotiated NAT-T, so your VPN is working.
If you want to continue, give more details.
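The reply above reads the SA counters by eye: packets are both decapsulated and encapsulated, and the settings show NAT-T. The script below is an added example (not from any poster) that does the same reading programmatically: it parses the "show crypto ipsec sa" output quoted earlier in the thread, with the redacted x.x.x.x peers replaced by documentation-range placeholders, and reports whether IKE/IPsec is passing traffic, whether NAT-T is in use, and whether the counters are asymmetric, which points at a problem after decryption (routing, NAT or ACLs on the inside) rather than in the crypto negotiation.

```python
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines of the "show crypto ipsec sa" output
# from the thread. Placeholder peers (assumption): 203.0.113.10 is the ASA,
# 198.51.100.77 is the NAT device in front of the client.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 203.0.113.10
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.100.100.1/255.255.255.255/0/0)
      current_peer: 198.51.100.77, username: 210565
      dynamic allocated peer ip: 10.100.100.1
      #pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22
      #pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 203.0.113.10/4500, remote crypto endpt.: 198.51.100.77/60577
      current outbound spi: B57D7473
    inbound esp sas:
      spi: 0x5742F7E0 (1464006624)
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         sa timing: remaining key lifetime (sec): 28775
    outbound esp sas:
      spi: 0xB57D7473 (3044897907)
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         sa timing: remaining key lifetime (sec): 28771
"""


@dataclass
class IpsecSa:
    peer: str
    assigned_ip: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int
    local_port: int
    remote_port: int
    nat_t: bool
    inbound_spi: str
    outbound_spi: str


def _grab(pattern, text):
    """Return group 1 of the first match, or raise if the field is absent."""
    m = re.search(pattern, text)
    if not m:
        raise ValueError(f"field not found: {pattern}")
    return m.group(1)


def parse_sa(text):
    """Extract the fields a troubleshooter looks at from one SA block."""
    inbound = text.split("inbound esp sas:")[1].split("outbound esp sas:")[0]
    outbound = text.split("outbound esp sas:")[1]
    return IpsecSa(
        peer=_grab(r"current_peer: (\S+),", text),
        assigned_ip=_grab(r"dynamic allocated peer ip: (\S+)", text),
        encaps=int(_grab(r"#pkts encaps: (\d+)", text)),
        decaps=int(_grab(r"#pkts decaps: (\d+)", text)),
        send_errors=int(_grab(r"#send errors: (\d+)", text)),
        recv_errors=int(_grab(r"#recv errors: (\d+)", text)),
        local_port=int(_grab(r"local crypto endpt\.: \S+/(\d+)", text)),
        remote_port=int(_grab(r"remote crypto endpt\.: \S+/(\d+)", text)),
        nat_t="NAT-T-Encaps" in text,
        inbound_spi=_grab(r"spi: 0x([0-9A-Fa-f]+)", inbound),
        outbound_spi=_grab(r"spi: 0x([0-9A-Fa-f]+)", outbound),
    )


def assess(sa):
    """Turn the counters into the verdicts a reviewer would state."""
    notes = []
    if sa.nat_t or sa.local_port == 4500:
        notes.append("NAT-T negotiated: ESP is carried inside UDP/4500")
    if sa.decaps > 0 and sa.encaps > 0:
        notes.append("packets are decrypted from and encrypted towards the client: IKE/IPsec is up")
    elif sa.decaps > 0:
        notes.append("client traffic is decrypted but nothing is sent back: check inside routing, NAT exemption and ACLs")
    else:
        notes.append("nothing decrypted: the client is not sending through the tunnel")
    if sa.encaps < sa.decaps:
        notes.append(f"asymmetric counters (encaps {sa.encaps} < decaps {sa.decaps}): "
                     "fewer replies enter the tunnel than requests leave it, so any drop is after decryption")
    if sa.send_errors or sa.recv_errors:
        notes.append(f"send/recv errors: {sa.send_errors}/{sa.recv_errors}")
    return notes


if __name__ == "__main__":
    sa = parse_sa(SAMPLE_OUTPUT)
    for note in assess(sa):
        print("-", note)
```

On the output quoted in the thread this yields the same conclusion as the reply (NAT-T in use, traffic in both directions, so the tunnel itself is up) and additionally flags that the ASA decrypted 105 packets but encrypted only 22, which is why the next sensible request is the full configuration rather than more IKE debugging.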
07-21-2008 06:44 AM
Here it looks like everything is fine, but the thing is:
My LAN network is the 172.0.0.0 series and the client gets the 10.10.10.0 series. The client is getting the IP address but is unable to access the 172.0.0.0 series.
If more inputs are required, I will provide them.
07-21-2008 10:48 AM
Show the configuration :)