vpn connection with external modem

Unanswered Question
Aug 8th, 2008

Cisco 2651XM router


Using a WIC-ADSL card I have been able to set up a successful VPN connection from a Cisco VPN client machine to my 2651XM router, but I can't get a connection if I use an external modem.

My LAN at the VPN server end is on 172.16.1.xx and goes into the router on f0/0, which is set at 172.16.1.30.

Port f0/1 is on 192.168.1.100 and goes to an external modem set as default gateway 192.169.1.254. With this setup I can surf the internet on the LAN machines at the server end.

The problem is I can't get a connection from a remote machine to VPN connect. It worked when I used the WIC-ADSL connection, but then I was only using the f0/0 port, which was connected to my LAN. Now that I'm including the f0/1 port to connect to an external modem, the VPN client can't connect. The Cisco VPN client tries to connect using TCP on port 10000 and I've set this up in the modem, but I'm not sure if I've done it correctly. I've tried forwarding the port to both 192.168.1.100 (f0/1) and 172.16.1.30 (f0/0) but neither will work. Attached is my running config. Thanks for any pointers.


----------------------


router#show running-config
Building configuration...

Current configuration : 2757 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vpn
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip name-server 192.168.1.254
ip name-server 192.168.1.255
ip ddns update method sdm_ddns1
 DDNS both
!
!
!
!
!
username xxxxxxxxxxx secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group workgroup
 key xxxxxxxxxx
 pool SDM_POOL_2
crypto isakmp profile sdm-ike-profile-1
   match identity group workgroup
   client authentication list sdm_vpn_xauth_ml_2
   isakmp authorization list sdm_vpn_group_ml_2
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA1
 set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
interface ATM0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet0/0
 ip address 172.16.1.30 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
 no mop enabled
!
interface FastEthernet0/1
 description $ETH-WAN$
 ip dhcp client update dns server none
 ip ddns update hostname vpn.vpn
 ip ddns update sdm_ddns1
 ip address dhcp client-id FastEthernet0/1
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
router rip
 version 2
 network 172.16.0.0
 network 192.168.1.0
 no auto-summary
!
ip local pool SDM_POOL_1 192.168.1.110 192.168.1.120
ip local pool SDM_POOL_2 172.16.1.21 172.16.1.29
!
!
ip http server
no ip http secure-server
ip nat inside source list 3 interface FastEthernet0/1 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 172.16.0.0 0.0.255.255
!
!
!
!
control-plane
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password xxxxxxxx
!
!
end

Marwan ALshawi Fri, 08/08/2008 - 09:57

So now the public IP address should be on the modem.

Now the tunnel connection is coming to the modem, but because there is no mapping (NATing) to your router that contains the IPsec VTI (virtual tunnel interface), the VPN won't work.

You need static NAT/PAT for ESP and ISAKMP to the router fa0/1 to get it to work.

Also make sure nothing is blocking these ports, I mean ESP and ISAKMP.


good luck


if helpful rate

tonyspcrepairs Fri, 08/08/2008 - 11:10

Thanks for your response. I went into the modem and created a static route from the modem to the IP address of f0/1, but the connection still doesn't work. I don't know where the connection is failing; it's either at the modem or at the router. From the VPN client PC I can ping the public IP address of the server location and it replies fine. Is there any diagnostic I can run to find out where the connection is failing?
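As an added diagnostic that is not part of this thread, one way to settle both the "static NAT for ESP and ISAKMP" advice above and the "where is it failing" question is a counting ACL on the router's modem-facing interface from the posted config: if the VPN-related hit counters stay at zero during a client attempt the modem is not forwarding, and if they climb the router is where to look. ACL number 150 and the 16384-byte buffer size are my own choices; everything else is taken from the config above.

```cisco
! Added example (not from the thread): count VPN packets arriving on Fa0/1
! so modem problems can be told apart from router problems.
configure terminal
 ! The posted config has "no logging buffered" and "no logging console",
 ! so debug output would otherwise be invisible.
 logging buffered 16384 debugging
 !
 ! One line per transport the Cisco VPN client can use, then permit the
 ! rest unchanged so normal LAN browsing is unaffected.
 access-list 150 remark count VPN traffic forwarded by the modem
 ! IKE / ISAKMP, UDP 500
 access-list 150 permit udp any any eq isakmp
 ! NAT-T, UDP 4500
 access-list 150 permit udp any any eq non500-isakmp
 ! ESP, IP protocol 50
 access-list 150 permit esp any any
 ! IPsec over TCP, the port the client is currently set to
 access-list 150 permit tcp any any eq 10000
 access-list 150 permit ip any any
 !
 interface FastEthernet0/1
  ip access-group 150 in
 end
!
! Start a client connection attempt, then read the per-line hit counters.
show access-lists 150
! All four VPN lines at zero while the client reports "no response":
! the modem is not forwarding, so the fix is on the modem.
! Hits on udp 500/4500 or tcp 10000: packets reach fa0/1, so look at IKE.
debug crypto isakmp
show logging
show crypto isakmp sa
undebug all
```

Note that the running config above contains no IPsec-over-TCP (cTCP) setup on the router, so even once the modem forwards TCP 10000 there is nothing on the router listening for it; IPsec over UDP (NAT-T, UDP 4500) is the transport the posted config can terminate, and the non500-isakmp line is the counter to watch for it.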

Marwan ALshawi Fri, 08/08/2008 - 18:00

Now, can you make the VPN connection but cannot communicate with the local LAN?

Or can't you make the VPN connection at all?


Also check if there is any filtering on the modem!

tonyspcrepairs Sat, 08/09/2008 - 02:24

I cannot make a VPN connection at all; I always get 'no response'. I'm almost certain the problem is the modem: it is not forwarding the connection to the router. I tried altering settings in the modem but still can't get a connection, and I've also tried forwarding the TCP port to the router but no joy. I've written to the modem makers and I'm waiting for their reply; hopefully they will tell me what settings to alter in the modem.

Marwan ALshawi Sat, 08/09/2008 - 02:28

That's right

and good luck

if helpful rate
