09-25-2008 06:52 AM - edited 02-21-2020 03:57 PM
Hello, I have an 851 router that I am trying to learn with. I have a working config that gets me online and has a basic firewall and DHCP for clients. I then wanted to add a VPN using the 851 and the Cisco VPN client.
Using this tutorial: "http://www.cisco.com/en/US/customer/products/sw/secursw/ps5318/products_configuration_example09186a00806ad10e.shtml"
I was able to get partially to my goal, as I can establish a VPN and it is showing me 192.168.1.0 as the secured route, but I cannot ping or communicate with anything within the 192.168.1.1 network.
09-25-2008 06:52 AM
Here is my config so far...
hostname MSM-Guest
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret xxx
enable password xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
!
ip dhcp pool MSM-Guest-DHCP
import all
network 192.168.1.0 255.255.255.0
dns-server 216.220.230.24 216.220.230.25
default-router 192.168.1.1
!
!
ip cef
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip domain name MSM-Guest
ip name-server 216.220.230.24
ip name-server 216.220.230.25
!
!
crypto pki trustpoint TP-self-signed-2169386341
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2169386341
revocation-check none
rsakeypair TP-self-signed-2169386341
!
!
crypto pki certificate chain TP-self-signed-2169386341
certificate self-signed xxx
quit
username **** privilege 15
password 7 ****
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key ****
dns 192.168.1.1
wins 192.168.1.1
domain msm-guest
pool SDM_POOL_1
acl 100
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group vpn
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
!
!
interface Loopback0
ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$
ip address 216.220.228.125 255.255.255.224
ip access-group Internet-inbound-ACL in
ip access-group Internet-outbound-ACL out
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description Internal Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.10
ip classless
ip route 0.0.0.0 0.0.0.0 216.220.228.97
!
ip http server
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended Internet-inbound-ACL
remark SDM_ACL Category=17
permit udp any host 216.220.228.125 eq non500-isakmp
permit udp any host 216.220.228.125 eq isakmp
permit esp any host 216.220.228.125
permit ahp any host 216.220.228.125
permit udp host 216.220.230.25 eq domain any
permit udp host 216.220.230.24 eq domain any
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
ip access-list extended Internet-outbound-ACL
permit ip any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
control-plane
!
line con 0
password 7 ****
no modem enable
line aux 0
line vty 0 4
password 7 ****
!
scheduler max-task-time 5000
end
09-25-2008 09:21 AM
This is happening because the IPsec traffic is not bypassing NAT. Do the following changes and then check and post results.
1. Deny the IPsec traffic in the NAT access-list.
access-list 120 deny 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit 192.168.1.0 0.0.0.255 any
2. no ip nat inside source list 1 interface FastEthernet4 overload
3. ip nat inside source list 120 interface FastEthernet4 overload
HTH
Saju
Pls rate helpful posts
09-25-2008 01:26 PM
This appeared to get me closer. I can now ping 192.168.1.1 but not 192.168.1.51, which is a valid host.
When I tracert 192.168.1.51, my first hop is 10.0.0.1 and then it dies after that.
My secured route is 192.168.1.0, which I was thinking would be 192.168.2.0 because that is the subnet that DHCP gave me.
09-25-2008 03:08 PM
You need to route the VPN pool address in your network. What's the default gateway on 192.168.1.51?
09-26-2008 04:27 AM
The default gateway is 192.168.1.1, which is the IP address assigned to the VLAN interface.
09-26-2008 05:11 AM
Try this one also.
Instead of using an access-list in the NAT statement, use a route-map and see if it resolves the issue.
1. Deny the IPsec traffic in the NAT access-list.
access-list 120 deny 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit 192.168.1.0 0.0.0.255 any
2. Create a route-map.
route-map nonat permit 10
match ip address 120
3. no ip nat inside source list 1 interface FastEthernet4 overload
4. ip nat inside source route-map nonat interface FastEthernet4 overload
5. clear ip nat translations *
Then check.
HTH
Saju
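The two replies above both hinge on the same NAT decision: with list 1, a LAN host's reply to a VPN client (192.168.2.x) matches the permit and gets translated to the WAN address, so it never returns through the tunnel; list 120 exempts that traffic first. The following is an added example, not code from the thread: a small evaluator of IOS wildcard-mask access lists that models only the permit/deny decision of the `ip nat inside source` statement (not interface pairing or order of operations), using constructed packets with the addresses from the posted config.

```python
"""Model of the IOS NAT 'inside source' ACL decision discussed in this thread.

Constructed example, not code from the original post. It evaluates standard and
extended access lists with IOS wildcard masks and shows why NAT list 1 translates
VPN-bound replies while list 120 (plain or via route-map nonat) exempts them.
"""
import ipaddress


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a bit set in the wildcard is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


# 'any' is 0.0.0.0 with an all-ones wildcard.
ANY = ("0.0.0.0", "255.255.255.255")

# access-list 1 permit 192.168.1.0 0.0.0.255            (original config)
ACL_1 = [("permit", "192.168.1.0", "0.0.0.255", *ANY)]

# access-list 120 deny   192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
# access-list 120 permit 192.168.1.0 0.0.0.255 any     (the fix)
ACL_120 = [
    ("deny", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", *ANY),
]


def acl_permits(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, sn, sw, dn, dw in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False


def nat_source(acl, src, dst, outside_addr="216.220.228.125"):
    """Outcome of 'ip nat inside source list <acl> interface Fa4 overload':
    a permit translates the source to the outside address; a deny or no
    match leaves the packet untranslated. 'route-map nonat permit 10' with
    'match ip address 120' yields the same permit/deny result as ACL_120."""
    return outside_addr if acl_permits(acl, src, dst) else src


# Constructed packets: LAN host replying to a VPN client, and LAN host to Internet.
LAN_HOST, VPN_CLIENT, INTERNET = "192.168.1.51", "192.168.2.1", "216.220.230.24"

if __name__ == "__main__":
    print("list 1,   LAN->VPN :", nat_source(ACL_1, LAN_HOST, VPN_CLIENT))    # translated (broken)
    print("list 120, LAN->VPN :", nat_source(ACL_120, LAN_HOST, VPN_CLIENT))  # untranslated
    print("list 120, LAN->WAN :", nat_source(ACL_120, LAN_HOST, INTERNET))    # translated
```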
09-26-2008 09:55 AM
Yes!! It is finally working, although I may have been chasing my own tail for a while there: the host I was trying to ping had the Windows firewall turned on, causing it not to respond to ping.
Thanks for the help. I will back up this config to a safe spot and expand upon it when I get some additional hardware. I also want to add a site-to-site VPN into the mix with a second 851 router.