11-18-2008 05:58 AM - edited 02-21-2020 03:06 AM
Hey there,
I need to configure my router to let a couple of PCs get into my LAN remotely so we can do remote maintenance. I have the Cisco VPN client software and a SEC image on my router.
I tried SDM to make VPN work but it screwed up my NAT entries and all my users lost internet access!! :(
Please have a look at my config. Can you give me any hints on what it should look like to allow a few clients past my NAT?
This config works with voice and remote access. I'll be using it as a marker before I implement VPN.
sh run
Building configuration...
Current configuration : 2895 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BD2801
!
boot-start-marker
boot system flash c2801-adventerprisek9-mz.124-17.bin
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
!
aaa session-id common
ip cef
!
!
!
voice-card 0
!
!
voice call carrier capacity active
voice rtp send-recv
voice dsp release early
!
voice service voip
fax protocol t38 nse force ls-redundancy 0 hs-redundancy 0 fallback cisco
!
!
!
fax interface-type fax-mail
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
description Starboard Stratos VSAT$FW_OUTSIDE$
ip address 10.20.46.20 255.255.255.0
ip nat outside
ip virtual-reassembly
no ip mroute-cache
speed 100
full-duplex
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.49.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
no ip address
!
router eigrp 1
network 192.168.49.0
auto-summary
!
ip local pool vpn_pool_1 192.168.50.150 192.168.50.151
ip default-gateway 10.20.46.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.20.46.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool MADNATPOOL 10.20.46.20 10.20.46.20 netmask 255.255.255.0
ip nat inside source list 1 pool MADNATPOOL overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
!
!
control-plane
!
!
!
voice-port 0/2/0
echo-cancel coverage 32
no comfort-noise
cptone GB
timeouts interdigit 3
music-threshold -70
!
voice-port 0/2/1
echo-cancel coverage 32
no comfort-noise
cptone GB
timeouts interdigit 3
music-threshold -70
!
ccm-manager mgcp
!
mgcp
mgcp call-agent 10.129.48.11 service-type mgcp version 0.1
mgcp dtmf-relay voip codec all mode nse
mgcp codec g729r8 packetization-period 60
mgcp playout adaptive 100 50 200
mgcp playout fax 500
no mgcp timer receive-rtcp
mgcp timer net-cont-test 1000
mgcp timer nse-response t38 1000
mgcp sdp simple
no mgcp fax t38 ecm
mgcp fax t38 nsf 000000
!
mgcp profile default
!
!
dial-peer cor custom
!
!
!
dial-peer voice 1 pots
service mgcpapp
port 0/2/0
!
dial-peer voice 2 pots
service mgcpapp
port 0/2/1
!
gateway
timer receive-rtp 1200
!
!
!
call-manager-fallback
max-conferences 4 gain -6
ip source-address 10.20.46.20 port 2000
max-ephones 24
max-dn 24
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
end
11-19-2008 03:00 AM
You have forgotten to include the VPN config?
Follow the config example below:
If this is not specific enough or does not fit, the link below has all the config examples for your platform:
http://www.cisco.com/en/US/products/ps5854/prod_configuration_examples_list.html
HTH
11-19-2008 05:10 AM
Thanks for the reply! OK, so now I have a working VPN scenario.
My VPN Client can now get to some areas of my inside network.
I need to make sure NAT lets me get to all of my internal lan that is behind the router.
Can anyone help me adjust my NAT?
inet --> 10.20.46.20 (router) 192.168.49.1 --> 168.192.49.2 (L3 3560 switch) --> 192.168.50.0, 192.168.51.0, 192.168.52.0, etc.
Here's the router config.
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.20.46.1 10.20.46.30
!
ip dhcp pool S_LAN
network 10.20.46.0 255.255.255.0
default-router 10.20.46.1
dns-server
!
!
ip domain name ocean-group.net
ip name-server
ip name-server
!
!
voice-card 0
!
!
voice call carrier capacity active
voice rtp send-recv
voice dsp release early
!
voice service voip
fax protocol t38 nse force ls-redundancy 0 hs-redundancy 0 fallback cisco
!
!
crypto pki trustpoint TP-self-signed-3884018817
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3884018817
revocation-check none
rsakeypair TP-self-signed-3884018817
!
crypto pki certificate chain TP-self-signed-3884018817
certificate self-signed 0D
quit
fax interface-type fax-mail
archive
log config
hidekeys
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group madsummer
key v@ncouver
pool SDM_POOL_1
include-local-lan
max-users 10
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group madsummer
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
interface Loopback0
ip address 194.217.5.38 255.255.255.255
!
interface FastEthernet0/1
description Starboard Stratos VSAT$FW_OUTSIDE$
ip address 10.20.46.20 255.255.255.0
ip nat outside
ip virtual-reassembly
no ip mroute-cache
speed 100
full-duplex
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.49.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
router eigrp 1
network 192.168.0.0
network 192.168.49.0
auto-summary
!
ip local pool SDM_POOL_1 10.20.46.200 10.20.46.220
ip default-gateway 10.20.46.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.20.46.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool MADNATPOOL 10.20.46.20 10.20.46.20 netmask 255.255.255.0
ip nat inside source list 1 pool MADNATPOOL overload
access-list 1 permit 192.168.0.0 0.0.255.255
11-19-2008 05:23 AM
Why have you configured the VPN pool out of 10.x.x.x IP addresses?
I would use a 192.168.x.x address pool, then configure my NAT something like:
access-list 101 deny ip 192.168.x.x 0.0.255.255 192.168.x.x 0.0.0.255
access-list 101 permit 192.168.0.0 0.0.255.255
ip nat inside source list 101 pool MADNATPOOL overload
HTH?
11-19-2008 05:56 AM
Well, actually my public IP is different from my outside router interface. My ISP dropped the VPN down on 10.20.46.20. The good thing is that now I can get in. But I can't get full roam of all my VLANs, although I can get all over one of them, 192.168.50.0.
I would like to terminate the vpn on an inside address but I'm afraid!
Will those entries you gave me affect any of my users leaving from my network?
11-19-2008 06:03 AM
Is it possible to create the VPN pool on a subnet that isn't on the router? If I could get my VPN sent in past the router's outside int 10.20.46.20, past the inside int of 192.168.49.1, and plop it down inside my L3 switch on the 192.168.50.0 network.
How can I help you help me? :)
I'm going grey over here.
11-19-2008 06:08 AM
You can give the VPN pool an IP address range of 192.168.254.0/24; as long as the router and the internal layer 3 routing device know that 192.168.254.0/24 is on the 2801, no issues.
It's then a simple matter of routing!
11-19-2008 06:28 AM
I'm not sure how to get that address on the router only because I don't have any more interfaces I can use. I think I misunderstood.
Do I need to use a separate subnet for the VPN clients, or can I have them join an existing VLAN the switch is routing?
I can post the switch config if you felt like looking at them.
11-19-2008 06:36 AM
I have the private network 192.168.49.0 and the only hosts on it are the router's internal int and the switch's (I'll call it) outside interface.
Could I plop the VPN users down into there with say a pool of 192.168.49.5 to 192.168.49.10?
11-19-2008 06:40 AM
Whoa, hold on mate.
You do not need to have a physical interface for VPN users. If you terminate the VPN on the outside interface (which is the norm), then you assign the VPN users an IP address from, say, 192.168.254.0/24; the router KNOWS that this is a local pool.
The traffic from the VPN clients will enter the network with a 192.168.254.x address, from the router's inside interface. For this to work all you have to do is make SURE the rest of your internal network knows that 192.168.254.0/24 lives on the router, just like a static route.
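A worked configuration for the approach described in the reply above, added here as an example; it is not from the original posts. It uses the interface names and NAT pool from the posted config, the 192.168.254.x client range the thread settles on, and assumes the 3560 has ip routing enabled with its uplink to the 2801 in 192.168.49.0/24 as the thread describes. The deny line is the NAT exemption sketched earlier with x.x placeholders: it keeps traffic between the 192.168.0.0/16 LANs and the VPN pool out of the overload (PAT) rule so it is never rewritten to 10.20.46.20.

```cisco
! --- 2801 (Easy VPN server side), configuration mode ---
! Added example, not the thread's own config. Assumes the OP's interface names
! and NAT pool; 192.168.254.0/24 is the client range the thread settles on.
!
! 1. Give VPN clients addresses from a subnet that exists nowhere else on the
!    network. No interface carries this subnet; the router owns the pool and
!    installs a host route per connected client on its Virtual-Access interface.
no ip local pool SDM_POOL_1
ip local pool SDM_POOL_1 192.168.254.200 192.168.254.220
!
! 2. NAT exemption: LAN -> VPN-client traffic must not be translated.
!    The deny entry has to come before the permit; ACLs match top down.
access-list 101 remark LAN to VPN clients: do not translate
access-list 101 deny   ip 192.168.0.0 0.0.255.255 192.168.254.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
!
! 3. Swap the PAT rule from list 1 to list 101. IOS refuses to remove a
!    dynamic NAT rule that still has live translations, so clear them first
!    from privileged exec (this briefly drops outbound sessions for LAN users):
!      clear ip nat translation *
no ip nat inside source list 1 pool MADNATPOOL overload
ip nat inside source list 101 pool MADNATPOOL overload
!
! --- 3560 (internal L3 switch), configuration mode ---
! Assumption: the switch routes 192.168.50.0/24, .51.0/24, .52.0/24 and reaches
! the 2801 at 192.168.49.1 over the 192.168.49.0/24 link. This is the
! "just like a static route" part: return traffic for the pool goes to the router.
ip route 192.168.254.0 255.255.255.0 192.168.49.1
!
! --- Verification (privileged exec on the 2801) ---
!   show ip local pool SDM_POOL_1    -> connected client shows as assigned
!   show crypto session              -> one session per connected client
!   show ip route 192.168.254.200    -> /32 via Virtual-Access once a client is up
!   show ip nat translations         -> no entries whose destination is 192.168.254.x
```

Two caveats a practitioner would check at the same time. The EIGRP network statement only advertises subnets that are configured on interfaces, so it does not by itself carry the pool to the switch; the static route on the 3560 (or redistribution on the router) is what makes the return path work. And the first posted config runs with no service password-encryption, so the group pre-shared key under crypto isakmp client configuration group appears in clear text in show run; since that output was pasted into a public thread, the key should be changed, and service password-encryption only obscures it with reversible type 7 encoding rather than protecting it.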
11-19-2008 06:49 AM
OK! :) sorry about that.
So here's what I'm going to do.
Change
ip local pool SDM_POOL_1 10.20.46.200 10.20.46.220
to
ip local pool SDM_POOL_1 192.168.254.200 192.168.254.220
and that's it?
Whew! that sounds easy as pie!
Would the routing already be covered by
router eigrp 1
network 192.168.0.0?
Or do I need to put a static route of maybe
ip route 192.168.0.0 255.255.0.0 10.20.46.20
I'm kinda shooting in the dark right now. Sorry about my ignorance.
11-19-2008 08:01 AM
Hey hey!
It worked. It's funny how much less scary things are once you've seen them work once.
I'm able to now get to all the hosts I need to manage remotely.
Now I'm onto the next tasks. QoS :(
I'll be trying to give the client full bandwidth when it connects to do the maint.
See you in the other forums.
You rock, Andrew!
Thanks a lot. I mean it.
11-20-2008 11:39 AM
Crap!!!!
I thought everything worked until we found the voice stopped working.
Every time I entered:
interface Loopback0
ip address 214.27.53.58 255.255.255.255
I could only talk in one direction! :(
Is there any way around using this??? With only a couple more days, I'm really up against the wall now.
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.20.46.1 10.20.46.30
!
ip dhcp pool Stratos_LAN
network 10.20.46.0 255.255.255.0
default-router 10.20.46.1
dns-server 158.152.1.58 158.152.1.43
!
!
!
!
voice-card 0
!
!
voice call carrier capacity active
voice rtp send-recv
voice dsp release early
!
voice service voip
fax protocol t38 nse force ls-redundancy 0 hs-redundancy 0 fallback cisco
!
!
crypto pki trustpoint TP-self-signed-3884018817
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3884018817
revocation-check none
rsakeypair TP-self-signed-3884018817
!
!
crypto pki certificate chain TP-self-signed-3884018817
certificate self-signed 0D
3082023E 308201A7 A0030201 0202010D 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D
quit
fax interface-type fax-mail
username privilege 15
username privilege 15
archive
log config
hidekeys
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group madsummer
key
pool SDM_POOL_1
include-local-lan
max-users 10
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group mad
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
interface Loopback0
ip address 214.27.53.58 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
description Starboard Stratos VSAT$FW_OUTSIDE$
ip address 10.20.46.20 255.255.255.0
ip nat outside
ip virtual-reassembly
no ip mroute-cache
speed 100
full-duplex
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.49.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
router eigrp 1
network 192.168.0.0
network 192.168.49.0
auto-summary
!
ip local pool SDM_POOL_1 192.168.254.160 192.168.254.170
ip default-gateway 10.20.46.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.20.46.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool MADNATPOOL 10.20.46.20 10.20.46.20 netmask 255.255.255.0
ip nat inside source list 1 pool MADNATPOOL overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
11-20-2008 11:47 AM
Errrm, why are you configuring a loopback on an internal virtual interface with an external IP address - that relates to voice?
The way around it is: do not configure the loopback interface?
11-20-2008 11:57 AM
Oh man is it nice to see your reply.
I was just going to remove the loopback until I saw:
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
I don't really know how it ties together but it sounds important.
They originally landed my VPN on an outside interface. Then I moved it to that 192.168.254.0 network like you suggested. It worked, so I thought I was in the clear.
Can I remove all the related loopback stuff?
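An added example, not from the thread, of the Virtual-Template discussed in the last two posts with Loopback0 removed. The template only needs an address to borrow, and Cisco's dynamic VTI examples normally take it from the interface the clients connect to, so the example uses ip unnumbered on FastEthernet0/1 instead of the loopback. It assumes the posted interface names and the SDM_Profile1 IPsec profile. Whether this restores two-way audio is the question the thread leaves open; the example only shows how to drop the loopback without leaving the template without an address.

```cisco
! --- 2801, configuration mode ---
! Added example, not the thread's own config. Assumes the OP's Fa0/1 outside
! interface and the SDM_Profile1 IPsec profile from the posted config.
!
! 1. Re-point the template first, so it never references a loopback that is
!    about to disappear. Fa0/1 already holds the address the clients connect to.
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
! 2. The loopback now has no remaining references and can go.
no interface Loopback0
!
! Virtual-Access interfaces already cloned from the template keep the old
! settings until the client reconnects; force that from privileged exec:
!   clear crypto session
! then confirm new sessions come up borrowing Fa0/1's address:
!   show interfaces virtual-access 1 | include unnumbered
!   show crypto session
```

Clearing the crypto sessions disconnects every connected VPN client, so do it in a window where that is acceptable; the NAT and voice configuration is untouched by this change.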