Cisco 1811 with 2 internet links + VPN

Unanswered Question
Jul 25th, 2009

Dear All,

I am trying to configure my Cisco 1811 router; it has 2 Ethernet WAN ports + 8 L2 ports.

Both Internet links are working, but the VPN is not connecting. Please look into my config:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname MTL-1811
boot-start-marker
boot-end-marker
!
enable secret 5 $1xxxxxxxxxxxxxxxxxxxxxxI/
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
resource policy
ip cef
!
ip domain name millat.com.pk
ip name-server 10.16.6.11
ip name-server 10.16.7.12
ip name-server 203.99.163.240
!
username Junaid privilege 15 secret 5 $1xxxxxxxx
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 55.55.55.210 no-xauth
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 192.168.1.17
 wins 192.168.1.17
 domain millat.com.pk
 pool ippool
 acl id_vpn
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
 ! Incomplete
 set peer 55.55.55.210
 set transform-set myset
 match address lana_to_lanb
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0
 ip address 192.168.95.65 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address 55.66.77.88 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface Vlan1
 ip address 192.168.74.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map send_vpn
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool ippool 192.168.55.100 192.168.55.200
ip route 0.0.0.0 0.0.0.0 192.168.95.1
ip route 0.0.0.0 0.0.0.0 58.27.232.17 10
ip route 192.168.1.0 255.255.255.0 192.168.74.2
no ip http server
no ip http secure-server
ip nat inside source list 110 interface FastEthernet0 overload
ip nat inside source route-map send_vpn interface FastEthernet1 overload
ip nat inside source static tcp 192.168.74.1 23 interface FastEthernet1 23
!
ip access-list extended lana_to_lanb
!
access-list 110 deny ip 192.168.1.0 0.0.0.255 any
access-list 110 deny ip 192.168.55.0 0.0.0.255 any
access-list 110 permit ip any any
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 111 permit ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any eq isakmp any
access-list 111 permit udp any eq non500-isakmp any
access-list 111 permit esp any any
!
route-map send_vpn permit 10
 match ip address id_vpn
 set ip next-hop 58.27.232.17

Marwan ALshawi Sat, 07/25/2009 - 06:39

What is not working?

Why do you use a policy map?

Also, I can't see a NAT exemption for traffic going to 192.168.100 - 200, your pool range?

One more thing: if you are using remote access VPN, why did you specify a peer address?

junshah22 Sat, 07/25/2009 - 07:10

Remote Client VPN not working

I will use two VPNs: one for remote clients and the other one for my other site (site-to-site).

I used the policy map for restricting VPN traffic to only one connection;

other network users will connect via the second link.

junshah22 Sun, 07/26/2009 - 05:56

When I shut down the fa0/0 interface pointing to the general Internet, my remote client VPN connects successfully and works fine.

As soon as I bring the fa0/0 interface up, the VPN doesn't connect.

Please Advise

Regards,

Junaid

Marwan ALshawi Sun, 07/26/2009 - 14:05

This is happening because the traffic is not using the correct interface with the crypto map,

because you have:

ip route 0.0.0.0 0.0.0.0 192.168.95.1

ip route 0.0.0.0 0.0.0.0 58.27.232.17 10

The one with metric 10 will not be used unless the first one is down, which is the case you tried.

Try to add something like

ip route 192.168.55.0 255.255.255.0 58.27.232.17

If that did not work, reverse the ip route config:

ip route 0.0.0.0 0.0.0.0 192.168.95.1 10

ip route 0.0.0.0 0.0.0.0 58.27.232.17

But make sure that the remote client will connect to the right interface (incoming traffic).

good luck

Hope this helps
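To make the route selection described in this reply concrete, here is a small Python model added by the editor; it is not code from the thread or from Cisco. It takes the interface names, next hops and VPN pool range from the posted config, simplifies IOS forwarding to "longest prefix wins, and only the lowest administrative distance for a given prefix is installed", and treats shutting Fa0 as withdrawing its default route; whether a reply "hits the crypto map" here means only that it leaves through the interface carrying `crypto map clientmap`.

```python
import ipaddress

# Only FastEthernet1 carries "crypto map clientmap" in the posted config.
CRYPTO_MAP_INTERFACES = {"FastEthernet1"}


class Rib:
    """Tiny routing table: longest prefix match; lowest admin distance installed."""

    def __init__(self):
        self.routes = {}  # network -> (admin distance, next hop, egress interface)

    def add(self, prefix, next_hop, iface, distance=1):
        net = ipaddress.ip_network(prefix)
        current = self.routes.get(net)
        # A floating static (higher AD) is held back while the primary route exists.
        if current is None or distance < current[0]:
            self.routes[net] = (distance, next_hop, iface)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, (_, next_hop, iface) in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)
        return None if best is None else (best[1], best[2])


def build_rib(fa0_up=True, pool_route=False):
    """Routes from the posted config; fa0_up=False models 'shutdown' on Fa0."""
    rib = Rib()
    if fa0_up:
        rib.add("0.0.0.0/0", "192.168.95.1", "FastEthernet0", distance=1)
    rib.add("0.0.0.0/0", "58.27.232.17", "FastEthernet1", distance=10)
    rib.add("192.168.1.0/24", "192.168.74.2", "Vlan1")
    if pool_route:  # the specific route suggested in the reply above
        rib.add("192.168.55.0/24", "58.27.232.17", "FastEthernet1")
    return rib


def vpn_reply_path(fa0_up=True, pool_route=False):
    """Egress interface for a reply to a client in ippool, and whether it hits the crypto map."""
    iface = build_rib(fa0_up, pool_route).lookup("192.168.55.150")[1]
    return iface, iface in CRYPTO_MAP_INTERFACES


if __name__ == "__main__":
    for fa0_up, pool_route in ((True, False), (False, False), (True, True)):
        iface, encrypted = vpn_reply_path(fa0_up, pool_route)
        print(f"Fa0 up={fa0_up}, pool route={pool_route}: reply via {iface}, "
              f"{'hits crypto map' if encrypted else 'bypasses crypto map'}")
```

With Fa0 up and no pool route, replies to the pool follow the AD-1 default out Fa0 and never reach the crypto map, which matches the "works only when fa0/0 is shut" symptom.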

junshah22 Sun, 07/26/2009 - 21:11

How can I add a static route while it is directly connected?

I mean, my fa0/0 interface IP is 192.168.95.65/24 and the DSL modem IP is 192.168.95.1,

so it is a directly connected network.

The same is the case for the second Internet link.

Did you provide an example of ip route 192.168.55.0 255.255.255.0 58.27.232.17?

Because 55.0 is assigned to ippool.

Marwan ALshawi Sun, 07/26/2009 - 21:24

All you need to do is to make sure your incoming and outgoing VPN traffic are using the interface that has the crypto map.

Just use the other option I gave above.

junshah22 Mon, 07/27/2009 - 20:39

Nope,

it's not working. When I reverse the routes, my VPN connects but doesn't work; secondly, my Internet on fa0 goes DOWN.

Please advise

junshah22 Mon, 07/27/2009 - 20:57

Please check my current configuration...

version 12.4
no service password-encryption
!
hostname MTL-1811
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1xxxxxxxxxxxxxxxxxxI/
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
ip cef
!
ip domain name millat.com.pk
ip name-server 10.16.6.11
ip name-server 10.16.7.12
ip name-server 203.99.163.240
!
username Junaid privilege 15 secret 5 $1$Xxxxxxxxxxxxxxxxxp0
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 58.27.233.210 no-xauth
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 192.168.1.17
 wins 192.168.1.17
 domain millat.com.pk
 pool ippool
 acl 111
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
 ! Incomplete
 set peer 58.27.233.210
 set transform-set myset
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0
 ip address 192.168.95.65 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address 58.27.232.18 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface FastEthernet2
!
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 ip address 192.168.74.1 255.255.255.0
 ip access-group Internet in
 ip nat inside
 ip virtual-reassembly
 ip policy route-map send_vpn
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool ippool 192.168.55.100 192.168.55.200
ip route 0.0.0.0 0.0.0.0 192.168.95.1
ip route 58.27.232.16 255.255.255.248 192.168.55.0
ip route 192.168.1.0 255.255.255.0 192.168.74.2
ip route 192.168.2.0 255.255.255.0 192.168.74.2
ip route 192.168.3.0 255.255.255.0 192.168.74.2
ip route 192.168.4.0 255.255.255.0 192.168.74.2
ip route 192.168.5.0 255.255.255.0 192.168.74.2
ip route 192.168.6.0 255.255.255.0 192.168.74.2
ip route 192.168.7.0 255.255.255.0 192.168.74.2
ip route 192.168.8.0 255.255.255.0 192.168.74.2
ip route 192.168.9.0 255.255.255.0 192.168.74.2
ip route 192.168.10.0 255.255.255.0 192.168.74.2
ip route 192.168.11.0 255.255.255.0 192.168.74.2
ip route 192.168.12.0 255.255.255.0 192.168.74.2
!
ip http server
no ip http secure-server
ip nat inside source list deny_vpn_go_nat interface FastEthernet0 overload
ip nat inside source route-map send_vpn interface FastEthernet1 overload
ip nat inside source static tcp 192.168.74.1 23 interface FastEthernet1 23
!
ip access-list extended Internet
 permit ip 192.168.74.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.11.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip any host 203.215.177.36
 permit ip host 192.168.10.40 any
 permit ip 192.168.12.0 0.0.0.255 any
 permit ip host 192.168.5.10 host 67.59.144.177
ip access-list extended deny_vpn_go_nat
 deny ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255
 deny ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 any
 permit ip any any
ip access-list extended id_vpn
 permit ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 111 permit ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
!
route-map send_vpn permit 10
 match ip address id_vpn
 set ip next-hop 58.27.232.17
!
webvpn context Default_context
 ssl authenticate verify all
 no inservice
!
end

junshah22 Tue, 07/28/2009 - 03:06

Please see my network diagram; hopefully, this will help you people to better understand.

Please look at my diagram and configuration in the above post and advise.

Regards,

Junaid
