07-25-2009 05:02 AM - edited 03-04-2019 05:32 AM
Dear All,
I am trying to configure my Cisco 1811 router; it has 2 Ethernet WAN ports + 8 L2 ports.
Both Internet links are working but the VPN is not connecting. Please look into my config:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname MTL-1811
boot-start-marker
boot-end-marker
!
enable secret 5 $1xxxxxxxxxxxxxxxxxxxxxxI/
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
resource policy
ip cef
!
ip domain name millat.com.pk
ip name-server 10.16.6.11
ip name-server 10.16.7.12
ip name-server 203.99.163.240
!
username Junaid privilege 15 secret 5 $1xxxxxxxx
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 55.55.55.210 no-xauth
!
crypto isakmp client configuration group vpnclient
key cisco123
dns 192.168.1.17
wins 192.168.1.17
domain millat.com.pk
pool ippool
acl id_vpn
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
! Incomplete
set peer 55.55.55.210
set transform-set myset
match address lana_to_lanb
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0
ip address 192.168.95.65 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
ip address 55.66.77.88 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface Vlan1
ip address 192.168.74.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map send_vpn
!
interface Async1
no ip address
encapsulation slip
!
ip local pool ippool 192.168.55.100 192.168.55.200
ip route 0.0.0.0 0.0.0.0 192.168.95.1
ip route 0.0.0.0 0.0.0.0 58.27.232.17 10
ip route 192.168.1.0 255.255.255.0 192.168.74.2
no ip http server
no ip http secure-server
ip nat inside source list 110 interface FastEthernet0 overload
ip nat inside source route-map send_vpn interface FastEthernet1 overload
ip nat inside source static tcp 192.168.74.1 23 interface FastEthernet1 23
!
ip access-list extended lana_to_lanb
!
access-list 110 deny ip 192.168.1.0 0.0.0.255 any
access-list 110 deny ip 192.168.55.0 0.0.0.255 any
access-list 110 permit ip any any
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 111 permit ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any eq isakmp any
access-list 111 permit udp any eq non500-isakmp any
access-list 111 permit esp any any
!
route-map send_vpn permit 10
match ip address id_vpn
set ip next-hop 58.27.232.17
07-25-2009 06:39 AM
What is not working?
Why do you use a policy map?
Also, I can't see a NAT exemption for traffic going to 192.168.100 - 200, your pool range?
One more thing: if you are using remote access VPN, why did you specify a peer address?
07-25-2009 07:10 AM
Remote client VPN not working.
I will use two VPNs: one for remote clients and the other one for my other site, site-to-site.
I used a policy map for restricting VPN traffic to only one connection;
other network users will connect via the second link.
07-26-2009 05:56 AM
When I shut down the fa0/0 interface pointing to the general Internet, my remote client VPN connects successfully and works fine.
As soon as I bring the fa0/0 interface UP, the VPN doesn't connect.
Please advise.
Regards,
Junaid
07-26-2009 02:05 PM
This is happening because the traffic is not using the correct interface with the crypto map,
because you have:
ip route 0.0.0.0 0.0.0.0 192.168.95.1
ip route 0.0.0.0 0.0.0.0 58.27.232.17 10
The one with the metric 10 will not be used unless the first one is down, which is the case you tried.
Try to add something like:
ip route 192.168.55.0 255.255.255.0 58.27.232.17
If that did not work, reverse the ip route config:
ip route 0.0.0.0 0.0.0.0 192.168.95.1 10
ip route 0.0.0.0 0.0.0.0 58.27.232.17
But make sure that the remote client will connect to the right interface (incoming traffic).
Good luck.
Hope this helps.
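To show why the second default route never carries the VPN client traffic while FastEthernet0 is up, here is an added Python model of IOS static-route selection (longest prefix match, then lowest administrative distance) run over the routes quoted in this thread. It is not part of the original posts; the next-hop-to-interface mapping and the sample client address 192.168.55.150 are constructed from the addresses in the thread.

```python
import ipaddress

# Static routes from the thread's config as (prefix, mask, next_hop, admin_distance).
# In IOS the trailing number on a static route is the administrative distance (AD),
# not a metric: only the lowest-AD route for a prefix is installed in the RIB.
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.95.1", 1),    # primary default via DSL modem (Fa0, no crypto map)
    ("0.0.0.0", "0.0.0.0", "58.27.232.17", 10),   # floating default via Fa1 (crypto map applied)
    ("192.168.1.0", "255.255.255.0", "192.168.74.2", 1),
]

# Constructed from the interface addresses in the thread: which next hop is behind which interface.
NEXT_HOP_IFACE = {
    "192.168.95.1": "FastEthernet0",
    "58.27.232.17": "FastEthernet1",
    "192.168.74.2": "Vlan1",
}

def installed_routes(routes, up_next_hops):
    """Model the RIB: per prefix keep only the lowest-AD route whose next hop is reachable."""
    best = {}
    for prefix, mask, nh, ad in routes:
        if nh not in up_next_hops:          # interface shut -> its static routes drop out
            continue
        net = ipaddress.ip_network(f"{prefix}/{mask}")
        if net not in best or ad < best[net][1]:
            best[net] = (nh, ad)
    return best

def lookup(rib, dst):
    """Longest-prefix match over installed routes; returns (next_hop, egress_interface) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, (nh, _) in rib.items() if addr in net]
    if not matches:
        return None
    net, nh = max(matches, key=lambda m: m[0].prefixlen)
    return nh, NEXT_HOP_IFACE[nh]

def egress_for_vpn_client(routes, fa0_up=True):
    """Egress interface for traffic back to a VPN client in the 192.168.55.x pool."""
    up = {"58.27.232.17", "192.168.74.2"} | ({"192.168.95.1"} if fa0_up else set())
    return lookup(installed_routes(routes, up), "192.168.55.150")[1]

if __name__ == "__main__":
    print("both links up :", egress_for_vpn_client(ROUTES))             # FastEthernet0, misses the crypto map
    print("Fa0 shut      :", egress_for_vpn_client(ROUTES, fa0_up=False))  # FastEthernet1, VPN works
    pool_route = ("192.168.55.0", "255.255.255.0", "58.27.232.17", 1)   # the specific route suggested above
    print("with pool rte :", egress_for_vpn_client(ROUTES + [pool_route]))  # FastEthernet1 with Fa0 up
```

The more specific /24 for the client pool wins longest-prefix match regardless of which default is installed, which is why it works without shutting FastEthernet0.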
07-26-2009 09:11 PM
How can I add a static route while it is directly connected?
I mean, my fa0/0 interface IP is 192.168.95.65/24 and the DSL modem IP is 192.168.95.1,
so it is a directly connected network.
The same in the case of the second Internet link.
Did you provide an example of "ip route 192.168.55.0 255.255.255.0 58.27.232.17"
because 55.0 is assigned to ippool?
07-26-2009 09:24 PM
All you need to do is make sure your incoming and outgoing VPN traffic use the interface that has the crypto map.
Just use the other option I gave above.
07-27-2009 08:39 PM
Nope,
it's not working. When I reverse the routes, my VPN connects but doesn't work; secondly, my Internet on fa0 goes DOWN.
Please advise.
07-27-2009 08:57 PM
Please check my current configuration...
version 12.4
no service password-encryption
!
hostname MTL-1811
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1xxxxxxxxxxxxxxxxxxI/
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
ip cef
!
ip domain name millat.com.pk
ip name-server 10.16.6.11
ip name-server 10.16.7.12
ip name-server 203.99.163.240
!
username Junaid privilege 15 secret 5 $1$Xxxxxxxxxxxxxxxxxp0
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 58.27.233.210 no-xauth
!
crypto isakmp client configuration group vpnclient
key cisco123
dns 192.168.1.17
wins 192.168.1.17
domain millat.com.pk
pool ippool
acl 111
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
! Incomplete
set peer 58.27.233.210
set transform-set myset
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0
ip address 192.168.95.65 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
ip address 58.27.232.18 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface FastEthernet2
!
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
ip address 192.168.74.1 255.255.255.0
ip access-group Internet in
ip nat inside
ip virtual-reassembly
ip policy route-map send_vpn
!
interface Async1
no ip address
encapsulation slip
!
ip local pool ippool 192.168.55.100 192.168.55.200
ip route 0.0.0.0 0.0.0.0 192.168.95.1
ip route 58.27.232.16 255.255.255.248 192.168.55.0
ip route 192.168.1.0 255.255.255.0 192.168.74.2
ip route 192.168.2.0 255.255.255.0 192.168.74.2
ip route 192.168.3.0 255.255.255.0 192.168.74.2
ip route 192.168.4.0 255.255.255.0 192.168.74.2
ip route 192.168.5.0 255.255.255.0 192.168.74.2
ip route 192.168.6.0 255.255.255.0 192.168.74.2
ip route 192.168.7.0 255.255.255.0 192.168.74.2
ip route 192.168.8.0 255.255.255.0 192.168.74.2
ip route 192.168.9.0 255.255.255.0 192.168.74.2
ip route 192.168.10.0 255.255.255.0 192.168.74.2
ip route 192.168.11.0 255.255.255.0 192.168.74.2
ip route 192.168.12.0 255.255.255.0 192.168.74.2
!
ip http server
no ip http secure-server
ip nat inside source list deny_vpn_go_nat interface FastEthernet0 overload
ip nat inside source route-map send_vpn interface FastEthernet1 overload
ip nat inside source static tcp 192.168.74.1 23 interface FastEthernet1 23
!
ip access-list extended Internet
permit ip 192.168.74.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 192.168.11.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip any host 203.215.177.36
permit ip host 192.168.10.40 any
permit ip 192.168.12.0 0.0.0.255 any
permit ip host 192.168.5.10 host 67.59.144.177
ip access-list extended deny_vpn_go_nat
deny ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255
deny ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 any
permit ip any any
ip access-list extended id_vpn
permit ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 111 permit ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
!
route-map send_vpn permit 10
match ip address id_vpn
set ip next-hop 58.27.232.17
webvpn context Default_context
ssl authenticate verify all
no inservice
end
07-28-2009 03:06 AM