VPN Connectivity

darren.crofts
Level 1

Hello,

I have set up a VPN connection to an 877, using the Cisco VPN client. I am able to establish a tunnel and can ping interface Vlan1 on the 877. There is a primary and a secondary address on interface Vlan1, and the server that I need to RDP onto is on the secondary interface address. I am unable to ICMP the server, although from the router I can ICMP the server. I have tried many scenarios; currently the DHCP pool for VPN clients is on the same subnet as the server.

Any ideas?

Darren

7 Replies

Collin Clark
VIP Alumni

Can you post the relevant crypto info from the router(s)?

Hi Collin,

There you go.

Current configuration : 5621 bytes
!
!
boot-start-marker
boot system flash c870-advsecurityk9-mz.124-15.T9.bin
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization exec default local
aaa authorization network groupauthor local
!
!
aaa session-id common
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.1.1 172.16.1.30
ip dhcp excluded-address 172.16.1.65 172.16.1.94
ip dhcp excluded-address 172.16.1.97 172.16.1.126
ip dhcp excluded-address 172.16.1.129 172.16.1.158
ip dhcp excluded-address 172.16.1.161 172.16.1.190
ip dhcp excluded-address 172.16.1.193 172.16.1.222
ip dhcp excluded-address 172.16.1.225 172.16.1.254
!
ip dhcp pool Test
 network 172.16.1.0 255.255.255.0
 dns-server 172.16.1.1
 default-router 172.16.1.1
 lease 3
!
!
ip domain lookup source-interface Vlan1
ip domain name yourdomain.com
ip host test 192.168.1.150
ip name-server 62.24.128.18
ip name-server 62.24.128.17
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group remoteaccess
 key cisco321
 dns 172.16.1.1
 pool remoteaccess
!
!
crypto ipsec transform-set remoteaccess esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 5
 set transform-set remoteaccess
 reverse-route
!
!
crypto map remoteaccess client authentication list userauthen
crypto map remoteaccess isakmp authorization list groupauthor
crypto map remoteaccess client configuration address respond
crypto map remoteaccess 10 ipsec-isakmp dynamic dynmap
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 ip nat outside
 ip virtual-reassembly
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description test LAN
 ip address 192.168.1.1 255.255.255.0 secondary
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address x.x.x. x.x.x.x
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip policy route-map VPN-Client
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname x.x.x.x
 ppp chap password 0 x,x,x,
 crypto map remoteaccess
!
ip local pool remoteaccess 192.168.1.225 192.168.1.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip route 62.24.128.18 255.255.255.255 Dialer0
ip route 172.16.1.50 255.255.255.255 Dialer0
ip route 172.16.1.224 255.255.255.224 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip dns spoofing 172.16.1.1
ip nat inside source list 103 interface Dialer0 overload
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit any log
access-list 101 permit ip any any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 0.0.0.0 255.255.255.248 any
access-list 102 permit ip 172.16.1.0 0.0.0.255 any
access-list 103 permit ip 172.16.1.0 0.0.0.255 any
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit ip 172.16.1.224 0.0.0.31 any
access-list 104 permit ip host 10.1.1.10 any
access-list 104 permit ip host 172.16.1.50 any
access-list 104 permit ip 192.168.1.224 0.0.0.31 any
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map VPN-Client permit 10
 match ip address 104
 set interface Vlan1
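Editor's added example, not part of the thread and not Darren's or Collin's work: a small Python checker that reads the lines of the posted 877 config that matter here and tests for two traps this layout walks into. First, the VPN client pool (192.168.1.225-254) lies inside the Vlan1 secondary subnet, so the server ARPs for a client's address directly and the router has to answer proxy ARP for it (the reverse-route host routes give it the route to do so). Second, NAT ACL 103 has no deny for LAN-to-pool traffic ahead of its permits; on IOS, inside-to-outside NAT runs before IPsec, so a LAN host's reply to a VPN client is translated to the Dialer0 address before it is encrypted, and the client sees a reply from the wrong source. The deny line in FIXED_CONFIG and the .10 "server" address used to probe each inside subnet are assumptions for illustration, not from the thread.

```python
# Editorial example (not from the thread): lint an IOS remote-access VPN config
# for a client pool inside a connected LAN subnet and for a NAT ACL that lacks
# an exemption for traffic towards that pool.
import ipaddress
import re

# Trimmed from the config posted in the thread; only the parts the checks read.
POSTED_CONFIG = """\
interface Vlan1
 ip address 192.168.1.1 255.255.255.0 secondary
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip nat outside
!
ip local pool remoteaccess 192.168.1.225 192.168.1.254
ip nat inside source list 103 interface Dialer0 overload
access-list 103 permit ip 172.16.1.0 0.0.0.255 any
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
"""

# Assumed correction (not from the thread): a deny ahead of the permits keeps
# traffic towards the pool out of NAT. Wildcard 0.0.0.31 is 192.168.1.224/27.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "access-list 103 permit ip 172.16.1.0 0.0.0.255 any",
    "access-list 103 deny ip any 192.168.1.224 0.0.0.31\n"
    "access-list 103 permit ip 172.16.1.0 0.0.0.255 any",
)

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (.+)$")


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are inverted netmasks: 0 bits must match."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _parse_addr(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    """Collect interface subnets and NAT role, local pools, the NAT ACL and ACL entries."""
    cfg = {"interfaces": {}, "pools": {}, "nat_acl": None, "acls": {}}
    current = None  # interface block we are inside, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "!":
            current = None
            continue
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split()[1]
            cfg["interfaces"][current] = {"networks": [], "nat": None}
            continue
        tok = line.split()
        if line.startswith(" ") and current:
            iface = cfg["interfaces"][current]
            if tok[:2] == ["ip", "address"] and len(tok) >= 4:
                iface["networks"].append(ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False))
            elif tok[:2] == ["ip", "nat"]:
                iface["nat"] = tok[2]
        elif tok[:3] == ["ip", "local", "pool"]:
            cfg["pools"][tok[3]] = (ipaddress.IPv4Address(tok[4]), ipaddress.IPv4Address(tok[5]))
        elif tok[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["nat_acl"] = tok[5]
        else:
            m = ACL_RE.match(line)
            if m:
                src, rest = _parse_addr(m.group(3).split())
                dst, _ = _parse_addr(rest)
                cfg["acls"].setdefault(m.group(1), []).append((m.group(2), src, dst))
    return cfg


def acl_action(entries, src_ip, dst_ip):
    """First-match evaluation of an extended ACL, with the implicit deny at the end."""
    src_ip, dst_ip = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in entries:
        if src_ip in src and dst_ip in dst:
            return action
    return "deny"


def pool_inside_lan(cfg, pool):
    """Return (interface, subnet) if the whole pool lies in a connected subnet, else None."""
    start, end = cfg["pools"][pool]
    for name, iface in cfg["interfaces"].items():
        for net in iface["networks"]:
            if start in net and end in net:
                return name, str(net)
    return None


def lan_to_pool_is_natted(cfg, pool):
    """True if a LAN host's reply to a VPN client hits a permit in the NAT ACL.

    The .10 address of each 'ip nat inside' subnet stands in for the server (assumption).
    """
    client = cfg["pools"][pool][0]
    entries = cfg["acls"].get(cfg["nat_acl"], [])
    for iface in cfg["interfaces"].values():
        if iface["nat"] != "inside":
            continue
        for net in iface["networks"]:
            if acl_action(entries, net.network_address + 10, client) == "permit":
                return True
    return False


def audit(text, pool="remoteaccess"):
    """Return the list of findings for one config text."""
    cfg = parse_config(text)
    findings = []
    hit = pool_inside_lan(cfg, pool)
    if hit:
        findings.append(f"pool {pool} lies inside {hit[1]} on {hit[0]}: LAN hosts ARP for "
                        "client addresses, so the router must proxy-ARP for them")
    if lan_to_pool_is_natted(cfg, pool):
        findings.append(f"NAT ACL {cfg['nat_acl']} translates LAN -> pool traffic before "
                        "IPsec; add a deny for the pool ahead of the permits")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(text) or ["no findings"])
```

Against the posted lines the checker reports both findings; against FIXED_CONFIG only the overlap remains, which is a design choice rather than a fault as long as proxy ARP is on for Vlan1. It does not prove what is breaking Darren's RDP, it only narrows what to look at on the router: `show ip nat translations` while a client pings the server, `show ip arp` for the client address, and `show crypto ipsec sa` to see whether the reply packets are being encrypted at all.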

I don't see your crypto ACL, but does it include the secondary IP subnets?

Hi Collin,

I have pasted all my config. I thought the route map would do the same thing as the crypto ACL for the interesting traffic.

Darren.

Cool, I've never used a route map for it. Anyway, you're encrypting all traffic to the remote site, correct? The tunnel is up and working except for the secondary subnets, correct?

Hi Collin,

That's right. Very weird problems.

Darren.

Darren-

I need a day or two to lab it up and test. If you need this quicker than that, you might want to re-post or open a TAC case.
