Easy VPN server on Cisco 857 not working for remote desktop client

Unanswered Question
Nov 24th, 2009

Hi All,

Long time reader, first time poster here.  I have configured a Cisco 857 for internet access and as a remote Easy VPN Server.  The internet portion works fine, however I am having difficulty getting my Easy VPN Remote desktop client to connect properly.

The remote client can authenticate and connect without difficulty.  It is issued an IP address from the address pool that I have specified.  However, ping only works on a haphazard basis and when I do get a reply, the reply is from the outside interface, not from the IP address I specified.  An ipconfig on the remote PC shows that I have been issued an IP address from the VPN pool, but no default gateway.  tracert shows that the next hop router is the interface of the Cisco 857 router acting as an Easy VPN server.  But if I tracert another internal IP address, it is simply lost with nowhere to go.

I have gone through countless examples and troubleshooting.  However there is something here that I am just missing.

I want my remote desktop PC to become part of the inside network.

Points to note:

Internal IP address subnet   192.168.1.0/24
Default-router               192.168.1.253
VPN pool subnet              192.168.99.10 to 192.168.99.20

Configuration shown below and attached.

service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ****Sydney
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
no logging console
enable secret 5 *****
!
aaa new-model
!
!
aaa authentication login ezvpnauth local
aaa authorization network ezvpnnetwork local
!
!
aaa session-id common
clock timezone cst 10
clock summer-time cdt recurring
!
crypto pki trustpoint TP-self-signed-3889388268
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3889388268
 revocation-check none
 rsakeypair TP-self-signed-3889388268
!
!
crypto pki certificate chain TP-self-signed-3889388268
 certificate self-signed 01
  3082025A 308201C3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33383839 33383832 3638301E 170D3032 30333031 30303139
  33355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38383933
  38383236 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  810097D7 8B3DB947 C303E99F 0488EDCF A1C309EC BC899416 B6F0ACFB EF333A1C
  7E6DDBBB F7FC2F62 50A28EC8 8AF0990F 3153F868 9F3E45B7 85291FDA 593E4F44
  6C1C0740 08847090 9ED7EC04 2E08307C 149088AD 58EE21AD F3C14728 46F4772D
  A9545A3A 582DAEBA EB60EDA7 1AB05EFE C8D34759 4A442C1D 29BFBC00 53778D86
  772D0203 010001A3 8181307F 300F0603 551D1301 01FF0405 30030101 FF302C06
  03551D11 04253023 82214869 746F7271 75655379 646E6579 2E646972 6563742E
  74656C73 7472612E 6E657430 1F060355 1D230418 30168014 D3C9F440 91F5B2B1
  94422CC6 218578CD 6B0733EC 301D0603 551D0E04 160414D3 C9F44091 F5B2B194
  422CC621 8578CD6B 0733EC30 0D06092A 864886F7 0D010104 05000381 81008D66
  EA3B530A 852A5227 1BF23893 6DE80182 D3C615C6 9CA46F3A CE5B49A1 4B157DC9
  13547593 AE978AF3 13959457 7FE27305 C2EAC2EC 782FD287 FA797C37 16DA63F3
  47439441 3BF89EFA 72D055A0 70CB7211 13440993 A6F5D3F0 41F1B08D AF53E380
  10D0A0EE BD9CC865 42B05AF8 85B76313 CB79FD9A 27F8ECBD 9B22FEE3 E468
        quit
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.253
!
ip dhcp pool CUSTOMER_LAN_POOL
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.253
   dns-server 203.50.2.71 139.130.4.4
!
!
ip cef
no ip bootp server
ip domain name direct.telstra.net
ip name-server 203.50.2.71
ip name-server 139.130.4.4
!
!
!
username admin privilege 15 secret 5 ****
username chris privilege 15 password ****
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 group 2
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group EZVPNgroup
 key cisco123
 pool ezvpnpool
 acl SPLIT_TUNNEL
 max-logins 5
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ezvpn_transform esp-3des esp-sha-hmac
!
crypto dynamic-map ezvpn-dymap 1
 set transform-set ezvpn_transform
 reverse-route
!
!
crypto map MYCMAP client authentication list ezvpnauth
crypto map MYCMAP isakmp authorization list ezvpnnetwork
crypto map MYCMAP client configuration address respond
crypto map MYCMAP 65535 ipsec-isakmp dynamic ezvpn-dymap
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
!
!
interface ATM0
 no ip address
 no ip route-cache cef
 no ip route-cache
 load-interval 30
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description CUSTOMER_LOCAL_LAN
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
!
interface Vlan2
 no ip address
 no ip route-cache cef
!
interface Dialer0
 description ADSL Link FNN N****R
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname [email protected]
 ppp chap password 7 ****
 crypto map MYCMAP
!
ip local pool ezvpnpool 192.168.99.10 192.168.99.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http access-class 22
ip http authentication local
ip http secure-server
ip nat inside source list 22 interface Dialer0 overload
!
ip access-list extended SPLIT_TUNNEL
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.99.0 0.0.0.255 any
!
access-list 22 permit 192.168.1.0 0.0.0.255
no cdp run
!
control-plane
!
banner login ^C
***********************************************************************
* Access to this computer system is limited to authorised users only. *
* Unauthorised users may be subject to prosecution under the Crimes   *
*                       Act or State legislation                      *
*                                                                     *
* Please note, ALL CUSTOMER DETAILS are confidential and must         *
*                         not be disclosed.                           *
***********************************************************************
^C
!
line con 0
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 2
 access-class 22 in
 exec-timeout 20 0
 transport input telnet
line vty 3 4
 access-class 22 in
 exec-timeout 20 0
 transport input ssh
!
scheduler max-task-time 5000
end

****Sydney#
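An added check, written for this page and not part of the question or of any reply to it: the symptom described above (replies to the VPN client arriving from the outside interface address) is the one produced when the NAT source list on an IOS router also matches LAN-to-VPN-pool traffic, because inside-to-outside NAT is applied before the crypto map on the outside interface encrypts the packet, so the reply is translated to the Dialer0 address and never enters the tunnel. The Python script below reads a constructed excerpt of the posted configuration (pool, NAT statement, ACL 22 and the two NAT interfaces, as posted), evaluates the NAT ACL the way IOS does (first match, implicit deny) for traffic from a LAN host to each address in the pool, and reports every pool address that would be translated. It then runs the same check against a second, constructed variant in which the NAT list is an extended ACL (the name NAT_INSIDE is hypothetical) that denies LAN-to-pool traffic before the translation entry, which is the exemption a reviewer would look for. Nothing here is the router's own output; the IOS ordering of NAT before encryption is the assumption the check rests on.

```python
"""Check whether a Cisco IOS NAT source list would translate traffic from
the LAN to Easy VPN client addresses.  Inside-to-outside NAT runs before
the crypto map on the outside interface encrypts, so a NAT ACL that
permits LAN-to-pool traffic sends replies out with the outside address."""
import ipaddress
import re

ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed excerpt of the posted configuration: only the lines this
# check reads (pool, NAT statement, NAT ACL and interfaces, as posted).
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip nat outside
!
ip local pool ezvpnpool 192.168.99.10 192.168.99.20
ip nat inside source list 22 interface Dialer0 overload
!
access-list 22 permit 192.168.1.0 0.0.0.255
"""

# Same excerpt with the NAT list swapped for an extended ACL (hypothetical
# name NAT_INSIDE) that exempts LAN-to-pool traffic before translating.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "source list 22 interface", "source list NAT_INSIDE interface"
).replace(
    "access-list 22 permit 192.168.1.0 0.0.0.255",
    "ip access-list extended NAT_INSIDE\n"
    " deny ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255\n"
    " permit ip 192.168.1.0 0.0.0.255 any",
)

def take_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A', 'A wildcard' or bare 'A'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) > 1 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", tokens[1]):
        # IOS wildcard mask is the inverse of a subnet mask
        mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)
        return ipaddress.IPv4Network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]
    return ipaddress.IPv4Network(tokens[0] + "/32"), tokens[1:]

def parse_acl(config, acl_id):
    """Ordered (action, src_net, dst_net) entries of a numbered standard ACL
    or a named extended ACL; a standard entry matches any destination."""
    entries = []
    for m in re.finditer(rf"^access-list {re.escape(acl_id)} (permit|deny) (.+)$", config, re.M):
        entries.append((m.group(1), take_addr(m.group(2).split())[0], ANY))
    block = re.search(rf"^ip access-list extended {re.escape(acl_id)}\n((?: .*\n)+)", config, re.M)
    for line in block.group(1).splitlines() if block else []:
        tokens = line.split()
        if tokens and tokens[0] in ("permit", "deny"):
            src, rest = take_addr(tokens[2:])  # tokens[1] is the protocol
            entries.append((tokens[0], src, take_addr(rest)[0]))
    return entries

def first_match(entries, src, dst):
    """First-match ACL evaluation, with the implicit deny IOS appends."""
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def parse_local_pools(config):
    """Map pool name -> (first, last) address from 'ip local pool' lines."""
    return {name: (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
            for name, first, last in re.findall(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M)}

def inside_networks(config):
    """Subnets of every interface configured with 'ip nat inside'."""
    nets = []
    for block in re.split(r"^interface ", config, flags=re.M)[1:]:
        body = block.split("\n!")[0]
        addr = re.search(r"^ ip address (\S+) (\S+)$", body, re.M)
        if addr and re.search(r"^ ip nat inside$", body, re.M):
            nets.append(ipaddress.IPv4Network(f"{addr.group(1)}/{addr.group(2)}", strict=False))
    return nets

def nat_translates_pool(config):
    """(nat_acl, pool, address) for each pool address the NAT list would translate."""
    findings = []
    pools, lans = parse_local_pools(config), inside_networks(config)
    for acl_id, _iface in re.findall(r"^ip nat inside source list (\S+) interface (\S+)", config, re.M):
        entries = parse_acl(config, acl_id)
        for pool_name, (first, last) in pools.items():
            for lan in lans:
                for n in range(int(first), int(last) + 1):
                    dst = ipaddress.IPv4Address(n)
                    if first_match(entries, lan[1], dst) == "permit":  # lan[1]: a LAN host
                        findings.append((acl_id, pool_name, str(dst)))
    return findings

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with NAT exemption", FIXED_CONFIG)):
        hits = nat_translates_pool(cfg)
        print(f"{label}: {len(hits)} pool address(es) would be NATed", hits[:2])
```

Run against the posted excerpt the check flags all eleven pool addresses, because standard ACL 22 matches by source only and so translates everything a LAN host sends, VPN replies included; against the variant with the deny entry it flags none. Note that ACL 22 is also used for the HTTP and vty access-class in the posted config, so a change to the NAT list should be made on a separate ACL rather than by editing ACL 22 itself.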
