03-20-2010 01:33 AM
Hello,
I have a Cisco 1801 router and recently I configured it as a VPN server. I use a Cisco VPN client to connect and the VPN connection works just fine. But the problem is that I cannot access the resources behind the VPN server (the Cisco router), so the VPN tunnel is pointless at the moment. I looked over and over at the configuration and I don't see where the issue is. I hope someone can give me a hand with this. Here is my router configuration:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$1LLX$u7aTc8XfNqPZhPVGwEF/J0
enable password passwordxxxxx
!
aaa new-model
!
!
aaa authentication login userAuthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1279712955
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1279712955
revocation-check none
rsakeypair TP-self-signed-1279712955
!
!
crypto pki certificate chain TP-self-signed-1279712955
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
ip dhcp pool MYDHCPPOOL
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 87.216.1.65 87.216.1.66
!
!
ip cef
ip name-server 87.216.1.65
ip name-server 87.216.1.66
ip ddns update method mydyndnsupdate
HTTP
add http://username:password@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 1 0 0 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
!
username admin privilege 15 password 0 admin
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp fragmentation
!
crypto isakmp client configuration group vpnclient
key cisco123
dns 87.216.1.65
domain selfip.net
pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list userAuthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
!
!
!
interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet1
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
bundle-enable
dsl operating-mode auto
!
interface Vlan1
no ip address
!
interface Dialer1
ip ddns update hostname myserver.selfip.net
ip ddns update mydyndnsupdate host members.dyndns.org
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip policy route-map VPN-Client
dialer pool 1
ppp chap hostname xxxxxxx@xxx
ppp chap password 0 yyyyyyy
ppp pap sent-username xxxxxxx@xxx password 0 yyyyyyyy
crypto map clientmap
!
ip local pool ippool 192.168.50.100 192.168.50.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.2 80 interface Dialer1 788
ip nat inside source static tcp 192.168.0.2 21 interface Dialer1 790
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.15 21 interface Dialer1 789
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip any any
access-list 144 permit ip 192.168.50.0 0.0.0.255 any
!
!
!
!
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.11.0.2
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password xxxxxxx 7
transport input telnet ssh
!
end
Thank you!
03-20-2010 07:24 PM
You would need to configure NAT exemption for the VPN traffic.
Currently you have 2 NAT statements which serve the same purpose:
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 101 interface Dialer1 overload
I would recommend removing the first line as follows:
no ip nat inside source list 1 interface Dialer1 overload
And for the access list on the second line, add the following:
ip access-list extended 101
5 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
03-21-2010 09:31 AM
Thank you for your reply. Unfortunately it still doesn't work. Here is the ACL after modifications:
ip nat inside source list 101 interface Dialer1 overload
!
access-list 101 permit ip any any
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 144 permit ip 192.168.50.0 0.0.0.255 any
Any other suggestions?
Thank you!
03-21-2010 04:03 PM
The deny statement needs to be above the permit statement on your ACL 101.
Currently you have the following:
access-list 101 permit ip any any
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
I would suggest you configure the following:
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255
ip nat inside source list 102 interface Dialer1 overload
no ip nat inside source list 101 interface Dialer1 overload
Please clear the existing translation table so the new one takes effect:
clear ip nat trans *
Hope that helps.
03-22-2010 11:27 AM
Hi,
Thank you for your post. That worked but now I don't have access to Internet when I am connected through VPN (before I could). So something else is missing. I will look through the configuration again but if you know why I have this issue I would love to hear your opinion.
Thank you!
03-22-2010 01:47 PM
Yes, you are missing the split tunnel for your vpn client configuration.
Here is for internet access from the vpn connection:
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
crypto isakmp client configuration group vpnclient
acl 110
You would need to disconnect if you are currently connected to your VPN, and reconnect for the above settings to take effect.
Hope that helps.
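The two fixes in this thread both come down to how IOS evaluates an access list: first match wins, then an implicit deny. The following Python is an added illustration (not from the thread or from Cisco) that parses the ACL lines posted above and evaluates them the way the NAT and split-tunnel features consume them; ACL 102's permit is written with an explicit "any" destination, and the DNS server address from the config stands in for an arbitrary Internet host.

```python
import ipaddress
ANY = ipaddress.IPv4Network("0.0.0.0/0")

def _net(addr, wildcard):
    """Turn a Cisco 'address wildcard' pair into an IPv4Network (wildcard is the inverse of a mask)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def _take(tok):
    """Consume one address spec ('any' or 'X wildcard') from a token list."""
    if tok[0] == "any":
        return ANY, tok[1:]
    return _net(tok[0], tok[1]), tok[2:]

def parse_acl(lines):
    """Parse numbered 'access-list N permit|deny ...' lines (standard, or extended 'ip') in order."""
    entries = []
    for line in lines:
        tok = line.split()[2:]                 # drop 'access-list' and the list number
        action, tok = tok[0], tok[1:]
        if tok[0] == "ip":                     # extended form: ip <src> <dst>
            tok = tok[1:]
        src, tok = _take(tok)
        dst, _ = _take(tok) if tok else (ANY, [])   # standard ACLs carry no destination
        entries.append((action, src, dst))
    return entries

def acl_permits(entries, src_ip, dst_ip):
    """First-match evaluation with IOS's implicit deny at the end of the list."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action == "permit"
    return False

def will_be_natted(nat_acl, src_ip, dst_ip):
    return acl_permits(nat_acl, src_ip, dst_ip)   # 'ip nat inside source list' translates what its ACL permits

def goes_through_tunnel(split_acl, client_ip, dst_ip):
    """The split-tunnel ACL is written from the server side: source = LAN, destination = client pool."""
    return acl_permits(split_acl, dst_ip, client_ip)

# ACL lines from the thread (constructed list literals; ACL 102's permit given an explicit 'any' destination).
ACL_1_ORIGINAL = ["access-list 1 permit 192.168.0.0 0.0.0.255"]
ACL_101_AS_POSTED = ["access-list 101 permit ip any any",
                     "access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255"]
ACL_102_SUGGESTED = ["access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255",
                     "access-list 102 permit ip 192.168.0.0 0.0.0.255 any"]
ACL_110_SPLIT = ["access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255"]
```

With ACL 1 or the posted ACL 101, a reply from 192.168.0.2 to a VPN client at 192.168.50.100 is translated to the Dialer1 address and never makes it back through the tunnel; with ACL 102 the deny is hit first and the packet is left alone, while Internet-bound traffic is still translated.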
03-22-2010 03:37 PM
That's it. It works!!!!!!!! Thank you very much for your help. I really appreciate it.