cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1900
Views
0
Helpful
6
Replies

VPN connecion works but cannot access resources behind VPN server

CSCO11058275
Level 1
Level 1

Hello,

I have a Cisco 1801 router and recently I configure it as VPN server. I use a Cisco VPN client to connect and the VPN connection works just fine. But the problem is that I cannot access the resources behind the VPN server (the Cisc router) so the VPN tunnel is pointless at the moment. I looked over and over at the configuration and I don't see where the issue is. I hope someone can give he a hand with this. Here is my router configuration:

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

enable secret 5 $1$1LLX$u7aTc8XfNqPZhPVGwEF/J0

enable password passwordxxxxx

!

aaa new-model

!

!

aaa authentication login userAuthen local

aaa authorization network groupauthor local

!

!

aaa session-id common

!

crypto pki trustpoint TP-self-signed-1279712955

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1279712955

revocation-check none

rsakeypair TP-self-signed-1279712955

!

!

crypto pki certificate chain TP-self-signed-1279712955

certificate self-signed 01 nvram:IOS-Self-Sig#1.cer

dot11 syslog

ip source-route

!

!

ip dhcp excluded-address 192.168.0.1 192.168.0.10

!

ip dhcp pool MYDHCPPOOL

network 192.168.0.0 255.255.255.0

default-router 192.168.0.1

dns-server 87.216.1.65 87.216.1.66

!

!

ip cef

ip name-server 87.216.1.65

ip name-server 87.216.1.66

ip ddns update method mydyndnsupdate

HTTP

add http://username:password@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>

interval maximum 1 0 0 0

!

no ipv6 cef

!

multilink bundle-name authenticated

!

vpdn enable

!

vpdn-group pppoe

request-dialin

protocol pppoe

!

!

!

username admin privilege 15 password 0 admin

!

!

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

crypto isakmp fragmentation

!

crypto isakmp client configuration group vpnclient

key cisco123

dns 87.216.1.65

domain selfip.net

pool ippool

!

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

reverse-route

!

!

crypto map clientmap client authentication list userAuthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

archive

log config

hidekeys

!

!

!

!

!

interface Loopback0

ip address 10.11.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0

ip address 192.168.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

duplex auto

speed auto

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

!

interface FastEthernet1

!

interface FastEthernet2

switchport access vlan 2

!

interface FastEthernet3

!

interface FastEthernet4

!

interface FastEthernet5

!

interface FastEthernet6

!

interface FastEthernet7

!

interface FastEthernet8

!

interface ATM0

no ip address

no atm ilmi-keepalive

pvc 8/35

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

bundle-enable

dsl operating-mode auto

!

interface Vlan1

no ip address

!

interface Dialer1

ip ddns update hostname myserver.selfip.net

ip ddns update mydyndnsupdate host members.dyndns.org

ip address negotiated

ip nat outside

ip virtual-reassembly

encapsulation ppp

ip policy route-map VPN-Client

dialer pool 1

ppp chap hostname xxxxxxx@xxx

ppp chap password 0 yyyyyyy

ppp pap sent-username xxxxxxx@xxx password 0 yyyyyyyy

crypto map clientmap

!

ip local pool ippool 192.168.50.100 192.168.50.200

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer1

ip http server

ip http authentication local

ip http secure-server

!

!

ip nat inside source list 1 interface Dialer1 overload

ip nat inside source static tcp 192.168.0.2 80 interface Dialer1 788

ip nat inside source static tcp 192.168.0.2 21 interface Dialer1 790

ip nat inside source list 101 interface Dialer1 overload

ip nat inside source static tcp 192.168.0.15 21 interface Dialer1 789

!

access-list 1 permit 192.168.0.0 0.0.0.255

access-list 101 permit ip any any

access-list 144 permit ip 192.168.50.0 0.0.0.255 any

!

!

!

!

route-map VPN-Client permit 10

match ip address 144

set ip next-hop 10.11.0.2

!

!

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

privilege level 15

password xxxxxxx 7

transport input telnet ssh

!

end

Thank you!

2 Accepted Solutions

Accepted Solutions

The deny statement needs to be above the permit statement on your ACL 101.

Currently you have the following:

access-list 101 permit ip any any
access-list 101 deny   ip  192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255

I would suggest you configure the following:

access-list 102 deny   ip  192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255

access-list 102 permit ip 192.168.0.0 0.0.0.255


ip nat inside source list 102 interface Dialer1 overload

no ip nat inside source list 101 interface Dialer1 overload

Please clear the existing translation table so the new one takes effect:

clear ip nat trans *

Hope that helps.

View solution in original post

Yes, you are missing the split tunnel for your vpn client configuration.

Here is for internet access from the vpn connection:

access-list 110 permit ip  192.168.0.0 0.0.0.255 192.168.50.0  0.0.0.255

crypto isakmp client configuration group vpnclient

     acl 110

You would need to disconnect if you are current connected to your VPN, and reconnect for the above settings to take effect.

Hope that helps.

View solution in original post

6 Replies 6

Jennifer Halim
Cisco Employee
Cisco Employee

You would need to configure NAT exemption for the VPN traffic.

Currently you have 2 NAT statements which serve the same purpose:

ip nat inside source list 1 interface Dialer1 overload

ip nat inside source list 101 interface Dialer1 overload

I would recommend removing the first line as follows:

no ip nat inside source list 1 interface Dialer1 overload

And for the access list on the second line, add the following:

ip access-list extended 101

     5 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255

Thank you for your reply. Unfortunately it still doesn't work. Here are is the ACL after modiufications:

ip nat inside source list 101 interface Dialer1 overload
!
access-list 101 permit ip any any
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 144 permit ip 192.168.50.0 0.0.0.255 any

Any other suggestions?

Thank you!

The deny statement needs to be above the permit statement on your ACL 101.

Currently you have the following:

access-list 101 permit ip any any
access-list 101 deny   ip  192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255

I would suggest you configure the following:

access-list 102 deny   ip  192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255

access-list 102 permit ip 192.168.0.0 0.0.0.255


ip nat inside source list 102 interface Dialer1 overload

no ip nat inside source list 101 interface Dialer1 overload

Please clear the existing translation table so the new one takes effect:

clear ip nat trans *

Hope that helps.

Hi,

Thank you for your post. That worked but now I don't have access to Internet when I am connected through VPN (before I could). So something else is missing. I will look through the configuration again but if you know why I have this issue I would love to hear your opinion.

Thank you!

Yes, you are missing the split tunnel for your vpn client configuration.

Here is for internet access from the vpn connection:

access-list 110 permit ip  192.168.0.0 0.0.0.255 192.168.50.0  0.0.0.255

crypto isakmp client configuration group vpnclient

     acl 110

You would need to disconnect if you are current connected to your VPN, and reconnect for the above settings to take effect.

Hope that helps.

That's it. It works !!!!!!!! Thank you very much for your help. I really appreciate it.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: