cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
669
Views
0
Helpful
2
Replies

ezvpn configuration

Arup Dutta
Level 1
Level 1

Hi,

The router is performing PAT for internet access and I'm trying to enable it as an EZVPN server Using the Cisco VPN client, I'm able to connect it and bring up the tunnel. i can pass traffic by vpn and can ping the local device but cant access it by RDP.

please suggest me.

User Access Verification

Username:
Password:

Router#sho run
Building configuration...

Current configuration : 6435 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$4Pcy$V0KWLPKy5/GW/4ItWVooR0
enable password 7 05080F1C22431B5D4A
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login viking_client_india local
aaa authorization exec default local
aaa authorization network viking_client_india local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3568720321
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3568720321
revocation-check none
rsakeypair TP-self-signed-3568720321
!
!
crypto pki certificate chain TP-self-signed-3568720321
certificate self-signed 01
  3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33353638 37323033 3231301E 170D3039 30323038 30343432
  35385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35363837
  32303332 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81009A4D 046918DB 53A18A29 7027920E D4EE15B8 342DD4A3 2F4C9FB1 D6EC01E2
  6ECD5A63 1844B147 72A024CB F95526F6 E2A0C212 0495C1F1 D0643420 C694FCDF
  D0C8DC64 D011E938 BDBCE22A A042802D A2B3E913 A7F0D459 034C90F2 6761DF40
  92A463E0 10EA258E 12C70CA5 25C485D2 42C3F09E B8ED14EC 2DCA58F6 785296B1
  B8F70203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
  551D1104 0A300882 06526F75 74657230 1F060355 1D230418 30168014 41623CBF
  E9F77DBD 254E6B12 7464C621 1174205B 301D0603 551D0E04 16041441 623CBFE9
  F77DBD25 4E6B1274 64C62111 74205B30 0D06092A 864886F7 0D010104 05000381
  8100856D 3FFC63DF A46C49BC CFD0495F 66F20D47 A117A01F BD1F0E98 397334C6
  519C3F41 F4D308DF AD4A7095 D6B39DF7 376EACF9 017DF07E 8E70F3B2 A5F29EFD
  EAE4FED6 53718BDD E12ABF98 7348B6B8 B9E2AF6F 19E5130D A1ABC24B 7DAC37B3
  288376D5 9CAE2859 9E028739 B59B2C58 65335375 09FC8D9A 6CA6C3D8 6AB5D5EC 7705
        quit
dot11 syslog
no ip source-route
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip name-server 202.56.215.54
ip name-server 202.56.215.55
!
!
!
username  privilege 15 password 7 0610062A45400E260C1916020D
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp identity hostname
crypto isakmp client configuration address-pool local VIKING_POOL_1
crypto isakmp xauth timeout 60

!
crypto isakmp client configuration group hw-viking-client
key hw-xxxxx-xxxx
dns 202.56.215.54 202.56.215.55
pool VIKING_POOL_1
acl 110
max-users 6
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-des esp-md5-hmac
!
crypto dynamic-map VIKING_INDIA_1 1
set transform-set ESP-3DES-SHA1
reverse-route
!
!
crypto map VIKING_INDIA_1 client authentication list viking_client
crypto map VIKING_INDIA_1 isakmp authorization list viking_client_india
crypto map VIKING_INDIA_1 client configuration address respond
crypto map VIKING_INDIA_1 65535 ipsec-isakmp dynamic VIKING_INDIA_1
!
archive
log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description *****AIRTEL WAN LINK******
ip address 122.x.x.x 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map VIKING_INDIA_1
!
interface Vlan1
ip address 192.168.1.5 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool VIKING_POOL_1 192.168.15.1 192.168.15.6
ip local pool VIKING_POOL_1 192.168.1.11 192.168.1.16
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 122.x.x.x
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.1.2 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.2 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.2 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.2 445 interface FastEthernet4 445
ip nat inside source route-map nonat interface FastEthernet4 overload
!
ip access-list extended Internet-inbound-ACL
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
permit tcp any any eq 3389
permit tcp any any
ip access-list extended Internet-inbounf-ACL
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 101 remark ** Permit Inbound IPSEC Traffic & Split Tunnel **
access-list 101 permit ip host 192.168.15.1 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.15.2 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.15.3 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.15.4 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.15.5 192.168.1.0 0.0.0.255
access-list 101 remark ** Permit all other traffic **
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit ip any any
access-list 101 permit ip host 192.168.1.11 192.168.15.0 0.0.0.255
access-list 101 permit ip host 192.168.1.12 192.168.15.0 0.0.0.255
access-list 101 permit ip host 192.168.1.13 192.168.15.0 0.0.0.255
access-list 101 permit ip host 192.168.1.14 192.168.15.0 0.0.0.255
access-list 101 permit ip host 192.168.1.15 192.168.15.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip host 192.168.15.4 any
access-list 110 permit ip host 192.168.15.1 any
access-list 110 permit ip host 192.168.15.2 any
access-list 110 permit ip host 192.168.15.3 any
access-list 110 permit ip host 192.168.15.5 any
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
snmp-server community public RO
no cdp run
!
!
route-map nonat permit 10
match ip address 111
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password 7 0610062A45400E260C1916020D
!
scheduler max-task-time 5000
end

Router#

i appratiate your help.

2 Replies 2

spremkumar
Level 9
Level 9

Hi Arup

From the config i suspect the RDP traffic to your vpn client is getting NATted since you don't have an exempt statement for that traffic configured under your nat statement.

You need to make sure that your RDP traffic from your server to the vpn client ip pool dont get natted.

below link discusses about similar kinda scenario.

http://www.booches.nl/2009/01/14/policy-nat-on-cisco-router/

regds

Hi,

i am able to ping my server ip from remote site but not Taking it by

RDP.

please help me out and give me your expensive suggestion.

waiting for your reply.

On Mon, May 17, 2010 at 2:25 PM, spremkumar <

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco