Local access to the network when connected through VPN

Unanswered Question
Apr 26th, 2011

hello,

Although I am connecting using the Cisco VPN client and obtaining an IP address 192.168.1.x, I am still unable to access machines on the remote network, and ping replies come back from the WAN address of the 1721 router. I want to remote desktop and telnet to the router on the remote network. Config below...

Current configuration : 3570 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname dslrouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.IXf$fxnP7T0nXOxXydiTOTLX30
!
aaa new-model
!
!
aaa authentication login AAA-VPN local
aaa authorization network AAA-VPN local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.10.0 192.168.10.10
ip dhcp excluded-address 192.168.20.2
!
ip dhcp pool vlan10-Pool
   network 192.168.10.0 255.255.255.0
   domain-name home.local
   dns-server 194.158.37.196
   default-router 192.168.10.2
!
ip dhcp pool vlan10-pool
!
ip dhcp pool vlan20-pool
   network 192.168.20.0 255.255.255.0
   dns-server 194.158.37.196
   default-router 192.168.20.2
!
ip dhcp pool vlan1-pool
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.2
   dns-server 194.158.37.196
!
!
ip name-server 194.158.37.196
vpdn enable
!
!
!
!
!
username admin privilege 15 password 7 04570A0216285E4B0D
username and password 7 151E0A081D2325362D37
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnall
key xxxxxxxxxx
dns 192.168.1.2
pool VPNALLPOOL
!
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set 3des-sha
reverse-route
!
!
crypto map vpn client authentication list AAA-VPN
crypto map vpn isakmp authorization list AAA-VPN
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp dynamic dynmap
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0.1 point-to-point
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface BRI0
no ip address
shutdown
!
interface FastEthernet0
no ip address
ip nat inside
ip virtual-reassembly
speed auto
!
interface FastEthernet0.1
encapsulation dot1Q 1 native
ip address 192.168.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet0.10
encapsulation dot1Q 10
ip address 192.168.10.2 255.255.255.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet0.20
encapsulation dot1Q 20
ip address 192.168.20.2 255.255.255.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface Dialer1
description ***Outside***
ip address negotiated
ip mtu 1450
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication pap callin
ppp pap sent-username xxxxxxxxxxx password 7 101C584D5743405A54
crypto map vpn
!
ip local pool VPNALLPOOL 192.168.1.180 192.168.1.190
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
no ip http secure-server
ip nat inside source route-map RM-POLICY-NAT interface Dialer1 overload
!
ip access-list extended ACL-POLICY-NAT
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended acl_firewall
permit esp any any
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
!
route-map RM-POLICY-NAT permit 10
match ip address ACL-POLICY-NAT
!
!
control-plane
!
!
line con 0
password 7 000812021D5205140A25
line aux 0
line vty 0 4
password 7 011F07004202081D2448
!
end

Thank You !

kasiva_1987 Tue, 04/26/2011 - 05:13

Hi,

Please change the VPN pool address. It should not be one that is already configured on the remote network; Fa0.1 is already using the same subnet.

Try something like below.

ip local pool VPNALLPOOL 192.168.2.180 192.168.2.190

Do rate helpful post.

Thanks,

Kasi.

aconticisco Tue, 04/26/2011 - 05:35

Hello,

I changed the VPNALLPOOL as suggested and now I am obtaining an IP address in the 192.168.2.x range, but should I create a subinterface on the Ethernet 0 of the router in that range as well so as to connect to it from the remote PC? How can I connect to the other machines on the remote network on different VLANs? Basically now I get a different IP address in the 192.168.2.x range but still with no access...

Thank You !

kasiva_1987 Tue, 04/26/2011 - 05:49

Hi,

If you simply have the topology below then everything works fine. Try to access it and let me know.

Remote Laptop<---Internet--->VPN Router<---->Local Lan 1 & 2

If you have a topology like the one below, then you have to tell RTR2 and RTR3 how to reach the subnet 192.168.2.0 through the VPN router, either through a static route or through an IGP.

Remote Laptop<---Internet--->VPN Router<---->RTR2<----->RTR3

Do rate helpful post.

Thanks,

Kasi

aconticisco Tue, 04/26/2011 - 06:21

Yes, I have Remote Laptop<---Internet--->VPN Router<---->Local Lan 1 & 2

However, what IP do I need to use to telnet to the router once connected, since there is no IP within that range?

Ping to the remote network hosts is not working either.

Thanks !

kasiva_1987 Tue, 04/26/2011 - 06:41

You have configured a full tunnel, so you can use any IP address configured on the router.

192.168.1.2 or 192.168.10.2 or 192.168.20.2

Thanks,

Kasi.

aconticisco Tue, 04/26/2011 - 08:22

Unfortunately, while connected to the VPN the only IP that replies is 192.168.10.2, and it replies from the external IP. However, telnet is still not working when trying with that IP. There must be some configuration needed; what do you think?

kasiva_1987 Tue, 04/26/2011 - 08:41

Try this. The problem is with the NAT. The subnet should be denied.

ip access-list extended ACL-POLICY-NAT
deny ip any 192.168.2.0 0.0.0.255 <------------------
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any

Thanks,

Kasi

Message was edited by: Kasiraman S
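The two changes Kasi recommends in this thread (moving VPNALLPOOL off the 192.168.1.0/24 subnet that FastEthernet0.1 already uses, and putting a deny for the pool ahead of the permits in ACL-POLICY-NAT) can both be checked mechanically against a config dump. The Python below is an added example written for this page; it is not part of the thread and not Cisco tooling. It parses a cut-down copy of the posted config (constructed inline, with FastEthernet0.20 and everything unrelated removed) and reports any pool that lies inside a connected subnet, and any NAT ACL whose first entry matching LAN-to-pool traffic is a permit. Its only assumptions are IOS first-match ACL evaluation and that "ip nat inside source" applies to traffic sourced from an "ip nat inside" interface; the parser handles only the directives shown here.

```python
import ipaddress
import re

# Constructed sample: the posted dslrouter config cut down to its LAN subnets, VPN pool and NAT policy.
POSTED_CONFIG = """\
interface FastEthernet0.1
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
!
interface FastEthernet0.10
 ip address 192.168.10.2 255.255.255.0
 ip nat inside
!
ip local pool VPNALLPOOL 192.168.1.180 192.168.1.190
ip nat inside source route-map RM-POLICY-NAT interface Dialer1 overload
ip access-list extended ACL-POLICY-NAT
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
route-map RM-POLICY-NAT permit 10
 match ip address ACL-POLICY-NAT
"""
# The same config with the two fixes suggested in the thread applied.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "VPNALLPOOL 192.168.1.180 192.168.1.190", "VPNALLPOOL 192.168.2.180 192.168.2.190"
).replace("ACL-POLICY-NAT\n", "ACL-POLICY-NAT\n deny ip any 192.168.2.0 0.0.0.255\n", 1)


def _ace_addr(tokens):
    """Consume one ACE address (any | host A | A wildcard); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)  # invert wildcard
    return ipaddress.IPv4Network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_config(text):
    """Collect interfaces, local pools, extended ACLs, route-maps and the NAT statement."""
    cfg = {"interfaces": {}, "pools": {}, "acls": {}, "route_maps": {}, "nat": None}
    section = None  # (kind, name) of the block being read; '!' or a global command ends it
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            section = None
        elif m := re.match(r"interface (\S+)$", line):
            section = ("interface", m[1])
            cfg["interfaces"][m[1]] = {"net": None, "nat": None}
        elif m := re.match(r"ip access-list extended (\S+)$", line):
            section = ("acl", m[1])
            cfg["acls"][m[1]] = []
        elif m := re.match(r"route-map (\S+)", line):
            section = ("route-map", m[1])
        elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)$", line):
            section = None
            cfg["pools"][m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
        elif m := re.match(r"ip nat inside source (route-map|list) (\S+)", line):
            section = None
            cfg["nat"] = (m[1], m[2])
        elif section is None:
            continue
        elif section[0] == "interface":
            if m := re.match(r"ip address (\S+) (\S+)$", line):
                cfg["interfaces"][section[1]]["net"] = ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False)
            elif m := re.match(r"ip nat (inside|outside)$", line):
                cfg["interfaces"][section[1]]["nat"] = m[1]
        elif section[0] == "acl":
            if m := re.match(r"(permit|deny) ip (.+)$", line):
                src, rest = _ace_addr(m[2].split())
                cfg["acls"][section[1]].append((m[1], src, _ace_addr(rest)[0], line))
        elif section[0] == "route-map":
            if m := re.match(r"match ip address (\S+)$", line):
                cfg["route_maps"][section[1]] = m[1]
    return cfg


def pool_overlaps(cfg):
    """VPN pools whose first or last address sits inside a directly connected subnet."""
    hits = []
    for pool, (first, last) in cfg["pools"].items():
        for iface, info in cfg["interfaces"].items():
            if info["net"] is not None and (first in info["net"] or last in info["net"]):
                hits.append((pool, iface, str(info["net"])))
    return hits


def nat_leaks_to_pool(cfg):
    """Pools for which the first NAT ACL entry matching LAN-to-pool traffic is a permit."""
    kind, name = cfg["nat"] or (None, None)
    acl = cfg["acls"].get(cfg["route_maps"].get(name) if kind == "route-map" else name, [])
    inside = [i["net"] for i in cfg["interfaces"].values() if i["nat"] == "inside" and i["net"]]
    findings = []
    for pool, (first, last) in cfg["pools"].items():
        for block in ipaddress.summarize_address_range(first, last):
            for action, src, dst, text in acl:
                if (src.prefixlen == 0 or any(src.overlaps(n) for n in inside)) and dst.overlaps(block):
                    if action == "permit" and (pool, text) not in findings:
                        findings.append((pool, text))
                    break  # first match decides; later entries are never consulted
    return findings
```

Run against POSTED_CONFIG, `pool_overlaps(parse_config(POSTED_CONFIG))` returns the FastEthernet0.1 overlap and `nat_leaks_to_pool(...)` returns "permit ip 192.168.10.0 0.0.0.255 any" as the entry that would translate traffic bound for the pool; against FIXED_CONFIG both lists are empty. The ACL is evaluated top to bottom, which is why the deny has to be placed before the permits rather than appended.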

aconticisco Tue, 04/26/2011 - 22:14

After updating the access-list I can ping the 192.168.1.2 and 192.168.20.2 interfaces, getting a reply from the WAN address; however I am still unable to telnet to the above addresses or connect to machines on the remote network.

aconticisco Wed, 04/27/2011 - 22:30

I have excluded the VPN traffic from the NAT; however I am still unable to telnet to the router or RD to remote machines when connected to the VPN. Any ideas please?

geert.reijnders Wed, 04/27/2011 - 23:41

A long time ago I had this same issue. I thought I had to adjust the MTU size. On your dialer interface it is 1450

aconticisco Thu, 04/28/2011 - 20:58

Do you mean adjust the MTU on the client side or on the Dialer1 interface?

What do you recommend as MTU size?

Thanks !

thotsaphon Fri, 04/29/2011 - 00:01

Hi,

Please post your current configuration. This would be a NAT issue.

HTH,

Toshi

geert.reijnders Fri, 04/29/2011 - 00:05

I adjusted the MTU size on the dialer interface. I don't know what value I changed it to, but it was lower than 1450.

Kind regards,

Client ICT Groep

Geert Reijnders

aconticisco Wed, 05/04/2011 - 21:43

Hello,

Unfortunately now it is even worse, as I cannot even connect to the VPN. Error:

*Mar  1 04:42:44.603: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar  1 04:42:44.603: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar  1 04:42:44.603: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 12 against priority 65535 policy
*Mar  1 04:42:44.607: ISAKMP:      encryption 3DES-CBC
*Mar  1 04:42:44.607: ISAKMP:      hash MD5
*Mar  1 04:42:44.607: ISAKMP:      default group 2
*Mar  1 04:42:44.607: ISAKMP:      auth pre-share
*Mar  1 04:42:44.607: ISAKMP:      life type in seconds
*Mar  1 04:42:44.607: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

on the client end I get message:

The remote peer is no longer responding, and no prompt for authentication is shown.
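The debug lines above can be decoded rather than read by eye. The Python below is an added example for this page, not something from the thread or from Cisco: it extracts the attributes of each transform the router logs as "Checking ISAKMP transform N", decodes the lifetime bytes, and lists on which of encryption, hash, authentication and group an offer differs from each "crypto isakmp policy" in a config text. The IOS defaults of des/sha/rsa-sig/group 1 are assumed for unset attributes and for the implicit priority 65535 policy; the lifetime is decoded but deliberately not compared, since IOS handles it separately. The excerpt shows only transform 12, and the policy text used is the "crypto isakmp policy 1" from the config posted at the top of the thread; the config in force when the debug was captured is not posted.

```python
import re

# Debug lines as posted in the thread (only one ISAKMP transform is visible in the
# excerpt) and the 'crypto isakmp policy 1' block from the config posted at the top.
ISAKMP_DEBUG = """\
*Mar  1 04:42:44.603: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar  1 04:42:44.603: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar  1 04:42:44.603: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 12 against priority 65535 policy
*Mar  1 04:42:44.607: ISAKMP:      encryption 3DES-CBC
*Mar  1 04:42:44.607: ISAKMP:      hash MD5
*Mar  1 04:42:44.607: ISAKMP:      default group 2
*Mar  1 04:42:44.607: ISAKMP:      auth pre-share
*Mar  1 04:42:44.607: ISAKMP:      life type in seconds
*Mar  1 04:42:44.607: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
"""
POLICY_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
"""

# IOS defaults for an isakmp policy; priority 65535 is the built-in default policy.
DEFAULT_POLICY = {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": 1}
# Names as printed by 'debug crypto isakmp' mapped onto the config keywords.
DEBUG_NAMES = {"3DES-CBC": "3des", "DES-CBC": "des", "AES-CBC": "aes", "MD5": "md5", "SHA": "sha"}


def parse_offers(debug):
    """Return {transform_no: attrs} for every transform the debug output shows being checked."""
    offers, cur = {}, None
    for line in debug.splitlines():
        if m := re.search(r"Checking ISAKMP transform (\d+) against priority (\d+) policy", line):
            cur = offers.setdefault(int(m[1]), {"checked_against": []})
            cur["checked_against"].append(int(m[2]))
        elif cur is None:
            continue
        elif m := re.search(r"ISAKMP:\s+encryption (\S+)", line):
            cur["encr"] = DEBUG_NAMES.get(m[1], m[1].lower())
        elif m := re.search(r"ISAKMP:\s+hash (\S+)", line):
            cur["hash"] = DEBUG_NAMES.get(m[1], m[1].lower())
        elif m := re.search(r"ISAKMP:\s+default group (\d+)", line):
            cur["group"] = int(m[1])
        elif m := re.search(r"ISAKMP:\s+auth (\S+)", line):
            cur["auth"] = m[1]
        elif m := re.search(r"life duration \(VPI\) of\s+((?:0x[0-9A-Fa-f]+\s*)+)", line):
            # lifetime is printed as big-endian bytes: 0x0 0x20 0xC4 0x9B -> 0x0020C49B seconds
            cur["lifetime"] = int("".join(b[2:].zfill(2) for b in m[1].split()), 16)
    return offers


def parse_policies(config):
    """Return {priority: attrs} for each 'crypto isakmp policy', filling in IOS defaults."""
    policies, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            cur = policies[int(m[1])] = dict(DEFAULT_POLICY)
        elif cur is None or line.startswith("!"):
            cur = None
        elif m := re.match(r"(encr|encryption|hash|authentication|group) (.+)$", line):
            key = {"encryption": "encr", "authentication": "auth"}.get(m[1], m[1])
            cur[key] = int(m[2]) if key == "group" else m[2]
    policies[65535] = dict(DEFAULT_POLICY)  # the implicit default policy is always tried last
    return policies


def mismatches(offer, policy):
    """Attributes on which an offered transform differs from a policy ([] means it fits)."""
    return [k for k in ("encr", "hash", "auth", "group") if offer.get(k) != policy[k]]
```

On the page's data, transform 12 (3DES-CBC, MD5, group 2, pre-share, lifetime 0x0020C49B = 2147483 seconds) differs from the built-in priority 65535 policy on all four compared attributes and from the posted policy 1 on none. The same two functions can be run over a full "debug crypto isakmp" capture, which prints one such block per transform the client offers.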
