
Cisco 806 & Client VPN

Unanswered Question
Mar 23rd, 2002

Hi All,


I'm new to Cisco so a little help would be great.


I just purchased a Cisco 806 Broadband Router. I've added the Firewall/3DES IOS to this router.


Before the upgrade I was able to use the Cisco VPN client from a Windows PC to connect to my office.


After the IOS upgrade I can connect but can no longer receive packets after connecting.


If I go back to the IP IOS it all works fine... so I'm thinking it must be a rule or something...


Any Suggestions?



Thanks!


Stefan

srittenberg Sat, 03/23/2002 - 17:00

I assume this is what happened if you have not configured the VPN on the 800 router in coordination with your PIX person at work. You were using VPN client software to connect to work; after installing the firewall feature on the 800 router, you didn't establish the IPsec tunnel with the other end (office), either with the VPN 3000 concentrator or with the PIX. You need to establish the IPsec tunnel, set up the crypto ipsec policy, crypto map, pre-shared key, set peer... all that. You need to work with your security person at work to get at least the transform-set and pre-shared key, and go from there. If you could create an IPsec tunnel with the office, you don't need to use the VPN client anymore.


Does this help?

stefanbuchman Sat, 03/23/2002 - 17:05

Thanks for the help... but what I'm trying to do is get the VPN client working again from a PC behind this router.


This seems to have something to do with the Firewall features added by the IOS.


Any other tips?

srittenberg Sat, 03/23/2002 - 17:13

So you didn't do anything on the router like crypto isakmp enable, apply a crypto map to the outside interface, or apply any access-list? You just installed the firewall feature set on the router and nothing else?


Do show access-list; show crypto map ipsec transform-set; show crypto map. Does it show it will negotiate: tunnel, and any transform set, and any isakmp policy applied to any interface?


stefanbuchman Sat, 03/23/2002 - 17:15

I didn't do anything else... I just upgraded the IOS and couldn't use the VPN client anymore...


Is there anything I should be adding to the config file to support the VPN client?


Thanks!

srittenberg Sat, 03/23/2002 - 17:31

Hmmm, I am not sure now. Perhaps someone else could pick this up. I have never installed the firewall feature on the router and am not using it. But I do know this: you do not need to set up VPN client support on the router, because the VPN client (your PC) is trying to establish IPsec with the office. Maybe your router is not letting the ISAKMP through; you could try adding the access-list. ISAKMP uses UDP port 500, AH uses protocol 51 and ESP uses protocol 50. So you may try to add permit ahp; esp; udp eq isakmp.


Do you need help on the access-list?

stefanbuchman Sat, 03/23/2002 - 17:35

Would it be possible to give me the exact command you think I should run?


Thanks!

srittenberg Sat, 03/23/2002 - 17:44

Sure:

access-list 101 permit ahp host x.x.x.x host y.y.y.y (x.x.x.x is the peer ip which is your office PIX outside interface ip, this is the same IP your vpn client uses to connect to the office, y.y.y.y is your router's outside interface ip)

access-list 101 permit esp host x.x.x.x host y.y.y.y

access-list 101 permit udp host x.x.x.x host y.y.y.y eq isakmp

access-list 101 permit ip (remote network to your home network or your host)


interface outside_interface (I'm not sure which one you use; I assume this is an ethernet interface, so maybe e0/1....)

ip access-group 101 in


The best way may be to set up the IPsec tunnel with work; it's not hard, you just need to get the info from your company security person. You may use the VPN client when you are on the road, and use your router firewall when you are at home.
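
An added example, not part of the thread or any poster's code: a small Python check that evaluates an IOS extended ACL first-match against the three inbound flows named in the replies above (UDP 500, protocol 50, protocol 51). The addresses and both ACLs are constructed sample data, and the parser assumes only the `any`, `host` and address/wildcard forms with an optional `eq` port.

```python
import ipaddress

PROTO = {"ip": None, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}  # None = "ip" (any protocol)
PORTS = {"isakmp": 500}
# Constructed sample data (documentation addresses), not taken from the thread
PEER, ROUTER = "198.51.100.10", "203.0.113.5"
ACL_101 = """
access-list 101 permit ahp host 198.51.100.10 host 203.0.113.5
access-list 101 permit esp host 198.51.100.10 host 203.0.113.5
access-list 101 permit udp host 198.51.100.10 host 203.0.113.5 eq isakmp
"""
ACL_102 = """
access-list 102 permit udp any any eq 500
access-list 102 permit tcp any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def parse_acl(text):
    rules = []
    for tok in (line.split() for line in text.strip().splitlines()):
        src, rest = _addr(tok[4:])
        dst, rest = _addr(rest)
        port = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append((tok[2], PROTO[tok[3]], src, dst, port))
    return rules

def verdict(rules, proto, src, dst, dport=None):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, p, (sb, sw), (db, dw), port in rules:
        if p in (None, proto) and (_ip(src) | sw) == (sb | sw) \
                and (_ip(dst) | dw) == (db | dw) and port in (None, dport):
            return action
    return "deny"

def ipsec_passthrough(rules, peer, local):
    """Check the three inbound flows: UDP 500 (ISAKMP), protocol 50 (ESP), protocol 51 (AH)."""
    return {"isakmp": verdict(rules, 17, peer, local, 500),
            "esp": verdict(rules, 50, peer, local),
            "ahp": verdict(rules, 51, peer, local)}
```

Calling `ipsec_passthrough(parse_acl(ACL_102), PEER, ROUTER)` returns permit for ISAKMP but deny for ESP and AH: an ACL that passes UDP 500 alone lets the negotiation through while the protected traffic hits the implicit deny.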

stefanbuchman Sat, 03/23/2002 - 18:23

Thanks...


I tried it.. but no go... still the same issue...


I can connect... I see packets going out...


But nothing coming in.



Stefan

srittenberg Sat, 03/23/2002 - 18:34

I am not sure now. Let's see if someone else could help out on this. My experience has been site-to-site VPN and PIX to VPN client; I haven't run into issues like this where the end user has an IOS firewall at home. I am sure others will have some good suggestions.


good luck
