VPN Configuration on Cisco 2621

bbellamy
Level 1

Can anyone help with this strange problem I'm having with configuring VPN on the Cisco. I can connect with the Cisco Client successfully, but I can only telnet to the devices which are not in access list 101:

access-list 101 permit ip 10.3.200.0 0.0.0.255 any
access-list 101 permit ip 10.3.100.0 0.0.0.255 any
!
route-map NIC permit 5
 match ip address 101
 set default interface FastEthernet0/1
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 permanent

The interfaces are configured as below and we're using NAT.

interface FastEthernet0/0
 ip address 10.3.1.1 255.255.0.0
 ip nat inside
 ip policy route-map NIC
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address XXX.XXX.XXX.XXX 255.255.255.192
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
 crypto map clientmap

Is NAT causing the problem???

5 Replies

gmiiller
Level 1

I'm not entirely sure what you're trying to do with your policy route-map. So I'll just cover off on my understanding of what your policy routing is accomplishing.

First, I'm never a fan of default routes referring to ethernet interfaces, as you usually end up with a huge arp cache wasting router resources.

Now, for your policy routing, remembering that your default route is fast 0/1.

Your policy route says "If traffic is coming from 10.3.100.0 or 10.3.200.0, and you don't have a route for the destination, use interface fast 0/1".

Your default route would have accomplished this anyway. Are there more entries in your route-map? What is it that your route-map is supposed to do?

Thanks for your reply, I have included a more detailed config below to help further. The route map is configured for connections to Fast 0/0, and if they match the address in 101 then use Fast 0/1.

When I connect via the Cisco VPN client, I connect successfully but can only contact the systems which are not specified in 101. How can I modify the config so I can contact the systems in the 101 policy via VPN?

Here's a more detailed config which should help:

crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group XXXXXX
 key XXXXXX
 pool nicvpnpool
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
isdn switch-type basic-net3
isdn voice-call-failure 0
!
mta receive maximum-recipients 0
!
interface FastEthernet0/0
 ip address 10.1.1.3 255.255.0.0
 ip nat inside
 ip policy route-map niclan
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description Kingston Internet
 ip address 21X.X.X.X 255.255.XXX.XXX
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
 crypto map clientmap
!
ip local pool nicvpnpool 10.2.1.1 10.2.1.254
ip nat translation timeout 119
ip nat inside source list 101 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 21X.XXX.XXX.XXX permanent
no ip http server
!
access-list 101 remark Internet
access-list 101 permit ip 10.1.4.0 0.0.0.255 any
access-list 101 permit ip 10.1.3.0 0.0.0.255 any
!
route-map niclan permit 5
 match ip address 101
 set default interface FastEthernet0/1
!
radius-server authorization permit missing Service-Type
no call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
banner login
########################################
#                                      #
#                                      #
#                                      #
#                                      #
#     UNAUTHORISED ACCESS PROHIBITED   #
########################################
!
line con 0
 exec-timeout 0 0
 privilege level 0
 password 7 XXXXXXXXXXXX
line aux 0
line vty 0 4
 access-class 2 in
 exec-timeout 0 0
 privilege level 0
 password 7 XXXXXXXXXX
!
end

Suggest that you look at reverse route injection on your crypto.

Sorry but I don't have much Cisco experience - how can I achieve this (reverse route injection on your crypto)?

Kind Regards,
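The thread ends without showing what reverse route injection looks like. Below is an added example of mine, not something posted in the thread, applied to the second config above: the reverse-route line under the existing dynamic map, plus moving NAT and policy routing off access-list 101 so that LAN replies to the 10.2.1.0/24 client pool are neither translated nor forced out FastEthernet0/1. ACL numbers 110 and 111 are my choice, and the explanation of why NAT breaks the return path is my reading of the posted config, not a conclusion the thread itself reaches.

```cisco
! Added example, not from the thread. Interface names, access-list 101,
! pool nicvpnpool (10.2.1.1-10.2.1.254) and dynamic map "dynmap" come from
! the posted config; ACLs 110/111 and the reverse-route change are mine.
!
! 1. Reverse route injection. When a client brings up its SA, IOS installs
!    a static host route for the client's pool address pointing at the
!    crypto interface, so the router now has an explicit route back to the
!    client and "set default interface" in route-map niclan no longer
!    applies to the replies (PBR "set default" only fires when no route
!    exists for the destination).
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
! 2. Stop sharing access-list 101 between NAT and PBR. Inside-to-outside
!    NAT runs before the crypto map is checked, so a reply from 10.1.3.x or
!    10.1.4.x to a client in 10.2.1.0/24 is translated to the Fa0/1 address
!    and then fails to match the client's SA (assumption: this is why only
!    hosts outside 101 were reachable). Deny traffic to the pool first.
access-list 110 remark NAT to Internet - VPN client pool exempted
access-list 110 deny   ip 10.1.4.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 110 deny   ip 10.1.3.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 110 permit ip 10.1.4.0 0.0.0.255 any
access-list 110 permit ip 10.1.3.0 0.0.0.255 any
!
! IOS refuses to remove a NAT rule that still has active translations,
! so clear them first (this briefly resets existing NAT sessions).
! clear ip nat translation *
no ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source list 110 interface FastEthernet0/1 overload
!
! 3. Same exemption for policy routing on Fa0/0. A deny in the match ACL
!    means the packet skips this route-map entry and is routed normally,
!    i.e. via the route that reverse-route installed.
access-list 111 remark PBR to Internet - VPN client pool exempted
access-list 111 deny   ip 10.1.0.0 0.0.255.255 10.2.1.0 0.0.0.255
access-list 111 permit ip 10.1.4.0 0.0.0.255 any
access-list 111 permit ip 10.1.3.0 0.0.0.255 any
!
route-map niclan permit 5
 match ip address 111
 set default interface FastEthernet0/1
!
! Access-list 101 can stay for now; once nothing references it, remove it.
```

After a client connects, "show ip route static" should list a /32 for its pool address, and "show ip nat translations" should show no entries whose destination is in 10.2.1.0/24.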
