cisco VPN client to 2611XM VPN router

mljevakovic
Level 3

I have a Cisco 2611XM router on the central site with two FastEthernet interfaces (FastEthernet0/0 and FastEthernet0/1). FE0/0 has the private IP address 192.168.1.1/24 and connects to the LAN 192.168.1.0/24. FE0/1 has the public address x.x.x.x/30 and connects to the Internet. On this router there is NAT with overload. This router has to give remote-access clients with the Cisco VPN client access over the Internet to the LAN and at the same time give local users access to the Internet. I have made a config which establishes the tunnel between the clients and the router, but I cannot ping any devices on the local LAN. Also the router needs to give access to a remote LAN in site-to-site scenarios.

I can establish a tunnel between my PC and the router via a dial-up connection over the Internet. But when the tunnel is established I cannot ping any public IP address except my public IP address on the router. I can ping any other clients who have IP addresses from the client pool.


gfullage
Cisco Employee

Sounds like you're not denying the crypto traffic from the NAT process. Keep in mind that NAT happens BEFORE encryption within the router, so if you're doing NAT overload, you need to stop the router from NAT'ing the IPSec traffic.

Here's a good example (http://www.cisco.com/warp/public/707/ios_D.html), showing a LAN-to-LAN tunnel and an older version of the client. Check out the NAT commands in particular, and their reference to access-list 110. The access-list denies the NAT'ing of traffic from the local network to the L2L remote network and to the pool of addresses assigned to the VPN clients, but allows the NAT'ing of the local traffic if it goes anywhere else (to the Internet).

rjwalani
Cisco Employee

Hi,

Please find the answers to your queries below.

1. Access to your internal network once the VPN tunnel is established

You'll have to make sure that the VPN traffic does not get NATed. You could create a route-map to bypass NAT.

For example, if the client pool defined on your router is 10.1.1.1 - 10.1.1.x

and your internal network is 192.168.1.0/24, then you can configure the following:

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

route-map nonat 10

match ip address 101

Change your NAT statement to

ip nat inside source route-map nonat overload

If you have a NAT pool defined, use its name there; otherwise you need to specify the interface.

2. Once the tunnel is established you cannot ping any public address

You'll need to enable split tunnelling. The sample config can be found at

http://www.cisco.com/en/US/partner/netsol/ns110/ns170/ns171/ns27/networking_solutions_white_paper09186a0080186fcf.shtml

Thanks

Ranjana

This is my config file:

-------
Current configuration : 1863 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco2611XM
!
enable secret 5 $1$CJ.F$XtuSBlPaR7kaMkGvRw.eK0
enable password xxxxx
!
username test password 0 test
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key cisco123
 dns 192.168.1.100
 domain cpn.vwg
 pool ippool
 acl 102
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 speed auto
 half-duplex
!
interface FastEthernet0/1
 ip address xxx.yyy.zzz.www 255.255.255.252
 ip nat outside
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map clientmap
!
ip local pool ippool 10.1.1.100 10.1.1.200
ip nat pool internet xxx.yyy.zzz.www xxx.yyy.zzz.www prefix-length 30
ip nat inside source list 7 pool internet overload
ip classless
ip route 0.0.0.0 0.0.0.0 195.222.36.201
ip route 10.112.192.0 255.255.192.0 192.168.1.101
ip http server
!
!
access-list 7 permit 192.168.1.0 0.0.0.255
!
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password proba
!
!
end
-------

I can establish the tunnel and ping any client device that connects with VPN (10.1.1.1xx). Also I can ping 192.168.1.1, but I get the reply from my public address xxx.yyy.zzz.www (?).

I tried with route-map nonat, but when I put in "route-map nonat 10" (I configure the router online) I lost my connection. So I am not sure it will resolve my problem.

Please look at my config and tell me what I have to do, because it is really urgent.

Thanks

Adding the route-map nonat should not make you lose the connection to the router.

The commands that you'll need to put in are:

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

route-map nonat permit 10

match ip address 101

You'll have to either clear the NAT translations or take off the commands "ip nat outside" and "ip nat inside" temporarily while you are taking the following command off:

no ip nat inside source list 7 pool internet overload

and add the command:

ip nat inside source route-map nonat pool internet overload

Make sure you reapply the "ip nat inside" and "ip nat outside" commands afterwards, else your internal users will not be able to go out to the Internet.

You can look up this config in the link which Glenn has sent you -

http://www.cisco.com/warp/public/707/ios_D.html

I've pasted the lines which you should be looking at in the sample config below:

!--- Except the private network and VPN Client traffic from the NAT process.

access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 110 permit ip 192.168.100.0 0.0.0.255 any

!--- Except the private network and VPN Client traffic from the NAT process.

route-map nonat permit 10

match ip address 110

!--- Except the private network and VPN Client traffic from the NAT process.

ip nat inside source route-map nonat interface FastEthernet0/0 overload

Thanks

Ranjana

When I try to remove it with "no ip nat inside source list 7 pool internet overload"

I get the message: "Dynamic mapping in use, cannot remove"

(I put in "no ip nat inside" and "no ip nat outside".)

Thanks a lot Ranjana,

it works now.

Sorry, I had forgotten this line in the config:

access-list 102 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
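The following is an added worked example, not code from this thread or from Cisco. It is a small Python model of the order of operations Glenn describes (inside-to-outside NAT is applied before the crypto map evaluates its ACL), run against the thread's own access-lists: the original NAT source list 7, Ranjana's route-map nonat list 101, and the crypto list 102 that the original poster had forgotten. It evaluates the ACLs with IOS wildcard-mask semantics and the implicit deny at the end of every list, and shows why a LAN-to-VPN-pool packet is translated to the public address and then misses the crypto ACL under list 7, but is exempted and encrypted under list 101. The public address xxx.yyy.zzz.www is replaced by the documentation address 203.0.113.2, and the sample flows are constructed for the example; it is a simulation, not IOS code.

```python
"""
Model (added example, not IOS code) of NAT-before-crypto on the 2611XM above.

Path for a packet entering "ip nat inside" and leaving "ip nat outside":
  1. NAT overload: if the NAT ACL/route-map permits the flow, the source becomes
     the outside address.
  2. Crypto map: the *translated* packet is matched against the crypto ACL
     (list 102).  A translated source no longer matches 192.168.1.0/24, so the
     packet is sent in the clear instead of through the tunnel.

Assumptions: xxx.yyy.zzz.www is stood in for by 203.0.113.2; sample flows are
constructed.  ACL evaluation uses IOS wildcard masks and an implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

PUBLIC_IP = "203.0.113.2"  # placeholder for the router's public address (assumption)


@dataclass(frozen=True)
class Ace:
    """One access-list entry.  Address specs are 'addr wildcard' or 'any'."""
    action: str          # "permit" or "deny"
    src: str
    dst: str = "any"     # standard ACLs (such as list 7) carry no destination


def wildcard_match(ip: str, spec: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match exactly."""
    if spec == "any":
        return True
    addr, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(ip)) & care)


def acl_eval(acl: List[Ace], src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src_ip, ace.src) and wildcard_match(dst_ip, ace.dst):
            return ace.action
    return "deny"


# access-list 7 permit 192.168.1.0 0.0.0.255            (original NAT source list)
ACL_7 = [Ace("permit", "192.168.1.0 0.0.0.255")]

# access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
# access-list 101 permit ip 192.168.1.0 0.0.0.255 any   (matched by route-map nonat)
ACL_101 = [
    Ace("deny", "192.168.1.0 0.0.0.255", "10.1.1.0 0.0.0.255"),
    Ace("permit", "192.168.1.0 0.0.0.255", "any"),
]

# access-list 102 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
# (the forgotten line; selects LAN <-> client-pool traffic for the tunnel)
ACL_102 = [Ace("permit", "192.168.1.0 0.0.0.255", "10.1.1.0 0.0.0.255")]


def inside_to_outside(nat_acl: List[Ace], crypto_acl: List[Ace],
                      src_ip: str, dst_ip: str) -> Tuple[str, bool]:
    """Return (source address on the wire, encrypted?) for one LAN-originated packet."""
    if acl_eval(nat_acl, src_ip, dst_ip) == "permit":   # step 1: NAT overload
        src_ip = PUBLIC_IP
    encrypted = acl_eval(crypto_acl, src_ip, dst_ip) == "permit"  # step 2: crypto map
    return src_ip, encrypted


def nat_exemption_gaps(nat_acl: List[Ace], crypto_acl: List[Ace],
                       flows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flows the crypto ACL should encrypt but the NAT ACL would also translate.

    Run this before committing a new NAT statement: the NAT list must deny every
    (src, dst) pair the crypto ACL permits, or that traffic leaves unencrypted.
    """
    return [f for f in flows
            if acl_eval(crypto_acl, *f) == "permit" and acl_eval(nat_acl, *f) == "permit"]


# Constructed sample flows: LAN host -> VPN client from ippool, LAN host -> Internet host.
SAMPLE_FLOWS = [("192.168.1.50", "10.1.1.100"), ("192.168.1.50", "198.51.100.7")]

if __name__ == "__main__":
    for name, nat in (("list 7", ACL_7), ("route-map nonat / list 101", ACL_101)):
        print(f"NAT via {name}:")
        for src, dst in SAMPLE_FLOWS:
            wire_src, enc = inside_to_outside(nat, ACL_102, src, dst)
            print(f"  {src} -> {dst}: on-wire source {wire_src}, encrypted={enc}")
        print("  exemption gaps:", nat_exemption_gaps(nat, ACL_102, SAMPLE_FLOWS))
```

With list 7 the LAN-to-pool flow shows up as an exemption gap: it is translated to the public address and not encrypted, which is the behaviour the original poster saw. With list 101 the same flow is left untranslated and matches list 102, while the LAN-to-Internet flow is still translated and still not encrypted, which is the split that the route-map is meant to produce.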