06-03-2003 04:40 PM - edited 03-09-2019 03:31 AM
Hi All,
I have a Cisco 1721 Router configured as an EzVPN Server and am trying to connect using a Cisco 3.6.3 VPN Client.
The problem is that I get connected fine and also get an IP address. The remote subnet also appears in my Cisco Client; however, I cannot ping (etc.) any other device on the remote subnet (i.e. connected to the Cisco 1721).
Setup is
172.28.2.x---Cisco 1721----Public IP Address-----Cisco Client
IP Pool=172.28.5.x
Relevant 1721 config is:
hostname naman-router
!
!
username naman secret 5 xxxxxxxxx
clock timezone PST -8
clock summer-time PDT recurring
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network mylist local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip domain name xxxx.com
crypto isakmp policy 1
authentication pre-share
group 2
!
crypto isakmp policy 2
hash md5
authentication pre-share
group 2
crypto isakmp identity hostname
crypto isakmp client configuration address-pool local mypool1
!
crypto isakmp client configuration group yyyyyy
key xxxxx
dns 172.28.2.10
wins 172.28.2.10
domain xxxxx.com
pool mypool1
acl 121
!
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
!
crypto dynamic-map mymap 1
set transform-set myset1
reverse-route
!
!
crypto map mymap client authentication list default
crypto map mymap isakmp authorization list mylist
crypto map mymap client configuration address respond
crypto map mymap 1 ipsec-isakmp dynamic mymap
!
!
!
!
interface Ethernet0
ip address x.x.x.x 255.255.255.192
no ip redirects
half-duplex
no cdp enable
crypto map mymap
!
interface FastEthernet0
ip address 172.28.2.1 255.255.255.0
no ip proxy-arp
speed auto
!
ip local pool mypool1 172.28.5.1 172.28.5.100
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
no ip http server
no ip http secure-server
!
access-list 121 permit ip 172.28.2.0 0.0.0.255 any
!
!
!
06-03-2003 06:05 PM
You're missing the group authorization AAA list reference (actually I'm surprised you get connected without it). Add:
> aaa authorization network mylist local
This references your:
> crypto map mymap isakmp authorization list mylist
command. I would also change:
> access-list 121 permit ip 172.28.2.0 0.0.0.255 any
to:
> access-list 121 permit ip 172.28.2.0 0.0.0.255 172.28.5.0 0.0.0.255
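An added example (not the poster's or Cisco's code) that checks the two points raised in this reply against the posted config: whether the authorization list named in the crypto map is actually defined, and whether the split-tunnel ACL handed to clients is scoped to the address pool rather than `any`. The config excerpt is constructed from the posted config; the function and message wording are assumptions for this example.

```python
from __future__ import annotations
import ipaddress
import re

# Constructed excerpt of the 1721 config posted above (placeholder values kept as
# the poster wrote them); the audit function is an added example, not Cisco code.
CONFIG = """\
aaa authorization network mylist local
crypto isakmp client configuration group yyyyyy
 key xxxxx
 pool mypool1
 acl 121
crypto map mymap isakmp authorization list mylist
ip local pool mypool1 172.28.5.1 172.28.5.100
access-list 121 permit ip 172.28.2.0 0.0.0.255 any
"""

def _ip_in_wildcard(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard match: bits set in the wildcard are 'don't care' bits."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def audit_ezvpn(config: str) -> list[str]:
    """Return findings for the AAA-list and split-tunnel ACL points raised in the reply."""
    findings = []
    # 1. Every authorization list the crypto map references must be defined under aaa.
    defined = set(re.findall(r"^aaa authorization network (\S+) ", config, re.M))
    for name in re.findall(r"^crypto map \S+ isakmp authorization list (\S+)", config, re.M):
        if name not in defined:
            findings.append(f"authorization list '{name}' referenced by crypto map is not defined")
    # 2. The ACL named in the client group should cover exactly the client pool, not 'any'.
    pools = {m[1]: (m[2], m[3]) for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M)}
    pool = re.search(r"^\s+pool (\S+)", config, re.M)
    acl = re.search(r"^\s+acl (\d+)", config, re.M)
    if not (pool and acl and pool[1] in pools):
        findings.append("client group lacks a pool/acl pair that resolves to a defined local pool")
        return findings
    lo, hi = pools[pool[1]]
    for m in re.finditer(rf"^access-list {acl[1]} permit ip \S+ \S+ (.+)$", config, re.M):
        dst = m[1].split()
        if dst[0] == "any":
            findings.append(f"access-list {acl[1]} destination 'any' is broader than pool {lo}-{hi}")
            continue
        net, wc = (dst[1], "0.0.0.0") if dst[0] == "host" else (dst[0], dst[1])
        if not (_ip_in_wildcard(lo, net, wc) and _ip_in_wildcard(hi, net, wc)):
            findings.append(f"access-list {acl[1]} destination {net} {wc} does not cover pool {lo}-{hi}")
    return findings

if __name__ == "__main__":
    for finding in audit_ezvpn(CONFIG):
        print("FINDING:", finding)
```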
06-05-2003 08:15 AM
> aaa authorization network mylist local
was already there in the script, as you can see from the config posted above.
However, I was going through a static mapping on a PIX firewall that wasn't allowing incoming ESP packets, so it was a misconfiguration on my part. It works now.
Thanks, Naman