IOS VPN using VPN client = VPN and ping OK no traffic

hspaander (Level 1)

Hi there,

I currently set up an 826 (IOS (tm) C820 Software (C820-K8OSY6-M), Version 12.2(2)T4, RELEASE SOFTWARE (fc3)) ADSL connection to an ISP using NAT. I also configured some redirections (PAT) to the mail and web server on the internal LAN. Finally I want to add a "road warrior" using any ISP, connecting via an IPsec VPN to the internal LAN. VPN setup including key exchange finishes smoothly and I can also ping the internal systems; all standard internal to external traffic is also OK. But when I want to access systems on any IP protocol (telnet / ssh ...) I can access the internal systems. Hereby my simple config, give it a shot....

current config:

version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname a213-84-19-156
!
logging rate-limit console 10 except errors
enable secret 5 $1$y/EK$wAisMWMGiTJ/1ZFyLTg.y.
enable password XXXXXX
!
ip subnet-zero
ip domain-name adsl.xs4all.nl
ip name-server 194.109.6.66
ip name-server 194.109.9.99
!
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 3
 authentication pre-share
crypto isakmp key cisco1234 address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local ourpool
!
!
crypto ipsec transform-set vpn-transform esp-des esp-md5-hmac
!
crypto dynamic-map vpn-dynamic 10
 set transform-set vpn-transform
!
!
crypto map vpnclient client configuration address initiate
crypto map vpnclient client configuration address respond
crypto map vpnclient 10 ipsec-isakmp dynamic vpn-dynamic
!
!
!
!
interface Ethernet0
 ip address 10.124.77.250 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 no keepalive
!
interface ATM0
 no ip address
 no ip route-cache
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0 8/48
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 bundle-enable
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username jtel@xs4all-fast-adsl password 7 030E4F0E0A5D70
 crypto map vpnclient
!
ip local pool ourpool 10.124.78.1 10.124.78.254
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 10.124.77.55 443 <ip internet> 443 extendable
ip nat inside source static tcp 10.124.77.55 80 <ip internet> 80 extendable
ip nat inside source static tcp 10.124.77.55 22 <ip internet> 22 extendable
ip nat inside source static tcp 10.124.77.55 10000 <ip internet> 10000 extendable
ip nat inside source static tcp 10.124.77.55 25 <ip internet> 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
no ip http server
!
access-list 100 permit ip any any
access-list 105 deny ip 10.124.77.0 0.0.0.255 10.124.78.0 0.0.0.255
access-list 105 permit ip 10.124.77.0 0.0.0.255 any
access-list 105 permit ip 10.124.78.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 105
!
snmp-server engineID local 000000090200000427FCDCCE
snmp-server community public RO
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password xxxxx
 login
!
scheduler max-task-time 5000
end
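To see which flows the posted `route-map nonat` / `access-list 105` pair hands to PAT and which it leaves untranslated towards the VPN pool, here is an added Python checker (not a Cisco tool and not code from the original post) that evaluates the wildcard ACEs for a given source/destination pair. It assumes a single `permit` route-map sequence and embeds only the NAT-related lines of the config above.

```python
import ipaddress
import re

# Constructed excerpt: only the NAT/ACL/route-map lines from the posted config.
CONFIG = """
ip nat inside source route-map nonat interface Dialer0 overload
access-list 105 deny ip 10.124.77.0 0.0.0.255 10.124.78.0 0.0.0.255
access-list 105 permit ip 10.124.77.0 0.0.0.255 any
access-list 105 permit ip 10.124.78.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 105
"""

ACE = re.compile(r"access-list (\d+) (permit|deny) ip (.+)")

def _parse_addr(tokens):
    """Consume 'any' or 'ADDRESS WILDCARD'; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    base, wild = (int(ipaddress.ip_address(t)) for t in tokens[:2])
    return (base, wild), tokens[2:]

def _matches(ip, entry):
    """IOS wildcard semantics: bits set in the wildcard are 'don't care'."""
    base, wild = entry
    return (int(ipaddress.ip_address(ip)) | wild) == (base | wild)

def parse_nat_policy(text):
    """Return (acls, number of the ACL referenced by the NAT route-map)."""
    acls, map_acl, nat_map, current = {}, {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        m = ACE.match(line)
        if m:
            num, action, rest = m.groups()
            src, rest = _parse_addr(rest.split())
            dst, _ = _parse_addr(rest)
            acls.setdefault(num, []).append((action, src, dst))
        elif line.startswith("ip nat inside source route-map "):
            nat_map = line.split()[5]          # route-map name used for overload PAT
        elif line.startswith("route-map "):
            current = line.split()[1]
        elif line.startswith("match ip address ") and current:
            map_acl[current] = line.split()[3]
    return acls, map_acl.get(nat_map)

def nat_applies(text, src_ip, dst_ip):
    """True if the route-map permits src->dst (it gets PAT on Dialer0), False if exempt."""
    acls, acl_num = parse_nat_policy(text)
    for action, src, dst in acls.get(acl_num, []):   # first matching ACE wins
        if _matches(src_ip, src) and _matches(dst_ip, dst):
            return action == "permit"
    return False  # implicit deny: no ACE matched, so the route-map does not translate it
```

Running it against the posted lines shows LAN to VPN-pool traffic (10.124.77.x to 10.124.78.x) is exempt while LAN to Internet traffic is translated, which is the behaviour the deny ACE is meant to produce.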

1 Reply

hspaander (Level 1)

Small typing mistake:

standard internal to external traffic is also OK. But when I want to access systems on any IP protocol (telnet / ssh ...) I can not (!) access the internal systems. Hereby my simple config, give it a shot....

Thanks so far..