06-19-2008 02:59 PM - edited 02-21-2020 03:47 PM
Having an issue trying to get the mobile VPN to work on a 3825 ISR. The router itself has 2 connections to the Internet and is using PBR. I am trying to connect to the interface on the router that is not the default outbound interface; it is the interface where the PBR traffic goes for Internet connectivity.
My VPN connection comes up just fine, but in the statistics I don't see any traffic being received.
I'm guessing this is an issue with the PBR.
If anyone has any advice that would be great. Below are the relevant portions of my config:
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW ntp
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW http
ip inspect name SDM_LOW gdoi
ip inspect name SDM_LOW isakmp
ip inspect name SDM_LOW ipsec-msft
ip inspect name SDM_LOW ssp
ip inspect name SDM_LOW pptp
ip inspect name SDM_LOW l2tp
ip inspect name SDM_LOW gtpv0
ip inspect name SDM_LOW gtpv1
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15
crypto isakmp client configuration group VPN-Group
 key **
 dns 10.73.4.4
 pool SDM_POOL_2
 include-local-lan
 max-users 1
 netmask 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA2
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_3
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_3
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
interface GigabitEthernet0/0
 description Internal
 ip address 10.160.0.3 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip policy route-map pbr-Internal
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
 no cdp enable
 service-policy input mark-inbound
 service-policy output shape-all
!
interface GigabitEthernet0/1
 description Internet to Checkpoint FW
 ip address 10.160.207.2 255.255.255.248
 ip policy route-map Internal
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
 no cdp enable
!
interface FastEthernet0/3/0
 switchport access vlan 144
 no cdp enable
!
interface Vlan144
 description Ext
 ip address ********** 255.255.255.240
 ip access-group 125 in
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ntp disable
 crypto map SDM_CMAP_1
!
ip local policy route-map internet-redirect-rmap
ip local pool SDM_POOL_2 192.168.5.3
ip classless
ip route 0.0.0.0 0.0.0.0 10.160.207.1
ip route 10.3.224.0 255.255.248.0 10.160.0.4
ip route 10.3.232.0 255.255.248.0 10.160.0.4
ip route 10.71.0.0 255.255.0.0 10.160.0.2
ip route 10.72.0.0 255.255.0.0 10.160.0.4
ip route 10.73.0.0 255.255.0.0 10.160.0.4
ip route 10.74.0.0 255.255.0.0 10.160.0.2
ip route 10.160.1.0 255.255.255.0 10.160.0.2
ip route 10.160.2.0 255.255.255.0 10.160.0.4
ip route 10.160.3.0 255.255.255.0 10.160.0.4
ip route 10.160.207.24 255.255.255.248 10.160.0.4
ip route 10.160.207.32 255.255.255.248 10.160.0.4
ip route 10.160.207.40 255.255.255.248 10.160.0.4
ip route 10.161.0.0 255.255.248.0 10.160.0.4
ip route 10.161.16.0 255.255.248.0 10.160.0.4
ip route 10.161.24.0 255.255.248.0 10.160.0.4
ip route 10.161.207.16 255.255.255.248 10.160.0.2
ip route 10.254.246.2 255.255.255.255 10.254.240.1
ip nat pool OutNat XXXX XXXX netmask 255.255.255.240
ip nat inside source route-map SDM_RMAP_1 pool OutNat overload
06-24-2008 02:27 AM
Hello
I have a similar problem; the difference is just in using PPTP instead of the VPN client, but basically it is the same setup.
ip local policy simply doesn't work when you have some encrypted traffic.
Can you post your configuration for the internet-redirect-rmap route map?
I have tried matching the GRE protocol and port 1723 for PPTP, but it simply doesn't work, so I am wondering whether this is even feasible on a Cisco router.
Dusan
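One way to keep the VPN traffic out of both the interface PBR and the local policy that the two posts discuss, added here as an example and not taken from either post: it assumes the client pool is 192.168.5.0/24 (from the posted pool and netmask), the next-hops are the placeholders shown, and the ACL and route-map contents are hypothetical, since the original route-maps are not posted.

```cisco
! Constructed example, not from the thread. Placeholders in <...>.
!
! In PBR, a packet that hits a "deny" entry of the match ACL is handed
! back to normal routing, not dropped. That lets the reverse-route
! injected by the dynamic crypto map (192.168.5.x via the crypto-map
! interface) win for return traffic to the VPN clients, and keeps
! ISAKMP, NAT-T and ESP on the interface that carries the crypto map.
ip access-list extended PBR-INTERNAL-EXAMPLE
 deny   ip any 192.168.5.0 0.0.0.255
 deny   udp any any eq isakmp
 deny   udp any any eq non500-isakmp
 deny   esp any any
 permit ip 10.160.0.0 0.0.0.255 any
!
route-map pbr-Internal-example permit 10
 match ip address PBR-INTERNAL-EXAMPLE
 set ip next-hop <Vlan144-next-hop>
!
interface GigabitEthernet0/0
 ip policy route-map pbr-Internal-example
!
! Same idea for router-originated packets: the router's own ESP and
! ISAKMP replies to the client must follow the routing table instead of
! the local-policy redirect.
ip access-list extended LOCAL-POLICY-EXAMPLE
 deny   udp any any eq isakmp
 deny   udp any any eq non500-isakmp
 deny   esp any any
 permit ip any any
!
route-map internet-redirect-example permit 10
 match ip address LOCAL-POLICY-EXAMPLE
 set ip next-hop <redirect-next-hop>
!
ip local policy route-map internet-redirect-example
```

After applying it, `show route-map` shows how many packets each entry policy-routed, and `show crypto ipsec sa` shows whether the "pkts encaps" counter for the client's SA now rises when inside hosts reply.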