02-19-2003 11:42 AM - edited 02-21-2020 12:21 PM
Please can someone help, this is driving me crazy. I can successfully connect to my Cisco 2621 via the Cisco VPN client but can only contact the systems that don't have the default route set as 10.1.1.3.
How can I modify the config so I can contact the systems in the 101 policy via VPN? I know that NAT is causing the problem, as when I debug a telnet session to 10.1.2.1 it's being translated as 21X.X.X.X.
I'd be very grateful for the input,
Kind Regards,
Bryan
CONFIG:
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group XXXXXX
key XXXXXX
pool nicvpnpool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
isdn switch-type basic-net3
isdn voice-call-failure 0
!
mta receive maximum-recipients 0
!
!
interface FastEthernet0/0
ip address 10.1.1.3 255.255.0.0
ip nat inside
ip policy route-map niclan
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description Kingston Internet
ip address 21X.X.X.X 255.255.XXX.XXX
ip nat outside
duplex auto
speed auto
no cdp enable
crypto map clientmap
!
ip local pool nicvpnpool 10.2.1.1 10.2.1.254
ip nat translation timeout 119
ip nat inside source list 101 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 21X.XXX.XXX.XXX permanent
no ip http server
!
access-list 101 remark Internet
access-list 101 permit ip 10.1.4.0 0.0.0.255 any
access-list 101 permit ip 10.1.3.0 0.0.0.255 any
!
route-map niclan permit 5
match ip address 101
set default interface FastEthernet0/1
!
radius-server authorization permit missing Service-Type
no call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
banner login
########################################
# #
# #
# #
# #
# UNAUTHORISED ACCESS PROHIBITED #
########################################
!
line con 0
exec-timeout 0 0
privilege level 0
password 7 XXXXXXXXXXXX
line aux 0
line vty 0 4
access-class 2 in
exec-timeout 0 0
privilege level 0
password 7 XXXXXXXXXX
!
!
end
02-19-2003 05:02 PM
Hi there,
What you need to do is:
no ip nat inside source list 101 interface FastEthernet0/1 overload
interface FastEthernet0/0
no ip policy route-map niclan
then:
access-list 111 deny ip 10.1.4.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 111 deny ip 10.1.3.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 111 permit ip 10.1.4.0 0.0.0.255 any
access-list 111 permit ip 10.1.3.0 0.0.0.255 any
route-map nonat permit 10
match ip address 111
ip nat inside source route-map nonat interface FastEthernet0/1 overload
Hope that helps
Jazib
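As an added illustration of the answer above (not part of the original thread), a small Python model of how a NAT route-map that matches access-list 111 decides whether a flow gets translated: a deny line exempts the flow from NAT, a permit line translates it, and entries are evaluated top-down with Cisco wildcard masks. The inside and VPN-pool addresses are the thread's own; the Internet destination 198.51.100.7 and the outside address 203.0.113.1 are constructed samples.

```python
import ipaddress

# Access-list 111 as given in the answer, in the order it must be entered:
# the two deny lines (LAN -> VPN pool) have to precede the permit lines.
ACL_111 = [
    "deny   ip 10.1.4.0 0.0.0.255 10.2.1.0 0.0.0.255",
    "deny   ip 10.1.3.0 0.0.0.255 10.2.1.0 0.0.0.255",
    "permit ip 10.1.4.0 0.0.0.255 any",
    "permit ip 10.1.3.0 0.0.0.255 any",
]

# The original access-list 101 (permits only) for comparison.
ACL_101 = [
    "permit ip 10.1.4.0 0.0.0.255 any",
    "permit ip 10.1.3.0 0.0.0.255 any",
]


def _match_clause(tokens, i, ip):
    """Match one address clause ('any', 'host A', or 'A WILDCARD').

    Returns (matched, index of the next token)."""
    if tokens[i] == "any":
        return True, i + 1
    if tokens[i] == "host":
        return ip == int(ipaddress.ip_address(tokens[i + 1])), i + 2
    base = int(ipaddress.ip_address(tokens[i]))
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    # Cisco wildcard: bits set to 1 are "don't care", so OR them away.
    return (ip | wildcard) == (base | wildcard), i + 2


def nat_decision(acl, src, dst):
    """First-match evaluation of an ACL used by 'ip nat inside source route-map'.

    Returns 'translate' (permit matched), 'exempt' (deny matched) or
    'no-match' (implicit deny at the end of the ACL, also not translated)."""
    s = int(ipaddress.ip_address(src))
    d = int(ipaddress.ip_address(dst))
    for line in acl:
        tokens = line.split()
        action = tokens[0]            # tokens[1] is the protocol ('ip')
        ok_src, i = _match_clause(tokens, 2, s)
        ok_dst, _ = _match_clause(tokens, i, d)
        if ok_src and ok_dst:
            return "translate" if action == "permit" else "exempt"
    return "no-match"


def source_after_nat(acl, src, dst, outside_ip="203.0.113.1"):
    """Source address a VPN client or Internet host would see for this flow."""
    return outside_ip if nat_decision(acl, src, dst) == "translate" else src
```

Running `source_after_nat(ACL_101, "10.1.3.10", "10.2.1.5")` reproduces the original symptom (LAN host reaching a VPN client is translated to the outside address), while ACL_111 leaves that flow untouched and still translates Internet-bound traffic.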
02-20-2003 11:42 PM
Many thanks, that kinda works but my Dialer was not working. Here's a more detailed config. Many thanks in advance for your time.
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname NIC-RTR2
!
enable secret 5 $1$XXXXXXXXXX//
!
username rtrXXXXX privilege 0 password 7 0XXXXXXX
username nicXXX password 7 0XXXXXXX
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip domain name nic.XXXXXXX
ip name-server 10.1.5.1
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group 56client
key cisco1111223
dns 10.1.5.1
domain nic.XXXXXX
pool nicvpnpool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
isdn switch-type basic-net3
isdn voice-call-failure 0
!
!
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
description NICLAN
ip address 10.20.1.5 255.255.0.0 secondary
ip address 10.1.1.3 255.255.0.0
ip nat inside
ip policy route-map niclan
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description Kingston Internet
ip address 213.XXXXX 255.XXXXX
ip nat outside
duplex auto
speed auto
no cdp enable
crypto map clientmap
!
interface Serial0/1
no ip address
ip broadcast-address 0.0.0.0
shutdown
!
interface BRI1/0
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
no cdp enable
!
interface BRI1/1
no ip address
ip broadcast-address 0.0.0.0
shutdown
isdn switch-type basic-net3
!
interface BRI1/2
no ip address
ip broadcast-address 0.0.0.0
shutdown
isdn switch-type basic-net3
!
interface BRI1/3
no ip address
ip broadcast-address 0.0.0.0
shutdown
isdn switch-type basic-net3
!
interface Dialer2
description ISDN to Demon
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer idle-timeout 180
dialer string 08440416672
dialer-group 2
no cdp enable
ppp authentication chap pap callin
ppp chap hostname XXXXX
ppp chap password 7 1XXXXXXXXX2
ppp pap sent-username pXXX password 7 1XXXXXXX
!
ip local pool nicvpnpool 10.2.1.1 10.2.1.254
ip nat translation timeout 119
ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source list 104 interface Dialer2 overload
ip nat inside source static tcp 10.1.5.1 25 interface Dialer2 25
ip classless
ip route 0.0.0.0 0.0.0.0 213.XXXXX permanent
ip route 10.150.0.0 255.255.0.0 10.1.1.1 permanent
ip route 139.85.104.0 255.255.255.0 10.1.1.20 permanent
ip route 139.85.128.0 255.255.255.0 10.1.1.20 permanent
ip route 172.22.0.0 255.255.0.0 10.1.1.20 permanent
no ip http server
!
!
ip access-list extended BRI1/0:1
ip access-list extended default-domain
ip access-list extended dns-servers
ip access-list extended idletime
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended nicvpnpool
!
logging 10.1.2.1
access-list 2 remark Addresses permitted to telnet to NIC-RTR2
access-list 2 permit 10.1.3.0 0.0.0.255
access-list 2 permit 10.1.4.0 0.0.0.255
access-list 101 remark Kingston Internet
access-list 101 permit ip host 10.1.45.5 any
access-list 101 permit ip 10.1.4.0 0.0.0.255 any
access-list 101 permit ip 10.1.3.0 0.0.0.255 any
access-list 101 permit ip host 10.20.1.3 any
access-list 101 permit ip host 10.1.2.1 any
access-list 104 remark Addresses permitted to access Demon
access-list 104 permit ip host 10.20.1.2 any
access-list 104 permit ip host 10.1.5.1 any
access-list 111 deny ip 10.1.3.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 111 deny ip 10.1.4.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 111 deny ip host 10.1.2.1 10.2.1.0 0.0.0.255
access-list 111 deny ip host 10.1.45.5 10.2.1.0 0.0.0.255
access-list 111 deny ip host 10.20.1.3 10.2.1.0 0.0.0.255
access-list 111 permit ip 10.1.3.0 0.0.0.255 any
access-list 111 permit ip 10.1.4.0 0.0.0.255 any
access-list 111 permit ip host 10.1.2.1 any
access-list 111 permit ip host 10.1.45.5 any
access-list 111 permit ip host 10.20.1.3 any
dialer-list 2 protocol ip permit
!
route-map niclan permit 5
match ip address 101
set default interface FastEthernet0/1
!
route-map niclan permit 20
match ip address 104
set default interface Dialer2
!
radius-server authorization permit missing Service-Type
no call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
banner login
########################################
########################################
!
line con 0
exec-timeout 0 0
privilege level 0
password 7 0505091B32425D05
line aux 0
line vty 0 4
access-class 2 in
exec-timeout 0 0
privilege level 0
password 7 1XXXXXXXX6
!
!
end