Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN Client 3.x with Cisco 831

Im trying to setyup VPN. This is our setup

Internet----Router(A)------PIX---(DMZ)----Router(B)-------Switch(LAN)-------

-Router(C)------Access-Point-------Laptop

I have setup Router C as a VPN router so users using the internal wireless

network can access our internal LAN via VPN. VPN connection is established

using cisco client 3.x, however the laptop is not able to ping any internal

host nor access the internet. Here is an ex. of my config

aaa new-model

!

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

aaa session-id common

ip subnet-zero

no ip domain lookup

ip domain name x.x.x.x.x

ip dhcp excluded-address x.x.x.x.x

!

ip dhcp pool SERVER

network x.x.x.x.x.0 255.255.255.0

domain-name x.x.x.x.x

dns-server x.x.x.x.x x.x.x.x.x

default-router x.x.x.x.x

lease infinite

!

ip audit notify log

ip audit po max-events 100

!

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group VPN-GROUP

key password

dns x.x.x.x.x x.x.x.x.x

pool ippool

acl 108

!

!crypto ipsec transform-set myset esp-3des esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

!

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

interface Ethernet0

ip address x.x.x.x.x 255.255.255.0

no cdp enable

hold-queue 100 out

!

interface Ethernet1

ip address x.x.x.x.x 255.255.255.0

crypto map clientmap

!

ip local pool ippool x.x.x.x.x.100 x.x.x.x.x.110

ip classless

ip route 0.0.0.0 0.0.0.0 x.x.x.x.x

ip route x.x.x.x.x 255.255.255.0 x.x.x.x.x

ip route x.x.x.x.x 255.255.255.0 x.x.x.x.x

ip route x.x.x.x.x 255.255.255.0 x.x.x.x.x

ip route x.x.x.x.x 255.255.255.0 x.x.x.x.x

no ip http server

!

!ip access-list extended inacl

!

access-list 108 permit ip x.x.x.x. 0.0.0.255 x.x.x.x. 0.0.0.255

WIthout VPN, users can access internet and the LAN, however we would prefer

if the VPN for more security. Any suggestions?

Thank you.

1 REPLY
Cisco Employee

Re: VPN Client 3.x with Cisco 831

It's a little hard to tell from your config, but you say that it works without the VPN. Once the VPN packet's are unencrypted and placed on the internal network, the only difference between them and between a non-encrypted packet will be the source address. The VPN packets will look like they've come from an address in your VPN pool (x.x.x.x.x.100 x.x.x.x.x.110), so you need to make sure that RouterB and the PIX have routes for these hosts that eventually point back to RouterC. To get through to the Internet also, the PIX will need a static or a nat/global pair that references this pool of addresses also.

81
Views
0
Helpful
1
Replies