Cisco Support Community
New Member

vpn client 4.0 to 2611 router

I know it is possible and I am real close to having this right. What I am trying to do is use Cisco VPN Client 4.0 to a router with 12.2.15.t. All of the examples are using a network-to-network VPN, not a client-to-network VPN. The clients are on dial-up so they have dynamic addresses assigned by their ISP.

The router is using NAT and has static mappings. Outside users are NATted to web servers inside, and we also have internal machines that get internet access from this router. I know I have to have the VPN bypass the NAT translation, but seem to be missing something. What am I missing to get this to work? Thanks in advance.

version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname test
!
boot system flash c2600-ik9o3s3-mz.122-15.T.bin
logging queue-limit 100
enable secret xxxxxxxxxxxxxxx
!
username test1 password xxxxxxxxxxx
username test1 password xxxxxxxxxxxxxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa session-id common
ip subnet-zero
!
!
ip name-server 10.10.90.6
!
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key xxxxxxxxxxx
 dns 10.10.90.6
 pool ippool
 acl 105
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
 description connected to EthernetLAN_1
 ip address 10.10.90.2 255.255.255.0
 ip access-group 10 out
 ip nat inside
 half-duplex
!
interface Serial0/0
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description connected to Internet
 ip address 66.66.66.22 255.255.255.252
 ip access-group 2 in
 ip nat outside
 frame-relay interface-dlci 601
 crypto map clientmap
!
interface Ethernet0/1
 description connected to EthernetLAN
 ip address 66.66.66.129 255.255.255.192
 ip helper-address 10.10.90.6
 half-duplex
!
ip local pool ippool 10.10.95.1 10.10.95.10
ip nat inside source list 1 interface Serial0/0.1 overload
ip nat inside source static tcp 10.10.90.7 25 67.37.116.180 25 extendable
ip nat inside source static tcp 10.10.90.15 80 67.37.116.131 80 extendable
ip nat inside source static tcp 10.10.90.8 80 67.37.116.130 80 extendable
ip nat inside source static tcp 10.10.90.8 443 67.37.116.130 443 extendable
ip nat inside source static tcp 10.10.90.8 773 67.37.116.130 773 extendable
ip nat inside source static tcp 10.10.90.8 992 67.37.116.130 992 extendable
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
!
!
!
logging 10.10.90.9
access-list 1 permit 67.37.116.128 0.0.0.63
access-list 1 permit 10.10.90.0 0.0.0.255
access-list 2 deny 67.95.75.116
access-list 2 deny 67.37.134.116
access-list 2 deny 217.1.73.6
access-list 2 deny 67.37.204.74
access-list 2 deny 67.117.54.0 0.0.0.255
access-list 2 deny 131.171.48.0 0.0.0.255
access-list 2 deny 67.92.0.0 0.0.255.255
access-list 2 deny 67.40.82.0 0.0.0.255
access-list 2 deny 61.0.0.0 0.255.255.255
access-list 2 deny 67.113.86.0 0.0.0.255
access-list 2 deny 67.104.151.0 0.0.0.255
access-list 2 deny 194.0.0.0 0.255.255.255
access-list 2 deny 202.0.0.0 0.255.255.255
access-list 2 deny 203.0.0.0 0.255.255.255
access-list 2 deny 210.0.0.0 0.255.255.255
access-list 2 deny 67.17.128.0 0.0.0.255
access-list 2 deny 211.0.0.0 0.255.255.255
access-list 2 deny 212.0.0.0 0.255.255.255
access-list 2 deny 67.105.254.0 0.0.0.255
access-list 2 deny 213.0.0.0 0.255.255.255
access-list 2 deny 67.92.202.0 0.0.0.255
access-list 2 deny 218.0.0.0 0.255.255.255
access-list 2 deny 219.0.0.0 0.255.255.255
access-list 2 deny 220.0.0.0 0.255.255.255
access-list 2 deny 221.0.0.0 0.255.255.255
access-list 2 deny 216.35.10.0 0.0.0.255
access-list 2 deny 61.134.74.0 0.0.0.255
access-list 2 deny 213.35.0.0 0.0.255.255
access-list 2 permit any
access-list 10 deny 67.37.116.170
access-list 10 permit any
access-list 105 permit ip 10.10.90.0 0.0.0.255 10.10.95.0 0.0.0.255
!
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
 password
line aux 0
line vty 0 4
 password
!
end

5 REPLIES
Bronze

Re: vpn client 4.0 to 2611 router

Hi there,

I believe you are looking for this link:

http://www.cisco.com/warp/public/471/ios-unity.html

Your IOS router is not configured to do local authorization, which is required for a 3.x or 4.x client to connect.

Jazib

New Member

Re: vpn client 4.0 to 2611 router

As mentioned by Jazib, you need to add something such as:

aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local

This will let you authenticate locally using your command:

username XXXX password YYYY

- Brett

New Member

Re: vpn client 4.0 to 2611 router

Hi Jazib,

I noticed the fact that a local user account is in the prerequisites for this solution, but are you saying that no external authentication server can be used for Cisco VPN Client authentication at all??!

Patrick

New Member

Re: vpn client 4.0 to 2611 router

I seem to be able to authenticate; the client takes my group and username/passwords without problems. I am having problems getting it to bypass NAT with the IPsec.
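The two gaps the thread circles around are the `groupauthor` authorization list that the crypto map references but the posted config never defines (Jazib's and Brett's point), and the NAT exemption for the client pool (the original poster's open question). The following is an added IOS configuration example written for this page; it is not configuration from the thread or from the linked Cisco documents. It reuses the addresses and names from the posted config (pool 10.10.95.0/24, inside network 10.10.90.0/24, the 67.37.116.128/26 range from ACL 1, interface Serial0/0.1); the ACL number 110 and the route-map name `nonat` are assumptions.

```cisco
! Added example for this thread, not the poster's own config.
! ACL number 110 and route-map name "nonat" are assumptions.
!
! 1. Define the authorization list that
!    "crypto map clientmap isakmp authorization list groupauthor"
!    already references. Without it the router cannot hand the group
!    attributes (pool, dns, acl 105) to the client.
aaa authorization network groupauthor local
!
! 2. Extended ACL driving the overload (PAT) rule. A "deny" entry in a
!    NAT ACL means "do not translate": traffic from the inside networks
!    to the client pool is left untranslated, so it still matches
!    crypto ACL 105 and gets encrypted. On IOS, inside-to-outside NAT
!    runs before the crypto map check, which is why the exemption has
!    to live here. The permit lines carry over the two source ranges
!    that standard ACL 1 allowed.
access-list 110 deny   ip 10.10.90.0 0.0.0.255 10.10.95.0 0.0.0.255
access-list 110 deny   ip 67.37.116.128 0.0.0.63 10.10.95.0 0.0.0.255
access-list 110 permit ip 10.10.90.0 0.0.0.255 any
access-list 110 permit ip 67.37.116.128 0.0.0.63 any
!
! 3. Route map wrapping the ACL; this is Cisco's usual pattern for
!    NAT exemption in front of IPsec.
route-map nonat permit 10
 match ip address 110
!
! 4. Replace the ACL-1 overload rule with the route-map version.
!    Remove the old statement first, otherwise both stay active.
no ip nat inside source list 1 interface Serial0/0.1 overload
ip nat inside source route-map nonat interface Serial0/0.1 overload
```

Two checks after applying this: `clear ip nat translation *` flushes translations built under the old rule, and `show ip nat translations` while a client is connected should show no entries whose destination is in 10.10.95.0/24; `show crypto ipsec sa` should then show the encrypt/decrypt counters climbing for the 10.10.90.0/24 to 10.10.95.0/24 pair. One caveat: the six port-level `ip nat inside source static tcp ... extendable` entries are not governed by this route map, so replies from those servers on those ports to a VPN client may still be translated; if `show ip nat translations` shows that, those statics need their own exemption.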

Bronze

Re: vpn client 4.0 to 2611 router

You can certainly use an external authentication server like RADIUS or TACACS.

I hope the following 2 documents will help.

Jazib

http://www.cisco.com/warp/public/707/ios_usr_rad.html

http://www.cisco.com/warp/public/480/ipsec-ios-tacacs.html
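To make Jazib's answer concrete, here is an added example (not from the thread or the two linked documents) of moving the XAUTH user login to RADIUS while leaving group authorization local. The server address 10.10.90.20 and the shared key are placeholders; the list names `userauthen` and `groupauthor` are the ones the posted crypto map already references.

```cisco
! Added example for this thread. Server address and key are placeholders.
!
! RADIUS server the router queries for the XAUTH username/password.
radius-server host 10.10.90.20 auth-port 1645 acct-port 1646 key RADIUS-KEY-PLACEHOLDER
!
! Rebind the login list used by
! "crypto map clientmap client authentication list userauthen":
! ask RADIUS first, fall back to the local username database only if
! the server does not answer (an explicit reject is NOT retried locally).
aaa authentication login userauthen group radius local
!
! Group authorization can stay local; the group key, pool, dns and
! split-tunnel acl are still taken from
! "crypto isakmp client configuration group vpnclient".
aaa authorization network groupauthor local
```

The `local` fallback only covers a RADIUS server that is unreachable; a user the server rejects is rejected, which is the behaviour you want from a second factor. `debug radius` on the router shows the Access-Request/Access-Accept exchange if a login does not behave as expected, and the `radius-server authorization permit missing Service-Type` line already in the posted config stays relevant here, since many RADIUS servers omit that attribute in their replies.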
